SOC 2 Type II Certified

Security you can trust

Your financial data is sacred. We use bank-level security to ensure it stays protected.

🛡️

SOC 2 Type II

Certified

Annual audits ensure our security controls meet the highest standards.

🇪🇺

GDPR Compliant

Compliant

Full compliance with EU data protection regulations.

🔐

256-bit Encryption

Active

All data encrypted at rest and in transit using AES-256.

⬆️

99.9% Uptime SLA

Guaranteed

Guaranteed availability with automatic failover systems.

Security Best Practices

We implement industry-leading security practices across every layer of our infrastructure.

Data Protection

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Daily encrypted backups
  • Geo-redundant storage
  • Automatic data retention policies

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • SSO with SAML 2.0 (Enterprise)
  • Audit logs for all actions
  • IP allowlisting (Enterprise)

Infrastructure

  • Hosted on AWS with SOC 2 compliance
  • Auto-scaling infrastructure
  • DDoS protection
  • WAF (Web Application Firewall)
  • Regular penetration testing

Operational Security

  • Background checks for all employees
  • Security awareness training
  • 24/7 security monitoring
  • Incident response plan
  • Bug bounty program

TRUST CENTER

Compliance documentation

Access our security documentation, compliance certifications, and audit reports. Enterprise customers get access to our full Trust Center.

  • 📋 SOC 2 Report
  • 📄 Pen Test Results
  • 🔏 DPA Template
  • 📊 Security FAQ

Security FAQ

How is my financial data protected?

All financial data is encrypted using AES-256 encryption at rest and TLS 1.3 in transit. We never store raw banking credentials—all bank connections go through Plaid with tokenized access.

Who can access my data?

Only you and team members you explicitly invite can access your data. Our engineering team cannot view your data without explicit written permission for support purposes, and all access is logged.

Where is my data stored?

Data is stored in AWS data centers in the United States with geo-redundant backups. Enterprise customers can request data residency in EU or other regions.

How do you handle data breaches?

We have a comprehensive incident response plan. In the unlikely event of a breach, affected customers are notified within 72 hours per GDPR requirements, with full transparency about the scope and remediation steps.

Can I export or delete my data?

Yes, you can export all your data at any time in CSV or JSON format. You can also request complete data deletion, which is processed within 30 days per our data retention policy.

Do you sell my data?

Absolutely not. We never sell, share, or monetize your data. Your financial information is used solely to provide the culta.ai service to you.

Have security questions?

Our security team is happy to answer any questions about how we protect your data.

Contact security team