Security, Compliance & Data Protection


At UNIQUE, the foremost objective is to build and execute the most secure GPT-based solutions for the financial services industry (FSI) and to emerge as a leading partner for GPT-driven use cases in this sector. Ensuring the security of the sensitive data entrusted to us by financial services customers is UNIQUE's leading commitment. We therefore prioritize the security and resilience of their IT systems, applications, and business processes.

Unique closely partners with Microsoft to offer GenAI solutions in a secure and controlled environment: when working with Unique and using Microsoft Azure OpenAI Services, users are using an enterprise, private instance of OpenAI's ChatGPT packaged and hosted by Microsoft in our operational regions, including Switzerland, the United States, and the United Kingdom. Prompts and answers are shared with neither OpenAI nor Microsoft; to be precise, Microsoft processes the data but never stores it.

We foster a highly secure IT setup and adhere to the principle of data minimization, incorporating the most robust compliance setup possible in the industry. This proactive approach enables us to reduce any potential misuse of credentials, securely store and manage client data, adhere to the highest privileged access standards, and respond swiftly to emerging threats. Systems are designed to provide exceptional resistance to data exfiltration, and the UNIQUE team recognizes that security has to be integrated across the company within the development lifecycle, IT operations, and business processes.

Unique's proactive stance includes a robust bug bounty program, inviting skilled penetration testers to help fortify our defenses. Our foundation in Swiss and EU regulatory frameworks, known for their stringent data protection requirements, allows us to exceed compliance standards in all our markets, including the US and UK. By applying these rigorous Swiss and European standards across our global operations, we ensure comprehensive compliance with local regulations while providing an enhanced level of data protection for all clients. This commitment to security is further solidified by our ISO 9001 and ISO 27001 certifications, reflecting our dedication to quality management and information security excellence. Since January 2025, we are also SOC 2 Type 2 certified, a testament to our internal controls and systems related to security, availability, processing integrity, confidentiality, and privacy of data. Additionally, our ISO 42001 compliance demonstrates our adherence to international standards for artificial intelligence management systems, ensuring responsible AI governance, transparency, and risk management throughout the lifecycle of our GenAI solutions.

Read more about our AI Governance.

Security

Unique AI is built with security in mind:

ISO 9001: At Unique, we're proud to be ISO 9001 compliant, a testament to our commitment to quality and continuous improvement. Our processes are streamlined and customer-focused, ensuring top-tier service and reliability.

ISO 27001: Unique proudly upholds the ISO 27001 standard, demonstrating our unwavering commitment to information security management. Safeguarding data and ensuring privacy are at the heart of what we do.

ISO 42001: Since 2025, we are certified with ISO 42001. It specifies the requirements for establishing, implementing, maintaining, and continually improving an AI Management System within an organization.

Certification Coverage Matrix

Legend: ✅ Strong, 🔷 Complementary, ⚪️ n/a

| Controls | SOC 2 Type 2 | ISO 27001 | ISO 9001 | ISO 42001 | 🇪🇺 GDPR / 🇨🇭 nFADP |
|---|---|---|---|---|---|
| Data Security Controls | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| AI Model Governance | 🔷 Complementary | 🔷 Complementary | 🔷 Complementary | ✅ Strong | ⚪️ n/a |
| Business Continuity & Disaster Recovery | ✅ Strong | ✅ Strong | 🔷 Complementary | ⚪️ n/a | 🔷 Complementary |
| Financial Data Privacy | ✅ Strong | ✅ Strong | ⚪️ n/a | ⚪️ n/a | ✅ Strong |
| Risk Assessment | ✅ Strong | ✅ Strong | 🔷 Complementary | ⚪️ n/a | ✅ Strong |
| Third-Party Risk Mgmt | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| Access Controls | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| Audit Trails & Logging | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| Change Management | ✅ Strong | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary |
| AI Explainability | ⚪️ n/a | ⚪️ n/a | ⚪️ n/a | ✅ Strong | ⚪️ n/a |
| Data Retention & Disposal | 🔷 Complementary | ✅ Strong | 🔷 Complementary | ⚪️ n/a | ✅ Strong |
| Incident Response & Breach Notification | ✅ Strong | ✅ Strong | ⚪️ n/a | ⚪️ n/a | ✅ Strong |
| Data Classification | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |
| Asset Management | ✅ Strong | ✅ Strong | 🔷 Complementary | 🔷 Complementary | ✅ Strong |

Country Specific Requirements

While Unique operates as a technology provider rather than a regulated financial institution, we've intentionally designed our compliance framework to align with the regulatory requirements our financial services clients face. Although we don't fall directly under the authority of most financial regulators (such as the SEC, FCA, MAS, or FINMA), we've built our security standards, data protection protocols, and AI governance systems to meet or exceed these regulatory expectations. This proactive approach ensures that working with Unique presents minimal regulatory friction for banks and other financial institutions. Our comprehensive certifications (ISO 27001, ISO 9001, ISO 42001, and SOC 2 Type 2) serve as independent validation that our controls satisfy or even exceed the requirements financial regulators impose on our clients. The following matrices map our existing compliance frameworks to specific regulatory considerations in each of our key markets, to demonstrate how our purpose-built approach enables smooth collaboration with heavily regulated financial institutions worldwide.

