Your pipeline. Your reputation.
Locked down.
Your borrower's trust is your pipeline. LoanIQ treats every row in the database like a borrower is looking over your shoulder — because that's what your job depends on.
Six load-bearing controls.
Per-user data isolation
Every scenario, client, and comparison is gated by Firestore security rules keyed to your user ID. Another LO cannot read your data even if they know the document path. This is enforced server-side, not at the UI layer.
Encryption in transit & at rest
TLS 1.3 for every request. At rest, data is encrypted with Google-managed AES-256 keys (Firebase / Cloud Storage default). Pinecone and Stripe apply the same standard. Nothing unencrypted touches disk.
Your data is never used for AI training
Anthropic does not train on data sent through the API. LoanIQ does not log or store borrower inputs beyond what's required to render your current session. Your scenarios, files, and chat history are yours.
AI governance — Fannie Mae LL-2026-04
Lola operates under a written AI governance policy modeled on Fannie Mae Lender Letter LL-2026-04. Every assistant response carries a confidence score and must cite retrieved guideline context. No hallucinated guidelines.
Shared links are snapshots, not live data
Borrower-facing Loan Comparison links load from a signed snapshot document — not your live scenario. Borrowers can't traverse from a share link back into your pipeline. Snapshots expire on demand.
PCI — handled by Stripe
LoanIQ never touches payment card data. Billing goes directly to Stripe Checkout and the Stripe Customer Portal, both PCI-DSS Level 1 certified. Your card number is not in our database.
Our subprocessors are audited so we don't have to reinvent it.
LoanIQ runs on Google Cloud (Firebase) with Anthropic for AI, Pinecone for vector search, and Stripe for billing. Each carries independently audited compliance.
Google Cloud / Firebase
SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, HIPAA-eligible, FedRAMP High.
Anthropic
SOC 2 Type II, zero-retention enterprise option, no training on API data by default.
Pinecone
SOC 2 Type II, ISO 27001. Deployed on AWS with VPC isolation.
Stripe
PCI-DSS Level 1, SOC 1, SOC 2 Type II, ISO 27001. All card data tokenized.
Security, answered.
Is LoanIQ SOC 2 certified?
LoanIQ as an application is not independently SOC 2 certified yet — that's a roadmap item. However, our full infrastructure stack (Firebase / Google Cloud, Anthropic, Pinecone, Stripe) is SOC 2 Type II audited, which covers the material data-handling surface.
For enterprise deals that require a formal attestation, reach out — we can share subprocessor reports and our internal security posture documentation on NDA.
Where is my data stored?
Firestore primary region is us-central1 (Iowa). Cloud Storage for borrower branding assets in the same region. Pinecone index is in AWS us-east-1. All subprocessors comply with US data residency.
If your deployment requires EU data residency, let us know — a dual-region option is on the roadmap.
How long is my data retained?
Active account data is retained as long as your subscription is active. On cancellation, we retain data for 90 days in case you reactivate, then it is permanently deleted. Export tools are available on request — you can pull all your scenarios and clients out as JSON anytime.
What happens if there's a breach?
We maintain an incident response protocol that includes 72-hour notification for any event affecting your data, forensic review, and regulatory reporting where applicable (ECOA, state breach-notification laws). No breaches to report to date.
Does Lola train on my borrower's data?
No. Anthropic's API does not train on API-supplied data by default, and LoanIQ does not operate any training infrastructure of its own. Your scenarios, files, and chat inputs are not ingested into any model.
What we do index in Pinecone is published lender/agency/investor guideline content (Fannie Mae Selling Guide, FHA Handbook, non-QM lender matrices, etc.). That's public mortgage reference material — not borrower data.
Can I request deletion of my borrower's data?
Yes. Under CCPA and similar state laws, borrowers (or LOs on their behalf) can request deletion of specific client records. Email austen@austensmith.com with the client name and we'll confirm deletion in writing within 30 days.
Still have security concerns?
Every LoanIQ team has a direct line to Austen. No ticket queue.