Security & your data
How CorpSec AI protects sensitive personal data, why the audit trail can never be edited, and how you can export everything you hold at any time — no lock-in.
Sensitive data is masked everywhereLive
Identity numbers are never shown in full. Across the screen, in exports, and in anything the AI sees, an NRIC / FIN / passport number is masked to its first character and last four digits — for example S1234567A becomes S****567A. This means even the AI that drafts your documents never handles a raw identity number.
Encryption at restLive
The most sensitive fields on an officer record — the identity number, address and email, plus sensitive answers in client forms — are designed to be encrypted at rest using strong, per-firm keys (AES-256-GCM envelope encryption). Each encrypted value is tied to your firm, so it cannot be moved or replayed elsewhere.
Encryption switches on when your firm’s encryption key is provisioned; until then those fields are stored as-is. Masking, however, is always on regardless. If encryption at rest is a procurement requirement for you, confirm your key is provisioned.
An audit trail that cannot be editedLive
Every meaningful action — a document generated, a status changed, a company created, a firm renamed, a KYC gate blocking a document — is written to an audit log. You can read it in Settings → Audit Log or the right panel’s Activity tab.
Crucially, the log is append-only. Records can be added but never changed or deleted — and this is enforced at the database level, not merely by the app. That gives you a tamper-evident history you can stand behind in an inspection.
Export everything — no lock-inLive
Your data is yours. An admin can export the entire firm from Settings → Account → Export firm data. Three shapes are available:
- JSON — a full snapshot: companies, officers, tasks and their workflow state, KYC dossiers, invoices and billing, fee schedule, documents and an audit summary.
- CSV — the ACRA-style registers of companies and officers.
- ZIP — the JSON and CSVs plus every generated document file, with a manifest of what is included.
By default, identity numbers in exports are masked. An admin can produce an unmasked export with an explicit confirmation step — and that stronger export is itself recorded in the audit log.
Inspection evidence packLive
CorpSec AI assembles a regulator-ready evidence pack — a cover attestation, each company’s CDD dossier, a firm summary, and an integrity manifest that lets a third party re-verify nothing was altered, with honest flags wherever screening was on demo data.
It is available today from Settings → Inspection Pack (admin only). Choose the pack type — ACRA CSP AML/CFT, PDPC data protection, or general due-diligence — and generate the bundle in one action. The full JSON / ZIP data export above remains available for a raw snapshot.
The Prepare for an ACRA inspection playbook walks you through using the inspection pack step by step.
Where your data is hosted
CorpSec AI hosts data in Singapore. For the full security and privacy posture — sub-processors, retention and the data-processing agreement — see the Security and Privacy pages.
Frequently asked questions
Can anyone tamper with the audit log?
No. It is append-only and the database itself refuses to update or delete entries. New records can be added, but history cannot be rewritten.
Is my data encrypted?
Sensitive identity fields are masked everywhere and are encrypted at rest when your firm’s encryption key is provisioned. Data is hosted in Singapore.
What if I want to leave?
Export everything at any time — JSON, CSV, or a ZIP that includes all your generated documents. There is no lock-in.
Does the AI see clients’ NRIC numbers?
No. Identity numbers are masked before they ever reach the AI; the real number is only re-applied inside the final legal document, server-side.
This is a product guide for CorpSec AI. Where a feature runs on demo data or is not yet released, it is labelled as such. Compliance references are general information for Singapore corporate service providers, not legal advice.