WealthComply processes some of the most sensitive material in private wealth. Data is stored in Switzerland, AI runs inside the EU, and nothing is ever used to train a model. Here is exactly how it works.
We operate an ISO 27001‑aligned ISMS in production today — documented policy, control register, named ownership — with formal certification on a scheduled timeline. Our leadership has taken a comparable platform through certification before.
The international standard for AI management systems, ISO/IEC 42001, is on our certification roadmap. Our AI governance already mirrors its requirements: a model inventory, an AI‑specific risk register, and a record for every AI‑assisted output.
The platform is designed to satisfy UK GDPR, EU GDPR and the revised Swiss FADP simultaneously, with a DPA, subprocessor register and DPIA support ready for your data‑protection team.
DORA, the EU Digital Operational Resilience Act, is not a certification, so we do not claim one. Our incident notification, third‑party risk and operational‑resilience practices are built to support clients whose regulators expect DORA‑aligned discipline from material ICT vendors.
A full evidence pack — Statement of Applicability, policy set, architecture documentation and control register — is available under NDA.
All customer data — entities, controlling persons, documents, audit history and encrypted backups — is stored at rest in Azure Switzerland North, and stays there.
Classification reasoning runs on Azure OpenAI in West Europe, within the EU data boundary. We will move to Swiss‑region capacity as Microsoft makes it generally available.
No customer data is routed to, processed in, or stored in the United States. Region pinning is enforced by Azure Policy to prevent accidental cross‑region deployment.
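The region pinning described above can be expressed as a custom Azure Policy definition. The definition below is an added illustration written for this page, not WealthComply's actual policy: it assumes that ordinary resources may only be created in Switzerland North, that the single permitted exception is an Azure OpenAI resource (type `Microsoft.CognitiveServices/accounts`, kind `OpenAI`) in West Europe, and that location‑less `global` resources such as DNS zones are left alone, as Microsoft's built‑in "Allowed locations" policy does. The parameter names and display name are assumptions.

```json
{
  "properties": {
    "displayName": "Pin data to Switzerland North; allow Azure OpenAI in West Europe only",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Illustrative policy (not the vendor's own): deny any resource deployed outside the approved data region unless it is an Azure OpenAI account in the approved AI region.",
    "parameters": {
      "allowedDataLocations": {
        "type": "Array",
        "metadata": { "displayName": "Allowed data locations", "strongType": "location" },
        "defaultValue": [ "switzerlandnorth" ]
      },
      "allowedAiLocations": {
        "type": "Array",
        "metadata": { "displayName": "Allowed Azure OpenAI locations", "strongType": "location" },
        "defaultValue": [ "westeurope" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedDataLocations')]" },
          { "field": "location", "notEquals": "global" },
          {
            "not": {
              "allOf": [
                { "field": "type", "equals": "Microsoft.CognitiveServices/accounts" },
                { "field": "kind", "equals": "OpenAI" },
                { "field": "location", "in": "[parameters('allowedAiLocations')]" }
              ]
            }
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assign the definition at subscription or management‑group scope with `az policy assignment create` so it covers every resource group. A `deny` effect blocks new or updated deployments outside the approved regions; resources that already exist elsewhere are only flagged non‑compliant, so an initial compliance scan is needed once. Note also that the policy constrains where resources are created, not where data replicates: a storage account using geo‑redundant storage replicates to the paired region (Switzerland West for Switzerland North), which is why the redundancy setting deserves its own check alongside the location rule.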
Your data is never used to train, fine‑tune or evaluate any AI model. This is both an Azure OpenAI configuration and a contractual commitment in our DPA.
TLS 1.2 or higher with HSTS on every public endpoint; AES‑256 encryption at rest across all databases, object storage, queues and logs. Backups remain encrypted and within Switzerland.
WealthComply staff cannot read your classifications, controlling‑person data or documents without written, time‑bound, logged approval from your administrator — recorded in your own audit trail.
Permissions map to how compliance teams work — Reviewer, Officer, Administrator and Auditor — with SSO via Microsoft Entra ID and MFA enforceable per workspace.
Cloudflare WAF and DDoS protection at the edge, private endpoints to datastores, Microsoft Defender for Cloud, and peer‑reviewed, pipeline‑controlled deployments.
Where inference runs: Azure OpenAI in West Europe, within the EU data boundary. No routing to the US, no consumer AI services.
Training on your data: contractually prohibited and technically configured. Our own evaluation uses synthetic or permissioned material only.
Recorded with each result: a structured rationale, the source documents cited, a calibrated confidence indicator, and the model version.
Human review: the people using WealthComply confirm the underlying data and approve the output. The platform informs the review; it does not replace it.
Microsoft Azure (Switzerland North): core hosting, database, storage and monitoring. Data shared: full platform data, resident in Switzerland.
Azure OpenAI (West Europe): AI inference for classification reasoning. Data shared: entity and document content during processing only; never retained for training.
Cloudflare and Microsoft Entra ID: edge protection, WAF and DDoS mitigation; identity and SSO. Data shared: technical metadata and authentication tokens; no customer content.
Non‑essential telemetry (e.g. error monitoring) can be disabled per tenant for clients with the strictest Swiss‑only requirements. Clients are notified of material subprocessor changes with the right to object.