Security overview
At Notch, we believe that trust is not a feature - it is the foundation upon which every customer interaction is built. As organizations in financial services, healthcare, insurance, and other highly regulated sectors adopt agentic AI for customer support, the stakes of getting security, privacy, and compliance right have never been higher. This Trust Center is our public commitment to meeting that standard: a transparent, up-to-date record of the security controls, data protection practices, compliance certifications, and governance frameworks that underpin every Notch deployment.
Notch is purpose-built for the compliance demands of regulated industries. Our architecture is designed from the ground up to satisfy the requirements of frameworks including SOC 2 Type II, ISO 27001, GDPR, CCPA, and sector-specific obligations such as the FCA Consumer Duty and FFIEC guidance. Our AI agents operate within auditable, policy-bound guardrails, providing the control, explainability, and oversight that regulated environments require.
We partner with compliance, legal, and security teams as readily as we partner with customer experience teams, because in regulated domains, those conversations are inseparable. If you have questions that go beyond what is documented here, our security and compliance team is available at security@notch.cx.
Compliance
SOC 2 Type II
SOC 2 Type II
Compliant
Monitored by CISO99 continuous compliance scans.
ISO/IEC 27001:2022
ISO/IEC 27001:2022
Compliant
Monitored by CISO99 continuous compliance scans.
ISO/IEC 27017:2015
ISO/IEC 27017:2015
In progress
Monitored by CISO99 continuous compliance scans.
ISO 27018:2025
ISO 27018:2025
In progress
Monitored by CISO99 continuous compliance scans.
GDPR
GDPR
Compliant
Monitored by CISO99 continuous compliance scans.
CCPA
CCPA
Compliant
Monitored by CISO99 continuous compliance scans.
IPA (Israel Privacy Act)
IPA (Israel Privacy Act)
Compliant
Monitored by CISO99 continuous compliance scans.
CSA STAR
CSA STAR
Compliant
Monitored by CISO99 continuous compliance scans.
NIST CSF
NIST CSF
Compliant
Monitored by CISO99 continuous compliance scans.
PCI DSS
PCI DSS
Compliant
Monitored by CISO99 continuous compliance scans.
EU AI Act
EU AI Act
Compliant
Monitored by CISO99 continuous compliance scans.
Resources
View allCertifications & audits
- SOC 2 Type II report Request access
- ISO 27001 certificate Request access
Penetration tests
- Penetration test summary Request access
Policies
- Information security policy Request access
Privacy
- Secure Software Development Lifecycle established
- Penetration Testing conducted
- Change Management procedures enforced
- Role Based Access Control (RBAC) established
- Multi Factor Authentication implemented
- User Access Reviews conducted
- Business Continuity and Disaster Recovery plans established
- Continuity and Disaster Recovery plans tested
- Incident Response plan tested
- Encryption at rest implemented
- Encryption in transit implemented
- Encryption key management process established
- Risk Assessment and treatment established
- Vendor Risk Management established
- Asset Management maintained
- Endpoint Detection and Response established
- Disk encryption enforced
- Threat and Malware protection enforced
Subprocessors
- Azure • Cloud service provider
- Cloudflare • Web infrastructure platform providing CDN, DNS and security services
- Coralogix • Logging & monitoring
- Descope • User management, authentication & authorization
- DocuSign • Workspace productivity and collaboration
- Google Workspace • Workspace productivity and collaboration
- LogRocket • Analytics and BI
- Monday • Work OS for project and workflow management
- OpenAI • Large Language Model provider
- Render • Audit logging and monitoring
- Slack • Workspace productivity and collaboration
Frequently asked questions
How is my data encrypted?
All Notch web traffic sent over the public internet is encrypted in transit using TLS 1.2+, and data at rest is encrypted with AES-256. A formal encryption key management process governs the lifecycle of cryptographic keys.
Which compliance certifications does Notch hold?
Notch is certified for SOC 2 Type II and ISO 27001, and complies with GDPR, CCPA, and HIPAA. Our architecture is also designed to satisfy sector-specific obligations such as the EU AI Act, FCA Consumer Duty, and FFIEC guidance.
Who can access customer data?
Access is granted on the principle of least privilege using Role-Based Access Control, enforced with single sign-on and multi-factor authentication. Production and production database access are restricted, access requests follow a defined approval process, and user access reviews are conducted regularly. Audit logs capture all activity on production systems.
Does Notch perform penetration testing and vulnerability scanning?
Yes. Independent penetration tests are conducted regularly, complemented by ongoing vulnerability scanning, intrusion detection systems, and a secure software development lifecycle. A penetration test summary is available on request. We also operate a responsible disclosure program - reports can be sent to security@notch.cx.
How does Notch keep AI agents compliant and auditable?
Notch AI agents operate within deterministic, policy-bound guardrails that control when and how AI engages. Every decision is logged with its reasoning and source references, providing a full audit trail for QA, compliance review, and regulators. Behavior is customizable by line of business, geography, and customer tier, with escalation paths and approval workflows reflecting your governance model.
What happens if there is a service disruption or security incident?
Notch maintains tested Business Continuity, Disaster Recovery, and Incident Response plans. Production runs across multiple availability zones with continuous monitoring, and data backups and restoration procedures are tested regularly.
Does Notch use third-party subprocessors?
Yes. Notch uses a limited set of vetted subprocessors, listed on this page, to deliver its service. Every vendor goes through a strict approval process requiring SOC 2 / ISO 27001 and data regulation compliance, and is reviewed on an ongoing basis.
Is my data used to train AI models?
No. Neither Notch nor its LLM API vendors train models on customer data. AI providers are accessed exclusively through enterprise accounts with zero data retention, and are chosen specifically for their security and privacy posture.
Where is my data stored, and is it isolated from other customers?
Notch offers EU data residency options and enforces strong separation between tenant data - multitenant deployments run on separate servers, with an option for a fully separate environment and infrastructure. Databases run with replicas, servers autoscale, and vendors provide multi-zone fallback for redundancy and disaster recovery.
How does Notch handle data retention, deletion, and privacy compliance?
Notch's privacy program is led by a dedicated Data Protection Officer and complies with GDPR, CCPA, and other major regional regulations. A DPA covers retention periods that you decide, with configurable retention and secure deletion, purpose limitation, data minimization, and automatic or API-based data redaction.
What deployment options does Notch offer?
Notch runs as SaaS on cloud servers in a private VPC, protected by WAF and DDoS protection, IP access restrictions, and strong authentication, with authentication and authorization (SSO, MFA, PassKeys) via Descope and integration with enterprise IAM. A BYOC (bring your own cloud) option is available for deploying compute, storage, and integrations within your own environment.