
Built for the firms that cannot afford to get this wrong.

SOC 2 Type II. Tenant isolation. No training on your data. The CCO's documentation, written by someone who's been a CCO.

SOC 2 Type II
Annually audited by Schellman & Co.
AES-256 at rest
TLS 1.3 in transit. Per-tenant keys.
US-hosted on Azure
East-US-2 / West-US-3. EU residency available.
No model training
Customer data never enters foundation model training sets.

Data handling

Tenant model
Each customer firm runs in a dedicated logical tenant with isolated storage, isolated vector indexes, and isolated retrieval surfaces. No cross-tenant queries are possible at the platform level.
Read-only by default
All custodial, accounting, and CRM integrations are read-only. Drift never writes to a system of record without an explicit, scoped, audited write grant.
Retention
Documents and conversation history are retained per the customer's policy (default 7 years for compliance). Customers can purge any record on request; deletions propagate within 24 hours.
Backups
Encrypted point-in-time backups every 6 hours, retained 35 days. Backup restores are logged and require dual approval.

Encryption

At rest
AES-256-GCM. Per-tenant data encryption keys, wrapped by a master key in Azure Key Vault HSM (FIPS 140-2 Level 3).
In transit
TLS 1.3 enforced on all customer and integration endpoints. Internal service-to-service communication uses mTLS.
Key rotation
Master keys rotated annually. Per-tenant keys rotated on demand or on a customer-defined schedule.
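The key hierarchy described above (a per-tenant data encryption key, wrapped by a master key that lives in an HSM, with the master key rotated on a schedule and tenant keys rotated on demand) is shown below as an added worked example. It is illustrative code written for this page, not Drift's implementation: the master key is an in-memory byte slice standing in for the Key Vault HSM, the tenant IDs, the `tenant=...;dek=...` AAD format and the version-numbering scheme are assumptions of the example, and the sample plaintext in the usage is constructed. It also illustrates the per-tenant key claim from the tenant model section: a ciphertext presented under another tenant's ID does not decrypt, because that tenant's DEK is a different key and the tenant ID is bound into the ciphertext as additional authenticated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is an AES-256-GCM ciphertext tagged with the DEK version it belongs to; it holds both a wrapped DEK and a stored record.
type Blob struct {
	DEKVersion        int
	Nonce, Ciphertext []byte
}

// KeyStore stands in for the service in front of the HSM; the master key is a byte slice here (assumption), in production it never leaves the HSM.
type KeyStore struct {
	master  []byte
	tenants map[string][]Blob // wrapped DEKs per tenant; index i holds version i+1
}

func NewKeyStore() *KeyStore { return &KeyStore{master: randomBytes(32), tenants: map[string][]Blob{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256; fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts under key with a fresh 96-bit random nonce and binds aad as additional authenticated data.
func seal(key []byte, v int, aad, plaintext []byte) Blob {
	nonce := randomBytes(12)
	return Blob{v, nonce, aead(key).Seal(nil, nonce, plaintext, aad)}
}

// wrapAAD binds tenant and version into a wrap, so a wrapped DEK cannot be replayed for another tenant or version.
func wrapAAD(tenantID string, v int) []byte { return []byte(fmt.Sprintf("tenant=%s;dek=%d", tenantID, v)) }

// dek unwraps one version of a tenant's DEK under the current master key.
func (ks *KeyStore) dek(tenantID string, v int) ([]byte, error) {
	deks := ks.tenants[tenantID]
	if v < 1 || v > len(deks) {
		return nil, fmt.Errorf("no DEK version %d for tenant %q", v, tenantID)
	}
	return aead(ks.master).Open(nil, deks[v-1].Nonce, deks[v-1].Ciphertext, wrapAAD(tenantID, v))
}

// RotateTenantDEK issues the next DEK version for new writes (version 1 provisions the tenant); older versions stay readable until a re-encryption pass has moved every record forward.
func (ks *KeyStore) RotateTenantDEK(tenantID string) int {
	v := len(ks.tenants[tenantID]) + 1
	ks.tenants[tenantID] = append(ks.tenants[tenantID], seal(ks.master, v, wrapAAD(tenantID, v), randomBytes(32)))
	return v
}

// Encrypt seals plaintext under the tenant's newest DEK, with the tenant ID as additional authenticated data.
func (ks *KeyStore) Encrypt(tenantID string, plaintext []byte) (Blob, error) {
	v := len(ks.tenants[tenantID]) // 0 for an unknown tenant, which dek rejects
	dek, err := ks.dek(tenantID, v)
	if err != nil {
		return Blob{}, err
	}
	return seal(dek, v, []byte(tenantID), plaintext), nil
}

// Decrypt opens a record. Under another tenant's ID it fails twice over: wrong DEK and wrong AAD.
func (ks *KeyStore) Decrypt(tenantID string, r Blob) ([]byte, error) {
	dek, err := ks.dek(tenantID, r.DEKVersion)
	if err != nil {
		return nil, err
	}
	return aead(dek).Open(nil, r.Nonce, r.Ciphertext, []byte(tenantID))
}

// RotateMasterKey mints a new master key and rewraps every DEK under it; stored records are untouched, and the swap commits only once every rewrap has succeeded.
func (ks *KeyStore) RotateMasterKey() error {
	fresh, rewrapped := randomBytes(32), map[string][]Blob{}
	for id, deks := range ks.tenants {
		for v := 1; v <= len(deks); v++ {
			dek, err := ks.dek(id, v) // still unwraps with the old master
			if err != nil {
				return err // nothing committed; the old master stays in force
			}
			rewrapped[id] = append(rewrapped[id], seal(fresh, v, wrapAAD(id, v), dek))
		}
	}
	ks.master, ks.tenants = fresh, rewrapped // swap key and wraps together
	return nil
}
```

Usage: `ks := NewKeyStore(); ks.RotateTenantDEK("firm-a"); rec, _ := ks.Encrypt("firm-a", []byte("client ledger"))` (constructed sample), then `ks.RotateMasterKey()` followed by `ks.Decrypt("firm-a", rec)` still returns the plaintext, because master rotation only rewrapped the DEK. The two rotations in the text cost different amounts for that reason: rotating the master key touches one small blob per tenant key, while retiring an old tenant DEK requires re-encrypting every record written under it, which is why records carry the DEK version and old versions remain readable in the meantime. With a real HSM, `seal`/`Open` on the master key would be the HSM's key-wrap and key-unwrap operations and the plaintext master key would never be held in process memory.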

Access controls

SSO
SAML 2.0 and OIDC supported. Okta, Microsoft Entra, Google Workspace tested.
MFA
Required for all admin actions. Phishing-resistant (WebAuthn/FIDO2) supported and recommended.
RBAC
Per-firm role definitions. Permission grants are versioned and reviewable.
Audit log
Every read, write, prompt, and approval is logged with actor, timestamp, source IP, and result. Logs are immutable and exportable.

AI training & data use

No training on customer data
Drift does not use customer data to train, fine-tune, or improve any foundation model — ours or our vendors’.
Inference isolation
Inference requests run against zero-retention model endpoints. No prompts or responses are retained by the model provider.
Source-grounded outputs
Every model output is grounded in retrieved customer documents. Sources are cited inline; ungrounded claims are surfaced as such.

Sub-processors

Microsoft Azure
Primary infrastructure (compute, storage, identity).
Anthropic & OpenAI
Foundation model inference. Both contracted under zero-retention enterprise terms.
Datadog
Operational telemetry. No customer document content transmitted.
Vercel
Marketing-site hosting only. No customer data.

Compliance certifications

SOC 2 Type II
Continuous since 2025. Latest report available under NDA.
SEC / FINRA-aligned
Controls mapped to Reg S-P, Reg S-ID, FINRA 4511 books-and-records requirements.
GLBA
Safeguards Rule controls in place. Annual risk assessment.
HIPAA / state privacy
Available on enterprise plans where applicable.

Incident response

24/7 on-call
Paired engineering and security on-call rotation. Mean time to acknowledge under 15 minutes.
Customer notification
Confirmed security incidents communicated to affected customers within 24 hours.
Postmortems
Public postmortems for any incident affecting more than one customer. Internal-only postmortems shared with affected customers under NDA.

For procurement

Download the full security overview.

SOC 2 report, sub-processor list, DPA, and standard responses to RIA and bank security questionnaires.

Request the package
Founded 2026 · SOC 2 Type II in progress · Built in San Francisco