Ocrolus Security, Compliance, & Privacy

Our Security, Compliance, and Privacy programs ensure that our customers can rely on Ocrolus to safely and securely make higher-quality lending decisions with AI-driven document automation.

Security at Ocrolus

Ocrolus maintains a security program designed to protect our customers’ data with industry best practices that cover all of our products, services, infrastructure, operations, and assets. Ocrolus follows security principles such as:

  • Architect and Design for Security
  • Favor Simplicity
  • Principle of Least Privilege
  • Separation of Duties
  • Need to Know
  • Defense in Depth
  • Encrypt Everything At Rest and In Transit
  • Secure Defaults
  • Secrets Management
  • Fail Securely
  • Do Not Trust Input

Product Security

Product Security is embedded into every step of our product-led engineering agile development process. We perform design reviews, code reviews, end-to-end pentesting, independent assessments, continuous vulnerability scanning, and more on all of our code and infrastructure to ensure that our products and services are secure and your data stays confidential. Contact your Customer Success Manager or Account Executive to learn more.

Security Operations

Security Operations monitors all activity on Ocrolus’ customer-facing products and infrastructure, as well as on all of Ocrolus’ enterprise and IT systems. Our Security Operations program ensures that any malicious or suspicious activity is investigated and resolved, so that your data stays secure from sophisticated and common adversaries alike. Contact your Customer Success Manager or Account Executive to learn more.

Threat Intelligence

Ocrolus is continuously monitoring for compromised credentials and targeted attacks that affect our customers. If we ever discover something that affects you, our Security team will reach out with the information and the recommended steps to remediate. Contact your Customer Success Manager or Account Executive to learn more.


Compliance at Ocrolus

Ocrolus’ Compliance program is designed to ensure that Ocrolus operates within the boundaries of applicable laws, regulations, and industry standards. Ocrolus’ Compliance program helps the company identify and manage risks and define effective, well-functioning controls to meet legal and regulatory requirements, protect sensitive data, and maintain the availability of our products and services for customers.


Ocrolus is certified for the following compliance standards and controls.

A SOC 2, Type II attestation tests controls relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2, Type II is intended to meet the needs of a broad range of customers that need detailed information and assurance about the controls of a service provider.

PCI DSS applies to any organization that processes, stores, or transmits cardholder data, including merchants, service providers, financial institutions, and other entities involved in the payment card ecosystem. PCI DSS compliance ensures the protection of cardholder data during processing.

Please reach out to your Customer Success Manager or Account Executive to receive a copy of Ocrolus’ current SOC 2 report.



Privacy at Ocrolus

Ocrolus has a dedicated Legal and Compliance team to ensure compliance with applicable data privacy laws and regulations across the Ocrolus organization. For more information, see the Privacy FAQ section below.

Ocrolus’ Privacy Program is supported by the people, processes, and technology necessary for protection of customer data in compliance with legal and contractual obligations. Some of the key activities implemented for compliance with privacy regulations are listed below.

Privacy Processes and Controls:

  • Ocrolus provides awareness sessions for all Ocrolus staff on their roles and responsibilities as they relate to privacy and protecting customer data.
  • Ocrolus updates company-wide mandatory security awareness training to include new consumer personal data protection laws and privacy laws.
  • Ocrolus defines and governs data privacy, security, and compliance roles and responsibilities.
  • Ocrolus has established privacy@ocrolus.com for both data subjects and Ocrolus customers to submit requests and exercise their rights.
  • Ocrolus retains competent outside counsel with extensive expertise in privacy and compliance issues to provide ongoing advisory services for legal and privacy compliance.
  • Ocrolus’ Master Service Agreement, as updated from time to time, specifically states that Ocrolus will comply with all applicable law (including relevant data privacy laws).
  • Ocrolus establishes and reviews written Data Processing Agreements with any sub-processors of customer data.
  • Ocrolus provides tailored written Data Processing Agreements (or standard contractual clauses) upon request to contracts@ocrolus.com to support customer compliance and validate the transfer of customer data.
  • Ocrolus updates and reviews the Ocrolus Privacy Policy and procedures for compliance with privacy laws, regulations, and principles.

Privacy FAQ

Ocrolus processes the following types of personal data:

  • Name
  • Date of Birth
  • Email
  • Address
  • Bank account number
  • Telephone number
  • Personal ID number
  • Financial transaction data
  • Any other information that might be contained in financial transaction data or any documents processed by the Ocrolus platform.

If you have any questions, please contact your Account Executive, Customer Success Manager, or email compliance@ocrolus.com.

All Personal Information processed by Ocrolus on behalf of its customers is stored by Ocrolus in the United States. Ocrolus does not store Personal Information outside of the United States. On request and as required by applicable law, Ocrolus enters into Data Processing Agreements with Standard Contractual Clauses (or other ad hoc contractual clauses) to provide an adequate level of protection for data transfers in accordance with data protection laws. If you have any questions, please contact your Account Executive, Customer Success Manager, or email compliance@ocrolus.com.

To request a copy of the Ocrolus standard Data Processing Addendum, please email contracts@ocrolus.com.

Yes. Please see the sub-processors page for a list of third parties that process Personal Information provided by Ocrolus customers.

Yes. Please submit requests to your Customer Success Manager, Account Executive, or privacy@ocrolus.com.

To view a copy of the current Ocrolus Privacy Policy, click here.

For more information about Compliance, Legal, or Security at Ocrolus please contact your Customer Success Manager, Account Executive, or email compliance@ocrolus.com.