Security & Compliance

Security architecture, end to end.

Boutique investment firms can't take chances on security or compliance. Bloxii is built to the standards your auditors, regulators, and clients expect — pulled forward from typical SaaS timelines because the buyer demands it. Plus the architectural commitments that matter for AI-native finance products.

Certifications & roadmap

Live, in progress, and on the roadmap.

Status is updated as evidence is collected, audits complete, and certificates issue. Honest timeline. No marketing-grade overstatements.
Live

GDPR Compliance

Built into product from day one. UK and EU data residency. Customer rights honored.

Target:Day 1
Live

FCA-Aware Deployment

Form Gabriel automation, MiFID II reporting, AIFMD support built into platform.

Target:Day 1
In Progress

UK Cyber Essentials Plus

UK government and FCA-aligned firms procurement standard.

Target:Q3 2026
In Progress

SOC 2 Type II

Evidence collection from day one with Drata. Required by enterprise buyers.

Target:Q1 2027
Roadmap

ISO/IEC 42001:2023

AI Management System standard, finalised December 2023. Hebbia has it as a live certification; Harvey and Rogo have not yet certified at time of writing. Pulled forward to ship concurrent with SOC 2 Type II — institutional-tier buyers in 2026–2027 will procure with ISO 42001 as a table-stakes requirement.

Target:Q3–Q4 2027 (post-Series A)
Roadmap

EU AI Act compliance

Vendor compliance for UK customers' EU LP bases that require their fund managers to use AI vendors that are EU AI Act compliant. This is vendor procurement, not EU market expansion. Bloxii's UK Year 1 / US Year 2 commitment is unchanged.

Target:Q1 2027

Data handling principles

Your data stays your data.

Six principles guide how Bloxii handles customer data. They are contractually committed and reflected in our security architecture.

Per-firm data isolation

Each customer gets a tenant-isolated environment. Your data never trains shared models. Customer data is never combined across firms.

Read-only by default

Bloxii integrates via read-only OAuth where systems support it. Write actions are explicit, audited, and require human-in-the-loop approval.

Audit trail on every action

Every agent decision, document touched, and human approval is logged for inspection by auditors and regulators.

UK & US data residency

Production data stays in UK regions for UK customers (Year 1) and US regions for US customers (Year 2+). Data residency is contractually committed. Bloxii does not host customer data in EU regions — UK customers' EU LP bases are served via vendor compliance, not data hosting.

MCP endpoint access control

Every external agent invocation via Bloxii's MCP endpoints is authenticated, scoped to specific capabilities, logged for audit, and bound by the same per-firm isolation as our web interface. Customer agents calling Bloxii capabilities have the same security boundaries as customer team members.

Multi-model provider independence

Bloxii Router routes tasks across multiple AI providers (Anthropic Claude default, with multi-model fallback). Customer-specific data residency commitments are contractual obligations Bloxii holds independently of any AI provider's terms. Material provider changes trigger customer notification and migration procedures. Provider independence is a feature, not a hidden architectural detail.

Our six-pillar security commitment

Six binding pillars. In every customer contract.

Each pillar is a binding commitment in customer contracts. Bloxii's Security Addendum includes auditable, enforceable terms aligned with SOC 2, ISO 42001, and GDPR.
01

Dedicated security expertise

Bloxii's in-house security function (post-seed hire) covers infrastructure, product, and operations with 24/7 monitoring. Security ownership is named, not outsourced.

02

UK / US data sovereignty

UK data residency Year 1; US data residency Year 2 for US customers. Customer data does not cross contractual residency boundaries. No EU hosting.

03

No model training on customer data

Bloxii's commercial agreements with AI providers explicitly prohibit training use of customer data. Contractual guarantee in Bloxii's Platform Agreement, auditable on request.

04

Enterprise-grade default features

SAML SSO, audit logs, IP allow-listing, data lifecycle management, role-based access control. Standard at all tiers from launch — not gated behind enterprise tiers.

05

Enforceable commitments

Bloxii's Security Addendum includes binding terms on data protection, data access, incident response SLAs, and other controls aligned with SOC 2, ISO 42001, and GDPR. Auditable, enforceable, built to exceed standard vendor terms.

06

Independently tested

Third-party security audits planned post-seed. Named auditor candidates: Schellman, NCC Group, Bishop Fox — the same firms used by Harvey. External validation, not self-attestation.

AI data handling

The questions sophisticated buyers ask.

Boutique investment firms evaluating AI vendors ask AI-specific questions that traditional compliance frameworks don't fully cover. Procurement teams scan; here's how Bloxii answers all of them at a glance.

Q01

Where does customer data go during agent execution?

Customer data flows through Bloxii's UK or EU-hosted infrastructure to commercial AI providers via authenticated APIs, processed in transit, and returned to Bloxii. Data never crosses the customer's contractual data residency boundary.

Q02

Is customer data used to train AI models?

No. Bloxii's commercial agreements with AI providers explicitly prohibit training use of customer data. Customer data is processed in stateless inference mode and discarded by AI providers per their data processing agreements.

Q03

Can customers audit which AI model touched which document?

Yes. Every agent execution is logged with model version, timestamp, input source, output, and approval state. Full audit trail available via Bloxii's admin interface and exportable for regulatory or audit purposes.

Q04

How does Bloxii handle hallucinations in regulatory contexts?

All regulatory and financial outputs include source citations grounded in customer data. Critical decisions (regulatory submissions, financial commitments, LP communications) require explicit human approval. Agent confidence scores are exposed to reviewers; low-confidence outputs are flagged for additional review.

Q05

What happens if an AI provider changes data handling terms?

Bloxii's multi-model architecture allows rapid switching between AI providers. Customer-specific data residency commitments are contractual obligations Bloxii holds independently of AI provider terms. Material changes to provider terms trigger customer notification and migration procedures if needed.

Q06

What happens if Bloxii ceases operations?

Customer data export rights are contractually guaranteed. Customer-specific configuration and integration code is held in escrow with a third-party escrow agent. Runbook handoff procedures ensure operational continuity for 90 days post-termination. This is operational maturity baseline for enterprise procurement.

Full security architecture, data flow diagrams, and technical due diligence materials available upon request to security@bloxii.com or via the security page.

Security disclosures and questions: security@bloxii.com