View .md

Security & your data

How CorpSec AI protects sensitive personal data, why the audit trail can never be edited, and how you can export everything you hold at any time — no lock-in.

CorpSec AI product guide·Updated 2026-07-11

Sensitive data is masked everywhereLive

Identity numbers are never shown in full. Across the screen, in exports, and in anything the AI sees, an NRIC / FIN / passport number is masked to its first character and last four digits — for example S1234567A becomes S****567A. This means even the AI that drafts your documents never handles a raw identity number.

An officer record showing a masked ID number like "S****567A".

Encryption at restLive

The most sensitive fields on an officer record — the identity number, address and email, plus sensitive answers in client forms — are designed to be encrypted at rest using strong, per-firm keys (AES-256-GCM envelope encryption). Each encrypted value is tied to your firm, so it cannot be moved or replayed elsewhere.

Note

Encryption switches on when your firm’s encryption key is provisioned; until then those fields are stored as-is. Masking, however, is always on regardless. If encryption at rest is a procurement requirement for you, confirm your key is provisioned.

An audit trail that cannot be editedLive

Every meaningful action — a document generated, a status changed, a company created, a firm renamed, a KYC gate blocking a document — is written to an audit log. You can read it in Settings → Audit Log or the right panel’s Activity tab.

Crucially, the log is append-only. Records can be added but never changed or deleted — and this is enforced at the database level, not merely by the app. That gives you a tamper-evident history you can stand behind in an inspection.

The Audit Log table: Time, Action, User and Details columns, newest first.

Export everything — no lock-inLive

Your data is yours. An admin can export the entire firm from Settings → Account → Export firm data. Three shapes are available:

  • JSON — a full snapshot: companies, officers, tasks and their workflow state, KYC dossiers, invoices and billing, fee schedule, documents and an audit summary.
  • CSV — the ACRA-style registers of companies and officers.
  • ZIP — the JSON and CSVs plus every generated document file, with a manifest of what is included.
Note

By default, identity numbers in exports are masked. An admin can produce an unmasked export with an explicit confirmation step — and that stronger export is itself recorded in the audit log.

Inspection evidence packLive

CorpSec AI assembles a regulator-ready evidence pack — a cover attestation, each company’s CDD dossier, a firm summary, and an integrity manifest that lets a third party re-verify nothing was altered, with honest flags wherever screening was on demo data.

It is available today from Settings → Inspection Pack (admin only). Choose the pack type — ACRA CSP AML/CFT, PDPC data protection, or general due-diligence — and generate the bundle in one action. The full JSON / ZIP data export above remains available for a raw snapshot.

Note

The Prepare for an ACRA inspection playbook walks you through using the inspection pack step by step.

Where your data is hosted

CorpSec AI hosts data in Singapore. For the full security and privacy posture — sub-processors, retention and the data-processing agreement — see the Security and Privacy pages.

Frequently asked questions

Can anyone tamper with the audit log?

No. It is append-only and the database itself refuses to update or delete entries. New records can be added, but history cannot be rewritten.

Is my data encrypted?

Sensitive identity fields are masked everywhere and are encrypted at rest when your firm’s encryption key is provisioned. Data is hosted in Singapore.

What if I want to leave?

Export everything at any time — JSON, CSV, or a ZIP that includes all your generated documents. There is no lock-in.

Does the AI see clients’ NRIC numbers?

No. Identity numbers are masked before they ever reach the AI; the real number is only re-applied inside the final legal document, server-side.

This is a product guide for CorpSec AI. Where a feature runs on demo data or is not yet released, it is labelled as such. Compliance references are general information for Singapore corporate service providers, not legal advice.

Was this helpful?