═══════════════════════════════════════════════════════════════════════ BANKINGPITCH — SECURITY OVERVIEW Confidential — For prospective enterprise customers Version 1.0 — June 2026 ═══════════════════════════════════════════════════════════════════════ 1. DATA RESIDENCY ───────────────── • Private cloud deployment on Azure or AWS • Choice of UK, EU, US, or APAC deployment regions • Data residency contractually guaranteed • Customer data never leaves the designated region • Multi-tenant or single-tenant architecture options 2. ENCRYPTION ───────────── • Data at rest: AES-256 encryption • Data in transit: TLS 1.3 minimum • Database connections: SSL/TLS enforced • API keys and secrets: encrypted in environment variables • Backup encryption: AES-256 with customer-managed keys (CMK) option 3. ACCESS CONTROL ───────────────── • SAML 2.0 and OIDC single sign-on (SSO) • Compatible with Okta, Azure AD, Ping Identity, OneLogin • Multi-factor authentication (MFA) enforced by default • 5-tier role-based access control (RBAC): - Analyst: create and edit deals - Associate: create and edit deals - VP: create, edit, and approve (others' deals only — four-eye) - MD: full access including team management - Admin: system administration and user management • Session management: JWT with configurable expiry • IP allowlisting available on enterprise plans 4. AUDIT TRAIL ────────────── • Append-only audit log — cannot be modified or deleted • Every action logged: creation, generation, edits, approvals, exports • Timestamped entries with user attribution and metadata • WORM (Write Once Read Many) retention option • Compliance export: one-click audit trail PDF for regulators • Retention period: configurable, default 7 years • Admin dashboard for system-wide audit log review 5. FOUR-EYE PRINCIPLE (SEPARATION OF DUTIES) ───────────────────────────────────────────── • Deal creator cannot approve their own pitch book • Approval requires VP-level role or above • Enforced at API level — cannot be bypassed via UI • Both creator and approver identities permanently logged • Compliant with MiFID II and FCA review requirements 6. AI DATA USE POLICY ───────────────────── • BankingPitch uses Anthropic's Claude AI for content generation • Customer data is NOT used to train AI models • Anthropic data processing addendum available • AI never invents financial figures — all numbers from structured inputs • Generated content is stored in customer's database only • Model card available for MRM review (PRA SS1/23 compliant) 7. COMPLIANCE FRAMEWORKS ──────────────────────── • SOC 2 Type II: in progress • GDPR: compliant, DPA available • UK GDPR / Data Protection Act 2018: compliant • ISO 27001: aligned • MiFID II: four-eye principle, audit trail • FCA: review trail documentation • PRA SS1/23: MRM model card provided 8. INFRASTRUCTURE SECURITY ────────────────────────── • Cloud provider: Azure / AWS with enterprise support • Rate limiting on all API endpoints • DDoS protection via cloud provider • Regular vulnerability scanning • Dependency scanning and automated updates • Error boundary isolation — component failures don't cascade 9. PENETRATION TESTING ────────────────────── • Annual third-party penetration testing • Reports available on request under NDA • Bug bounty programme for responsible disclosure • Contact: security@bankingpitch.com 10. VENDOR RISK DOCUMENTATION ───────────────────────────── • Infosec DDQ (Due Diligence Questionnaire) pre-completed • CAIQ (Consensus Assessments Initiative Questionnaire) available • Sub-processor list maintained and available • Business continuity and disaster recovery plans documented • Insurance: professional indemnity and cyber liability ═══════════════════════════════════════════════════════════════════════ CONTACT Enterprise sales: enterprise@bankingpitch.com Security team: security@bankingpitch.com ═══════════════════════════════════════════════════════════════════════