Security & Compliance
Enterprise-grade security. Regulatory-grade compliance.
TakeNote is built to handle some of the most sensitive conversations in financial services — client meetings where pensions, investments, health conditions, and family finances are discussed openly and in detail.
Security architecture
Multi-layered protection designed for regulatory environments
UK-only infrastructure
TakeNote's entire platform runs on Microsoft Azure in the UK South region. All data processing, storage, and backup takes place exclusively within the United Kingdom.
Encryption
AES-256 encryption at rest, TLS 1.3 in transit. Encryption keys managed through Azure Key Vault with automatic annual rotation.
Network security
Virtual Private Network deployment with Web Application Firewall, DDoS Protection, and network segmentation across presentation, application, and data tiers.
Access controls
Role-based access, multi-factor authentication enforced, SSO via SAML 2.0 and OpenID Connect, optional IP whitelisting.
Audit logging
Immutable audit trail for every action. Logs retained for a minimum of 2 years, tamper-protected with write-once storage.
Compliance framework
Built to support FCA-regulated advisory firms
FCA-structured output
Meeting summaries structured around suitability requirements, risk profiles, capacity for loss, and vulnerable customer indicators.
MiFID II retention
Five-year compliant record retention with immutable timestamps and complete audit trails on all records.
Consumer Duty evidence
Captures structured evidence of client understanding, value demonstration, and fair outcomes.
UK GDPR compliant
Full compliance with UK General Data Protection Regulation and Data Protection Act 2018. Comprehensive Data Processing Agreement available.
ICO Registration: ZB622400
Data protection
Your data, your control, your terms
No training on client data
Client data is never used to train, fine-tune, or improve AI models. This applies to all data without exception — contractually guaranteed.
Data isolation
Each advisory firm's data is logically isolated. No data sharing, aggregation, or cross-firm access.
Secure deletion
Industry-standard secure deletion methods at end of retention period. Written confirmation provided within 30 days.
Data portability
Export data at any time in structured, machine-readable formats. Full data return or secure deletion on service termination.
Operational security
Security practices embedded in our operations
Personnel security
Background checks including DBS, binding confidentiality obligations, mandatory annual training, immediate access revocation on departure.
Vulnerability management
Continuous automated scanning, dependency monitoring, defined remediation SLAs (Critical 24h, High 7d, Medium 30d).
Penetration testing
Annual penetration testing by an independent CREST-accredited firm covering application, infrastructure, and API security.
Incident response
Documented incident response procedure tested through regular tabletop exercises. Advisory firm notified within 24 hours of any breach.
Business continuity
Automated backups with 1-hour RPO and 4-hour RTO. 99.9% uptime SLA with annual disaster recovery testing.
Certifications and standards
| Certification | Status |
|---|---|
| Cyber Essentials Plus | Certified |
| ISO 27001 | In progress |
| ICO registered | ZB622400 |
| GDPR compliant | Yes |
| Annual CREST penetration test | Yes |
Due diligence support
Documentation to support your vendor assessment
- Data Processing Agreement (DPA)
- Data Protection Impact Assessment (DPIA) summary
- Sub-processor list with processing locations
- Security whitepaper
- Penetration testing summary (under NDA)
- Infrastructure architecture overview
- Responses to vendor assessment questionnaires (SIG Lite, CAIQ, or bespoke formats)
To request documentation or arrange a security discussion, contact dpo@takenote.ai
TakeNote Ltd
7 Bell Yard, London WC2A 2JR
Registered in England and Wales
Company number: 14828718
ICO registration: ZB622400
