Compliance Layer 3.0


Purpose

Unique builds enterprise-grade AI solutions for financial services institutions worldwide. Security, compliance, and data protection are foundational to Unique AI. This document outlines the compliance measures and technical controls that enable financial institutions to deploy Unique AI while meeting regulatory requirements across jurisdictions.

Our approach:

  • Security-first architecture: End-to-end encryption, zero-trust access controls, and continuous vulnerability management.

  • Regulatory compliance: Alignment with GDPR, FINMA, MAS, NY SHIELD Act, and other financial services regulations globally.

  • LLM flexibility: Connect to any LLM provider, such as Microsoft Azure OpenAI, AWS Bedrock, Anthropic Claude, open-source models (such as Mistral or Qwen), or your own fine-tuned models.

  • Deployment options: Unique-hosted in the cloud, or a self-hosted tenant running either on-premises or in the client's own cloud environment, such as Azure or AWS.

Unique is also dedicated to a comprehensive AI Governance Framework that aligns with its clients' values and regulatory compliance while also meeting high integrity standards. We employ a variety of strategies for AI Governance, including automated benchmarking for quality and correctness checks, the implementation of principles and operationalization encompassing processes, procedures, policies, and regulations, and risk mitigation for GenAI.

Info: Further information can be found here: AI Governance Framework.

Unique Compliance Layer: Technical Implementation

In this context, the compliance layer refers to the set of principles, processes, and control structures established by Unique to comply with the legal, regulatory, and internal requirements of our financial services customers. It is a mechanism that protects the organization from compliance breaches and ensures that it adheres to generally accepted market standards, codes of conduct, and data protection principles globally.

The compliance layer includes measures such as data minimization, encryption, anonymization, data classification, access control, and responsible prompting. By implementing Unique's compliance layer for Unique AI, financial services institutions (FSIs) can strengthen the security of their applications, increase protection against potential threats, and ensure compliance with both local and global data protection and banking regulations.

[Figure: Seven compliance layers make us the trusted solution for financial services]

Risk Management

We conduct monthly and quarterly risk reviews with relevant stakeholders based on ISO 27001 and SOC 2. Furthermore, we regularly review and assess such as

A Secure Software Development Lifecycle (SSDLC) embeds security throughout development. A continuous, managed bug bounty program involving external researchers incentivizes responsible disclosure of vulnerabilities in our services. Documented incident response procedures ensure rapid containment and remediation of security events.

Privacy by Design and Default

Privacy protections begin at the architectural level, ensuring data is processed with minimum necessary access and retained only as long as required.

  • Data is encrypted at rest using AES-256 and in transit using TLS 1.2+, with HSM-backed key management to ensure cryptographic security.

  • Data subject rights, including access, rectification, erasure, and portability, are built into core workflows.

  • Our SOC 2 Type II compliance demonstrates continuous adherence to confidentiality and privacy principles through independent auditor verification.

Zero-Trust Access Framework

Access control applies to both human users and autonomous AI agents, with granular permissions defining who can access data, which AI systems can process information, and which tools agents can use. Workspace isolation creates secure boundaries for different projects, departments, or client engagements. Temporary privileged access ensures administrators never have standing access to sensitive data. All elevated permissions are time-bound, purpose-specific, and logged. ISO 27001 certified access control processes ensure consistent application of security policies. Integration with existing identity providers enables seamless authentication while maintaining security controls.

Digital Sovereignty

Digital sovereignty ensures full control over deployment architecture and data jurisdiction. Organizations choose their preferred deployment model (cloud single-tenant, cloud multi-tenant, self-hosted, or on-premises) and select their data jurisdiction (CH, EU, US, UK, APAC) to meet local regulatory requirements. This flexibility enables compliance with data residency mandates while maintaining operational efficiency across different regulatory environments.

Key capabilities:

  • Flexible deployment models (Unique hosted, self-hosted, or on-premises).

  • Jurisdiction selection for data processing and storage. Clients can choose where their data is processed, hosted, and stored.

  • Compliance with regional data sovereignty requirements.

  • Architectural choices aligned with organizational security posture.

