Security & Compliance
Bank-grade protection for your most sensitive lending data. We treat security as a foundational requirement, not an afterthought.
Compliance Framework
Certifications & Standards
ISO 27001 Aligned
Our information security management practices are aligned with the ISO 27001 framework, covering risk assessment, access control, and incident management.
GDPR Compliant
We operate in full compliance with the UK General Data Protection Regulation and the Data Protection Act 2018, with appointed data protection responsibilities.
UK Data Residency
All platform data is stored exclusively on UK-based servers. No personal or financial data is transferred outside of the United Kingdom or EEA.
SOC 2 Type II Aligned
Our operational controls for security, availability, and confidentiality are designed in alignment with SOC 2 Type II trust service criteria.
Technical Controls
Security Features
256-bit AES Encryption
All data at rest is encrypted using AES-256, the same standard used by financial institutions and government agencies globally.
TLS 1.3 in Transit
All data in transit is protected using TLS 1.3. Older protocol versions (TLS 1.0, 1.1) and weak cipher suites are explicitly disabled.
Role-Based Access Control
Granular RBAC ensures users can only access data appropriate to their role. Administrators, standard users, and read-only roles have distinct permission sets.
Multi-Factor Authentication
MFA is available to all users and enforced for all administrator accounts. We support TOTP-based authenticator apps and SMS-based verification.
Audit Logging
Every data access, export, login, and configuration change is recorded in an immutable audit log with timestamps and user attribution. Logs are retained for 12 months.
Penetration Tested
The platform undergoes regular penetration testing by independent third-party security specialists. Critical findings are remediated within 30 days of disclosure.
Data Storage & Practices
Where Data Lives
All platform data is stored on UK-based servers operated through ISO 27001 certified data centre providers. Our primary and disaster recovery environments are both located within the United Kingdom. No data is transferred to or stored in jurisdictions outside the UK or EEA.
Retention Policy
Active account data is retained for the duration of your subscription. Contributed loan data is retained for up to 7 years to meet financial record-keeping obligations. Anonymised aggregate data may be retained indefinitely. Audit logs are retained for 12 months.
Deletion Rights
On account closure or written request, all personal and identifiable data is deleted within 30 days. You will receive written confirmation of deletion. Backups containing your data are purged within 90 days of the deletion request in accordance with our backup rotation schedule.
Regulatory Compliance
The Loan Intel platform is operated in accordance with the following regulatory frameworks applicable to UK-based SaaS platforms serving the financial services industry:
UK GDPR
We comply with the UK General Data Protection Regulation as retained in UK law following the departure from the European Union. This includes lawful basis for processing, data subject rights, privacy by design, and data breach notification obligations.
Data Protection Act 2018
Our practices align with the Data Protection Act 2018, which supplements the UK GDPR and also governs law enforcement and intelligence service data processing.
Regulatory Compliance Support
As a platform serving regulated lenders, we design our data handling and security practices to support our clients’ own compliance obligations, including operational resilience and data security requirements relevant to their business.
Incident Response
We maintain a 24-hour incident response SLA for security events. In the event of a confirmed data breach or security incident affecting your data, we will notify you within 24 hours of confirmation and provide a full written incident report within 72 hours.
Our incident response process follows the NCSC's guidance on cyber incident management and meets the ICO's 72-hour breach notification requirement under Article 33 of the UK GDPR.
Responsible Disclosure
Found a security vulnerability? We operate a responsible disclosure programme and take all reports seriously. Please contact us before public disclosure to allow time for remediation.
support@loan-intel.com
Legal Documentation
Review our full suite of legal and compliance documentation, including our Privacy Policy, Data Processing Agreement, and Acceptable Use Policy.