Mortgage AI built with security and compliance at the core.

Addy AI is SOC 2 Type 2 compliant. We're committed to compliance, data security and privacy, protecting your data and meeting top enterprise security and compliance standards.

SOC 2 Type II: Independently audited
GLBA aligned: Financial data safeguards
CCPA aligned: Consumer privacy by default
AES-256 / TLS 1.2+: Encryption in transit & at rest

Enterprise-grade security for mortgage AI.

Mortgage runs on documents that carry the most sensitive details of a borrower's life. Before we shipped a single agent, we built the controls underneath it, so loan officers can move faster without ever moving outside the lines.

SOC 2 Type II audited
Customer data never trains shared models
Deployed inside Encompass and MeridianLink

The Addy security model

The six security and compliance principles behind every AI agent action.

01

Encryption everywhere

Data is encrypted at rest with AES-256 using 256-bit data encryption keys across all databases, data stores, and file systems. Data in transit uses TLS 1.2+, including external transmissions and sensitive email.

02

Least-privilege access

Role-based access, SSO and SCIM provisioning, hardware-key MFA for all employees, and time-bound, audit-logged production access.

03

Tenant isolation

Per-lender logical isolation across storage, queues, and model contexts. Your loan data is never used to train shared models.

04

Continuous monitoring

24/7 anomaly detection, vulnerability scanning, dependency review, and quarterly penetration tests by independent third parties.

05

Responsible AI

Model outputs are constrained, traceable, and reviewable. We log prompts and tool calls so every agent action can be audited end-to-end.

06

Incident response

On-call runbooks, customer notification SLAs, and post-incident reviews. Status and security advisories published transparently.

Trust Center

Every policy, every control, in one place.

A summary of how Addy AI operates as a security organization. SOC 2 reports, completed questionnaires, and policy documents are available under NDA.

Audited against

AICPA SOC 2 Type 1: Attested
AICPA SOC 2 Type 2: Attested

Foundations

Who we are as a security organization, and the audited frameworks we operate under.

Product & Data

How the platform is built, how data flows through it, and how we protect what's inside.

Access & Infrastructure

Who can touch what, and the systems we trust to run beneath the product.

Operations

The day-to-day discipline that keeps the system trustworthy over time.

Partners & integrations

Deployed inside the systems of record for American lending.

We don't ask lenders to move their data to us. Addy operates inside the platforms that already pass their security reviews, under their controls, their auditors, and their procurement.

ICE Mortgage Technology: Encompass® integration partner
MeridianLink: Mortgage platform partner

Backed by

The institutions and programs supporting our work.

Carnegie Mellon University
GitHub
NVIDIA Inception: AI startup program
Microsoft for Startups: Founders Hub
Google for Startups: Cloud & Startups program

Frequently asked questions

Do you train models on our borrower data?
No. Customer data is never used to train shared or third-party foundation models. Tenant data stays isolated to your workspace.

Where is data hosted?
With an enterprise-grade cloud provider. All data is encrypted at rest with AES-256 using built-in key management.

How do you handle subprocessors?
Our subprocessor list is published in the Trust Center with change notifications. All subprocessors are reviewed against our security and privacy criteria.

Can we get your SOC 2 report and pen test summary?
Yes. Request them through the Trust Center. Reports are released under NDA, usually within one business day.

Get in touch with our compliance and security team.