Human-in-the-Loop Governance

Human oversight mechanisms ensure AI systems enhance rather than replace human judgment in critical decisions. Advanced RAG technology with document-level highlighting enables users to verify information sources directly.

Key controls:

  • Benchmarking: Ensures AI systems behave as intended and identifies where human-in-the-loop review is appropriate.

  • Our ISO 42001 certification - the international standard for AI Management Systems - validates that quality controls, risk management processes, and continuous improvement mechanisms meet rigorous third-party requirements. For high-stakes decisions, approval workflows require human sign-off before execution.

Info: Read more about how we incorporated human-in-the-loop for MCP here: MCP Governance Framework V1.0

Data Leakage Prevention (DLP)

Our DLP integration leverages clients' existing infrastructure through three complementary methods. DLP Proxy integration enables real-time scanning of HTTPS traffic through managed devices and VPNs, inspecting content before it reaches external systems. Analytics APIs support post-processing controls, allowing compliance teams to extract and scan prompts, messages, and chats through their existing DLP systems on a scheduled basis. A third method, Pre-LLM DLP calling, can be implemented for clients requiring real-time scanning before LLM processing. Unique's architecture supports standard HTTPS interception without exotic configurations to ensure compatibility with leading DLP vendors.

Info: Read here for more information: Data Leakage Prevention (DLP)

Legal Framework

Our Legal Framework is designed to address the stringent requirements of financial services AI deployments. Jurisdiction-specific amendments incorporate regulatory expectations from bodies such as FINMA, FCA, and MAS. Banking secrecy clauses ensure confidentiality protections equivalent to those of traditional banking relationships. The framework establishes clear liability boundaries, defines data ownership explicitly, and provides regulatory examination rights that enable financial institutions to demonstrate compliance during audits. These protections can evolve as AI regulations develop, ensuring continued alignment with emerging requirements such as the EU AI Act.

FSI-specific Amendments for Unique-hosted Deployments

Info: We also have FSI amendments in place for our contracts with Microsoft:

  • M453 – FINMA. The Financial Services Amendment (FSA) and jurisdiction-specific companion amendment (Switzerland), including FINMA requirements such as audit rights.

  • M744 – Bank secrecy. Includes professional secrecy and industry-specific terms regarding banking secrecy.

  • M329 – CH data protection. The Switzerland-specific amendment to the Microsoft Products and Services Data Protection Addendum.

Feature overview

Overview of feature availability depending on deployment model

| Feature | Multitenant | Single Tenant | Client hosted | On Premises |
|---|---|---|---|---|
| SSO | AVAILABLE | AVAILABLE | AVAILABLE | AVAILABLE |
| End-User TOCs | AVAILABLE | AVAILABLE | AVAILABLE | AVAILABLE |
| DLP integration | NOT AVAILABLE | AVAILABLE | AVAILABLE | AVAILABLE |
| Benchmarking | AVAILABLE | AVAILABLE | AVAILABLE | AVAILABLE |
| Encryption at rest and in transit | AVAILABLE | AVAILABLE | AVAILABLE | AVAILABLE |
| Enforced 2FA with strong password policy | AVAILABLE | AVAILABLE | NOT APPLICABLE | NOT APPLICABLE |
| FSI Amendments | AVAILABLE | AVAILABLE | NOT APPLICABLE | NOT APPLICABLE |
| Opt-out for abuse monitoring | AVAILABLE | AVAILABLE | NOT APPLICABLE | NOT APPLICABLE |
| Content filtering | AVAILABLE | AVAILABLE | AVAILABLE | NOT APPLICABLE |
| Data hosting location | Switzerland North | All supported hosting regions | All supported hosting regions | NOT APPLICABLE |
| Temporary access to data | NOT AVAILABLE | AVAILABLE | NOT APPLICABLE | NOT APPLICABLE |
| Privileged Access Management (PAM) | NOT AVAILABLE | AVAILABLE | NOT APPLICABLE | NOT APPLICABLE |
| HSM-backed encryption keys | NOT AVAILABLE | AVAILABLE | AVAILABLE | NOT APPLICABLE |
