The most private AI for advisers.
From encryption to access management, Obsidian enforces rigorous standards to keep your clients' data secure, private, and compliant.
GDPR
We operate under GDPR — the world's strictest standard for data privacy — ensuring your clients' data is handled with the highest level of care.
SOC 2 Type 2
We are working towards SOC 2 Type 2 certification to ensure secure and compliant management of data across all our systems.
ISO 27001
We are working towards ISO 27001, the internationally recognised standard for information security management.
ISO 22301
We are working towards ISO 22301 to ensure your data remains protected and accessible, even in the event of disruption.
Trusted data handling
One subprocessor for client data
All AI processing happens within Obsidian's own infrastructure. Unlike providers that route your data through multiple third-party services, we keep everything under one roof.
No meeting bot
Obsidian captures meetings through system audio on the adviser's own device. No bot joins the call, and no third party ever hears the conversation.
Built entirely in-house
Every part of our technology stack is built and operated by Obsidian. There is no third-party middleware, and your clients' data never leaves our controlled infrastructure.
Enterprise-grade security
Mandatory 2FA
Every user is required to authenticate with two factors on every login — a standard we enforce without exception.
Role-based access
Access to data is strictly controlled. Advisers, paraplanners, and administrators each see only the information relevant to their role.
Built by experts
Our engineering and security teams come from Revolut, BlackRock, JPMorgan, and Parmenion — organisations where data protection is not optional. That experience is embedded in every architectural decision we make.
Regular security audits
Encryption
All data is encrypted in transit using TLS 1.2 or higher, and at rest with AES-256 encryption. Sensitive fields such as meeting notes and emails receive additional field-level encryption.
Penetration testing
We take a proactive approach to security testing. An AI pen tester reviews every code change, weekly automated scans run across the platform, and an independent external pen test is conducted annually.
Hosting & residency
All data is hosted on AWS in the EU (London region), within Obsidian's own controlled infrastructure. Your data never leaves this environment.
Frequently asked questions
Protecting your clients' data is at the core of everything we build. All client data — meetings, transcripts, CRM records, and documents — is processed and stored within Obsidian's own AWS infrastructure. We use a single subprocessor for client data and do not route it through multiple third-party AI services.
No. Obsidian captures meetings through system audio on the adviser's own device. No bot joins the call, and clients never see a third party in their meeting. This approach means your conversations remain private by design.
No. Your clients' data is never used to train, fine-tune, or improve any AI models. Obsidian and its service providers do not use your data for model training. Data can be deleted upon request at any time.
No. All AI processing happens within Obsidian's own infrastructure. Model providers have no access to client data at any point.
All data is hosted on AWS in the EU (eu-west-2, London region). There is no third-party middleware involved, and no data leaves Obsidian's controlled environment.
Protecting your data is our top priority. All data is encrypted in transit using TLS 1.2 or higher, and at rest with AES-256 encryption. Sensitive fields such as meeting notes and emails receive additional field-level AES-256-GCM encryption for an extra layer of protection.
We take a proactive approach to security. An AI pen tester reviews every code change before it reaches production. Weekly automated penetration testing runs across the entire platform, and an independent external human penetration test is conducted annually.
For Obsidian's practice management platform, once your contract ends, all of your data — along with any dedicated storage resources associated with your account — is permanently deleted. Before this happens, you'll have the opportunity to request a full export of your data to ensure you retain everything you need. Where Obsidian Securities Limited acts as custodian under a triparty agreement, data is retained in accordance with regulatory obligations.
Transparency