notch's Trust Center Ask a question

notch

AI Built for Regulated Industries

Security overview

At Notch, we believe that trust is not a feature - it is the foundation upon which every customer interaction is built. As organizations in financial services, healthcare, insurance, and other highly regulated sectors adopt agentic AI for customer support, the stakes of getting security, privacy, and compliance right have never been higher. This Trust Center is our public commitment to meeting that standard: a transparent, up-to-date record of the security controls, data protection practices, compliance certifications, and governance frameworks that underpin every Notch deployment.

Notch is purpose-built for the compliance demands of regulated industries. Our architecture is designed from the ground up to satisfy the requirements of frameworks including SOC 2 Type II, ISO 27001, GDPR, CCPA, and sector-specific obligations such as the FCA Consumer Duty and FFIEC guidance. Our AI agents operate within auditable, policy-bound guardrails, providing the control, explainability, and oversight that regulated environments require.

We partner with compliance, legal, and security teams as readily as we partner with customer experience teams, because in regulated domains, those conversations are inseparable. If you have questions that go beyond what is documented here, our security and compliance team is available at security@notch.cx.

Compliance

SOC 2 Type II

SOC 2 Type II

Compliant

Monitored by CISO99 continuous compliance scans.

ISO/IEC 27001:2022

ISO/IEC 27001:2022

Compliant

Monitored by CISO99 continuous compliance scans.

ISO/IEC 27017:2015

ISO/IEC 27017:2015

In progress

Monitored by CISO99 continuous compliance scans.

ISO 27018:2025

ISO 27018:2025

In progress

Monitored by CISO99 continuous compliance scans.

GDPR

GDPR

Compliant

Monitored by CISO99 continuous compliance scans.

CCPA

CCPA

Compliant

Monitored by CISO99 continuous compliance scans.

IPA (Israel Privacy Act)

IPA (Israel Privacy Act)

Compliant

Monitored by CISO99 continuous compliance scans.

CSA STAR

CSA STAR

Compliant

Monitored by CISO99 continuous compliance scans.

NIST CSF

NIST CSF

Compliant

Monitored by CISO99 continuous compliance scans.

PCI DSS

PCI DSS

Compliant

Monitored by CISO99 continuous compliance scans.

EU AI Act

EU AI Act

Compliant

Monitored by CISO99 continuous compliance scans.

Resources

View all

Certifications & audits

Penetration tests

Policies

Privacy

Controls

Updated Jul 8, 2026 View all
Product Security
  • Secure Software Development Lifecycle established
  • Penetration Testing conducted
  • Change Management procedures enforced
View 4 more Product Security controls
Access Management
  • Role Based Access Control (RBAC) established
  • Multi Factor Authentication implemented
  • User Access Reviews conducted
View 6 more Access Management controls
Security and Continuity Procedures
  • Business Continuity and Disaster Recovery plans established
  • Continuity and Disaster Recovery plans tested
  • Incident Response plan tested
View 4 more Security and Continuity Procedures controls
Data Security
  • Encryption at rest implemented
  • Encryption in transit implemented
  • Encryption key management process established
View 1 more Data Security control
Organization Security
  • Risk Assessment and treatment established
  • Vendor Risk Management established
  • Asset Management maintained
View 6 more Organization Security controls
Endpoint Security
  • Endpoint Detection and Response established
  • Disk encryption enforced
  • Threat and Malware protection enforced
View 1 more Endpoint Security control

Subprocessors

  • AzureCloud service provider
  • CloudflareWeb infrastructure platform providing CDN, DNS and security services
  • CoralogixLogging & monitoring
  • DescopeUser management, authentication & authorization
  • DocuSignWorkspace productivity and collaboration
  • Google WorkspaceWorkspace productivity and collaboration
  • LogRocketAnalytics and BI
  • MondayWork OS for project and workflow management
  • OpenAILarge Language Model provider
  • RenderAudit logging and monitoring
  • SlackWorkspace productivity and collaboration

Frequently asked questions

How is my data encrypted?

All Notch web traffic sent over the public internet is encrypted in transit using TLS 1.2+, and data at rest is encrypted with AES-256. A formal encryption key management process governs the lifecycle of cryptographic keys.

Which compliance certifications does Notch hold?

Notch is certified for SOC 2 Type II and ISO 27001, and complies with GDPR, CCPA, and HIPAA. Our architecture is also designed to satisfy sector-specific obligations such as the EU AI Act, FCA Consumer Duty, and FFIEC guidance.

Who can access customer data?

Access is granted on the principle of least privilege using Role-Based Access Control, enforced with single sign-on and multi-factor authentication. Production and production database access are restricted, access requests follow a defined approval process, and user access reviews are conducted regularly. Audit logs capture all activity on production systems.

Does Notch perform penetration testing and vulnerability scanning?

Yes. Independent penetration tests are conducted regularly, complemented by ongoing vulnerability scanning, intrusion detection systems, and a secure software development lifecycle. A penetration test summary is available on request. We also operate a responsible disclosure program - reports can be sent to security@notch.cx.

How does Notch keep AI agents compliant and auditable?

Notch AI agents operate within deterministic, policy-bound guardrails that control when and how AI engages. Every decision is logged with its reasoning and source references, providing a full audit trail for QA, compliance review, and regulators. Behavior is customizable by line of business, geography, and customer tier, with escalation paths and approval workflows reflecting your governance model.

What happens if there is a service disruption or security incident?

Notch maintains tested Business Continuity, Disaster Recovery, and Incident Response plans. Production runs across multiple availability zones with continuous monitoring, and data backups and restoration procedures are tested regularly.

Does Notch use third-party subprocessors?

Yes. Notch uses a limited set of vetted subprocessors, listed on this page, to deliver its service. Every vendor goes through a strict approval process requiring SOC 2 / ISO 27001 and data regulation compliance, and is reviewed on an ongoing basis.

Is my data used to train AI models?

No. Neither Notch nor its LLM API vendors train models on customer data. AI providers are accessed exclusively through enterprise accounts with zero data retention, and are chosen specifically for their security and privacy posture.

Where is my data stored, and is it isolated from other customers?

Notch offers EU data residency options and enforces strong separation between tenant data - multitenant deployments run on separate servers, with an option for a fully separate environment and infrastructure. Databases run with replicas, servers autoscale, and vendors provide multi-zone fallback for redundancy and disaster recovery.

How does Notch handle data retention, deletion, and privacy compliance?

Notch's privacy program is led by a dedicated Data Protection Officer and complies with GDPR, CCPA, and other major regional regulations. A DPA covers retention periods that you decide, with configurable retention and secure deletion, purpose limitation, data minimization, and automatic or API-based data redaction.

What deployment options does Notch offer?

Notch runs as SaaS on cloud servers in a private VPC, protected by WAF and DDoS protection, IP access restrictions, and strong authentication, with authentication and authorization (SSO, MFA, PassKeys) via Descope and integration with enterprise IAM. A BYOC (bring your own cloud) option is available for deploying compute, storage, and integrations within your own environment.