Security & architecture
Built for data that matters
Lending data demands infrastructure that takes security seriously — not as a feature checkbox, but as a foundational architecture decision. Multi-tenant isolation, comprehensive audit trails, and granular access controls — built into the architecture.
Architecture
Enterprise infrastructure, purpose-built for lending
CORE runs on Microsoft Azure with a multi-tenant architecture that isolates each organization's data at the database level — separate database instances per tenant, independently encrypted and recoverable.
- Azure Cloud Infrastructure: Hosted on Microsoft Azure with enterprise SLAs, geo-redundant storage, and automatic failover.
- MongoDB Atlas: Database layer on MongoDB Atlas with dedicated clusters per tenant, encrypted storage, and automated backups.
- Anthropic Claude AI: AI capabilities powered by Anthropic's Claude with data processing agreements and no model training on customer data.
[Diagram: Multi-tenant isolation architecture, showing three isolated instances]
Data isolation
Your data is yours. Period.
Multi-tenant isolation isn't a settings toggle in CORE — it's the architecture. Each organization operates in a completely separate database instance. There is no scenario where a query from one tenant returns another tenant's data, because the data doesn't live in the same database.
This isn't row-level security or shared-table filtering. It's physical separation at the database level. Each tenant's data is independently encrypted, independently backed up, and independently recoverable.
- Separate database instances per organization
- Independent encryption keys per tenant
- No shared tables or row-level filtering
- Independent backup and recovery per organization
- Tenant data never crosses boundaries in application logic
Isolation architecture comparison
- Shared tables with row-level filtering: A misconfigured query, a missing filter, an ORM bug — and data crosses boundaries.
- Separate database instance per tenant: No shared tables. No filter dependencies. Each instance is independently encrypted and recoverable.
Access control
Right people. Right data. Right actions.
Role-based access control defines what each user can see and do at the organization level, the deal level, and the feature level.
- Role-based access control (RBAC) with custom role definitions
- Organization-level permissions for system administration
- Deal-level access control — assign who can view, edit, or approve
- Feature-level permissions — control access to AI, export, admin functions
- Approval gates requiring specific roles for stage progression
- Session management with configurable timeout policies
Audit & compliance
Every action documented. Every decision traceable.
When an examiner asks how your team reached a conclusion, CORE has the answer. Every significant action in the system — document uploads, analysis changes, memo edits, AI generation events, approval decisions — is logged with the user, timestamp, and full context.
This isn't just a log file. It's a structured audit trail that connects actions to outcomes. Who changed this section? What was it before? What evidence was cited? When was it approved, and by whom?
- Comprehensive action logging with user attribution
- Before/after tracking for document and memo changes
- AI action audit trail — every generation, edit, and approval logged
- Evidence chain documentation from source to output
- Examiner-ready audit reports exportable per deal
- Retention policies configurable per organization

Data protection
Encrypted at rest. Encrypted in transit. No exceptions.
- TLS 1.2+ for all data in transit: Every connection between clients, APIs, and services is encrypted with TLS 1.2 or higher. No exceptions, no fallback to unencrypted channels.
- AES-256 encryption for data at rest: All stored data — documents, analysis, memos, and metadata — is encrypted at rest using AES-256 across every storage layer.
- Encrypted database connections: Database connections use TLS encryption with certificate verification. No plaintext database traffic, even within the internal network.
- Secure file storage with access controls: Uploaded documents are stored in encrypted blob storage with access policies scoped to the owning tenant and authorized users.
- API authentication with token rotation: API access requires authenticated tokens with configurable expiration and automatic rotation. Revoked tokens are invalidated immediately.
- Secret management via Azure Key Vault: Application secrets, encryption keys, and credentials are managed through Azure Key Vault with audit logging on every access.
AI governance
AI that operates within your boundaries
CORE uses Anthropic's Claude for AI capabilities. Your data is processed under data processing agreements that prohibit model training on customer data. AI outputs are governed by configurable controls.
Compliance readiness
Built for regulated environments
CORE is designed for lending environments subject to regulatory oversight. While specific certifications are program-dependent, the architecture is designed with these frameworks in mind.
- SOC 2 Type II: Architecture designed to meet SOC 2 requirements for security, availability, and confidentiality.
- GLBA: Data isolation and access controls support Gramm-Leach-Bliley Act safeguard requirements.
- Regulatory Audit Support: Examiner-ready audit trails and evidence documentation for OCC, FDIC, and state examinations.
- Data Residency: Azure infrastructure with configurable data residency for US-based data processing requirements.
Questions about security? Let's talk.
We're happy to walk through our architecture, share our security documentation, and discuss how CORE meets your compliance requirements.