🇺🇸 United States

| Regulatory Focus | Primary Certification | Explanation |
|---|---|---|
| SEC AI/ML Guidance | ISO 42001 | Focuses on transparency and risk controls. |
| OCC Third-Party Risk | SOC 2 Type 2 | Banking regulator requirements for managing technology vendor risks and ensuring proper due diligence. |
| Model Risk (SR 11-7) | ISO 42001 | Federal Reserve guidelines for model validation, requiring testing and documentation of AI models. |
| Bank Service Company Act | SOC 2 Type 2 | Requires banks to notify regulators about service providers; Unique supports their compliance obligations. |
| Gramm-Leach-Bliley Act (GLBA) | SOC 2 + ISO 27001 | Financial privacy law requiring protection of customer financial information and privacy notices. |
| NY SHIELD Act | ISO 27001 + GDPR compliance | New York's cybersecurity law requiring robust security programs and specific breach notifications. |
| US CLOUD Act | ISO 27001 + SOC 2 | Allows US authorities to request data stored on US servers, even if it belongs to non-US customers. |

🇬🇧 United Kingdom

| Regulatory Focus | Primary Certification | Explanation |
|---|---|---|
| Financial Services and Markets Act 2000 | ISO 27001 + ISO 42001 | The primary legislation for financial services regulation in the UK; FS firms must ensure technology solutions comply with their obligations under this Act. |
| FCA SYSC 8 | SOC 2 Type 2 | FCA rules governing how financial firms outsource critical functions to vendors like Unique. It focuses on operational resilience. |
| UK GDPR (Financial Data) | GDPR & nFADP compliance | UK version of GDPR with specific implications for handling financial customer data and ensuring proper consent. |
| FCA AI Transparency | ISO 42001 | FCA expectations for transparency in AI decision-making. |
| PRA Outsourcing | SOC 2 + ISO 27001 | Bank of England's Prudential Regulation Authority requirements for resilience of outsourced services. |
| PRA Rulebook | SOC 2 + ISO 27001 | Rules for prudential regulation of banks and insurers; impacts the operational resilience and third-party risk management requirements of FS firms. |

🇸🇬 Singapore

| Regulatory Focus | Primary Certification | Explanation |
|---|---|---|
| Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines | ISO 27001 + ISO 42001 | MAS's expectations for technology risk management; includes AI systems used by financial institutions. |
| MAS Fairness, Ethics, Accountability & Transparency (FEAT) Principles | ISO 42001 | MAS guidelines specifically for AI and data analytics in financial services; focuses on responsible AI use. |
| MAS Outsourcing Guidelines | SOC 2 Type 2 + ISO 27001 | Requirements for financial institutions when outsourcing technology services to third parties like us. |
| Banking Act (Third Party Outsourcing) | SOC 2 Type 2 | Requires banks to manage risks from technology service providers. |
| Singapore AI Governance Framework | ISO 42001 + AI Governance | National voluntary framework for responsible AI development; demonstrates ethical AI practices. |
| Personal Data Protection Act (PDPA) | GDPR Compliance + ISO 27001 | Singapore's data protection framework governing the collection, use, and disclosure of personal data; less stringent than GDPR but built on similar principles. |

Compliance

We are fully compliant with all major regulatory bodies in Switzerland, EU, UK, US, and Singapore.

Unique was built on the principles of Privacy by Design and Privacy by Default. Both principles are grounded in the revised Federal Act on Data Protection (nFADP), in force since 1 September 2023. The first requires developers to integrate the protection of and respect for users' privacy into the very structure of the products or services that collect personal data. The second ensures the highest level of security from the moment a product or service is released, by activating protection by default: all software, hardware, and services must be configured to protect data and respect the privacy of users (Art. 7 para. 1 FADP).

Read more about our Compliance Layer: Compliance Layer 2.0

 

FINMA

As Unique operates in the banking sector, we are under the authority of the Swiss Financial Market Supervisory Authority (FINMA) and therefore comply with the relevant circulars and other regulations at all times.

In particular, we have established verifiable internal controls to comply with security regulations and procedures. For each service, we agree on and apply suitable organisational and technical measures to protect data against unauthorised processing. This ensures data accessibility, confidentiality, safety, availability, and integrity.

For every FINMA-relevant, significant outsourced function, the inventory records a description of the outsourced function, its provider (including any sub-contractors), the recipient, and the responsible party.

Read the circular: FINMA Circular 2018/3

 

Furthermore, we have dedicated policies and procedures concerning the segregation of duties, risk management and internal controls.

Read the circular: FINMA Circular 2023/1

 


Author

@Daylan Araz
