Security & Compliance

Built for regulated mortgage environments.

RED handles borrower PII, lender guidelines, and consent-bearing communications. Every control below is on by default — not a paid upgrade.

Request DPA
SOC 2 Type II
In progress · Q4
GLBA-aligned
In production
TCPA compliant
In production
E-Sign (ESIGN Act)
In production
CCPA / DPA available
On request

Nine controls, on by default

The stack a mortgage CISO would build if they had a full platform team — pre-configured.

Encryption everywhere
TLS 1.2+ in transit, AES-256 at rest. Field-level encryption for PII (SSN, DOB, account numbers).
SSO & RBAC
SAML 2.0 and OIDC (Okta, Azure AD, Google). Enterprise-tunable roles: LO, TC, processor, branch manager, admin.
SCIM provisioning
Automated join/move/leave. Deprovisioned users lose access within 60 seconds of IdP action.
Full audit trail
Every borrower touch, RED draft, staff edit, and consent event logged with actor, timestamp, IP, and version.
Guideline versioning
Agency + investor overlays tracked with change history. Roll back at any time. Every RED cite pins the version it used.
Consent capture
TCPA + E-Sign consent captured with version, timestamp, and IP on every touchpoint. Exportable, borrower-viewable.
Data ownership & export
You own your data. Export any time. Deletion honored within 30 days (or on your DPA-defined SLA).
Isolated tenancy
Each enterprise gets a logically isolated tenant. Backups encrypted, versioned, and geo-replicated.
24/7 monitoring
Anomaly detection on auth, exfiltration, and abuse patterns. Named security contact for enterprise customers.
AI safety

How RED thinks — safely

RED is a mortgage AI, not a general chatbot. Every response is grounded, cited, and reversible.

Grounded on your guidelines

RED will not invent a guideline. If your overlay doesn't cover it, RED cites the agency base and flags the gap.

Human-in-the-loop by default

Every borrower comm goes through your staff for approval unless you explicitly turn on autonomous send for low-risk categories.

No borrower PII in prompts

PII is tokenized before it hits any model. Model providers receive tokens, not names/SSNs/account numbers.

Model provider isolation

Zero data retention negotiated with our model providers. Nothing you send trains any general model.

Documents & downloads

Available under NDA for pilot conversations. Enterprise deployments receive the full pack.

Incident response

Named security contact for every enterprise customer. Confirmed incidents disclosed within 72 hours (or on your DPA SLA). Public status page at status.readinessiq.ai.

Ready for the security review?

We'll walk your team through architecture, controls, and answer your SIG. Then send the DPA.