Trust & Governance

Security & AI Governance

Explicit commitments for finance teams evaluating AI vendors. Only claims that are true for Engerman today.

Data Control

Your data is not used to train public models by default. You control retention and access.

Traceability

Every narrative links to source data, timestamps, and approval history.

Hallucination Containment

The system does not guess. If evidence is missing, it asks or abstains.

Access Controls

Customer data isolated per tenant. PII masked by default in the reviewer UI.

AI Governance Framework

How we use AI

  • AI is scoped to specific, constrained tasks: variance analysis and narrative generation.
  • AI does not make decisions. It drafts explanations that humans review and approve.
  • Every AI-generated claim must cite source data from the customer's GL export.
  • The system uses Claude (Anthropic) with structured prompts at low temperature. Low temperature reduces run-to-run variance; factual grounding comes from the citation requirement above, not from the sampling setting.
  • Fallback chain, in order: retry with the same model; retry with a higher-capability model; fall back to manual generation; escalate to human writing.

Hallucination policy

We don't guess; we cite, or abstain.

  • When evidence is insufficient, the system flags the gap rather than fabricating an explanation.
  • Every output goes through human QA review before delivery.
  • No memo is delivered without human sign-off.
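The cite-or-abstain rule above is enforceable mechanically: after generation, every claim's citations are resolved against the customer's GL export and the stated figure is recomputed from the cited rows. The check below is an added illustration, not Engerman's code; the GL columns, the structured claim format the model is assumed to return, and the two-period variance arithmetic are assumptions for the example. A memo containing any ungrounded claim is held for human review instead of being delivered.

```python
"""Grounding check for AI-generated variance narratives (added illustration).

Every claim must cite GL rows, and the cited rows must actually support the
stated figure. Claims that fail are flagged for abstention, never delivered.
"""
import csv
import io
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

# Constructed sample GL export. Column names are assumptions for the example.
GL_EXPORT_CSV = """row_id,period,account,amount
1,2024-05,6100 Travel,18250.00
2,2024-06,6100 Travel,30750.00
3,2024-05,6200 Software,9400.00
4,2024-06,6200 Software,9400.00
"""

# Constructed model output in an assumed structured form: each claim states a
# variance and lists the GL row ids it was derived from.
MODEL_CLAIMS = [
    {"text": "Travel rose 12,500 month over month.", "account": "6100 Travel",
     "variance": "12500.00", "cites": [1, 2]},
    {"text": "Software spend was flat.", "account": "6200 Software",
     "variance": "0.00", "cites": [3, 4]},
    # Fabricated: cites a row that does not exist in the export.
    {"text": "Marketing spend doubled.", "account": "6300 Marketing",
     "variance": "20000.00", "cites": [9]},
    # Misstated: cites real rows, but the arithmetic does not match them.
    {"text": "Travel rose 20,000 month over month.", "account": "6100 Travel",
     "variance": "20000.00", "cites": [1, 2]},
]


@dataclass
class GroundingResult:
    supported: list = field(default_factory=list)
    abstained: list = field(default_factory=list)  # (claim text, reason)

    @property
    def deliverable(self) -> bool:
        # Any ungrounded claim holds the whole memo for human review.
        return not self.abstained


def load_gl(csv_text: str) -> dict:
    """Index the GL export by row_id; amounts as Decimal, never float."""
    rows = {}
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows[int(r["row_id"])] = {
            "period": r["period"],
            "account": r["account"],
            "amount": Decimal(r["amount"]),
        }
    return rows


def check_claim(claim: dict, gl: dict,
                tolerance: Decimal = Decimal("0.01")) -> Optional[str]:
    """Return None if the citations support the claim, else the reason they do not."""
    cited = []
    for rid in claim["cites"]:
        if rid not in gl:
            return f"cites GL row {rid}, which is not in the export"
        cited.append(gl[rid])
    if any(r["account"] != claim["account"] for r in cited):
        return "cited rows belong to a different account than the claim"
    if len(cited) != 2:
        return "a variance claim needs exactly two periods cited"
    prior, current = sorted(cited, key=lambda r: r["period"])
    actual = current["amount"] - prior["amount"]  # recompute, do not trust the model
    if abs(actual - Decimal(claim["variance"])) > tolerance:
        return f"stated variance {claim['variance']} but cited rows give {actual}"
    return None


def ground(claims: list, gl: dict) -> GroundingResult:
    """Split claims into supported and abstained; abstained claims carry their reason."""
    result = GroundingResult()
    for c in claims:
        reason = check_claim(c, gl)
        if reason is None:
            result.supported.append(c["text"])
        else:
            result.abstained.append((c["text"], reason))
    return result


if __name__ == "__main__":
    res = ground(MODEL_CLAIMS, load_gl(GL_EXPORT_CSV))
    for text in res.supported:
        print("SUPPORTED ", text)
    for text, reason in res.abstained:
        print("ABSTAIN   ", text, "->", reason)
    print("deliverable:", res.deliverable)
```

The two failing claims show the two ways a narrative goes wrong: a citation that points at nothing in the export, and a citation that is real but does not produce the stated number. Both are caught without any judgement call about the prose, which is why recomputing from cited rows is a stronger control than lowering temperature or asking the model to self-check.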

Model governance

  • Model selection is documented per generation run.
  • Token usage, prompt versions, and response metadata are logged.
  • Model changes are tested against historical outputs before deployment.

Data Controls

Training stance

  • Customer data is not used to train public models by default.
  • We process your data to generate your memo — nothing more.
  • No opt-in training without explicit written consent.

Data boundaries

  • Read-only access to accounting systems. We never write back.
  • Customer data is isolated per tenant (namespace separation); there is no cross-client state access path.

Retention

  • You control data retention periods.
  • Data deletion available on request.
  • Processing artifacts (validation reports, analysis checkpoints) retained per your DPA terms.

Access controls

  • RBAC with least-privilege access.
  • SSO integration available.
  • PII masked by default in reviewer UI.
  • Audit logs for all data access.

Infrastructure & Compliance

Encryption

AES-256 at rest. TLS 1.2+ in transit.

Processing

Secure file intake: uploaded GL exports are validated and scanned for injection payloads before they reach the generation pipeline.

Audit trail

Every action logged: data upload, validation, generation, review, approval, delivery.

DPA

Data Processing Agreement available for all customers.

SOC 2

SOC 2 Type II attestation in progress. Contact us for our current security posture documentation.

Procurement Accelerator

Start Security Review

Share your security questionnaire and we will complete it within 5 business days.

Request Documentation

DPA template, security posture summary, subprocessor list, incident response process.

Request SOC 2 / DPA

Ready to see your data in a board memo?

Get a sample variance memo from your own GL export, or book a 20-minute evaluation with our team.