Security & Trust
Nance works inside your financial systems, so security and responsible AI are foundations of the product, not afterthoughts. Here is how we protect your data and how we build AI we can stand behind.
We take building with AI seriously
Nance is not a thin layer over a language model. It is a system for running real financial operations, and we engineer it like one. A large part of our work goes into the parts customers never see: evaluating agent behaviour, verifying output, monitoring what runs in production, and keeping people in control of consequential actions.
The result is an assistant you can trust with sensitive financial processes, backed by the security practices and governance you would expect from a system that touches your books.
How we build and operate AI
Responsible AI, engineered in
Nance works alongside you like a virtual finance colleague. You get the most from her by directing her work and reviewing it, the way you would with any capable teammate, rather than accepting her output unchecked.
Evaluations before we ship
New agent behaviour is measured against evaluation suites before it reaches customers. We treat agent quality as something to test, not assume.
Agentic or deterministic by design
Routine financial processes can run as fixed, deterministic steps where reliability matters most, or as reasoning agents where judgement is needed. You can choose the right mode for each process rather than forcing everything through a model.
Self-reinforcing verification loops
Nance runs loops that memorise, judge and correct her work in a cycle, checking output against the underlying data so quality compounds over successive passes rather than relying on a single attempt.
Output monitoring and traceability
We track what the agents produce in operation. That visibility means behaviour can be reviewed and acted upon, so when something needs attention we can find it, investigate it and respond.
Human-in-the-loop approvals
Actions that change financial state, such as processing payments, ask for explicit human approval before they run. People stay in control of consequential steps.
Audit trails and logging
Workflows, tool calls and system activity are logged so every action Nance takes can be traced and reviewed.
Compliance and data protection
ISO 27001
In progress. We are implementing an information security management system and working towards ISO 27001 certification. The work covers our security policies, access controls, risk management and supplier governance.
GDPR
We process personal data under the GDPR, with Data Processing Agreements for our customers and technical and organisational measures under Article 32. Details of what we process, our sub-processors and data transfers are set out in our Privacy Policy.
How we protect your data
- EU data residency for customers who require it, so financial data can be kept and processed within the EU end to end.
- Encryption of data in transit and at rest, with access limited to authorised personnel on a need-to-know basis.
- Audit trails and system logging across workflows and integrations, so activity can be traced and reviewed.
- Regular testing and vulnerability management, with monitoring of the systems used to deliver the service.
- Vetted sub-processors under data processing terms, with appropriate safeguards such as Standard Contractual Clauses for any transfers outside the EU.
Where we stand on the EU AI Act
We have assessed Nance against the EU AI Act. Nance supports finance teams with accounting and ERP data for businesses. It does not score the creditworthiness of individuals or make the kinds of decisions the Act treats as high risk, so we operate Nance as a limited-risk AI system.
For that category we focus on the obligations that apply:
- Transparency. It is always clear that you are working with an AI assistant, and we mark output that Nance generates.
- Human oversight. Consequential actions require human approval, and people can review, correct or override what Nance does.
- AI literacy. Our team is trained to understand the capabilities and limits of the systems we build and operate.
We track how the AI Act and its standards develop, including work on AI management systems, and we adjust our practices as the rules take effect.
Reporting a security issue
If you believe you have found a security vulnerability in Nance, we want to hear from you. Please contact our team and we will work with you to resolve it. We ask that you give us a reasonable opportunity to respond before any public disclosure.
[email protected]