Firmly provides built-in controls for SOC 2 Trust Services Criteria, specifically addressing the unique challenges of AI deployments in investment management. This guide covers how Firmly implements C1.2 (Confidential Information Disposal) and P5.1 (Data Retention) controls for your SOC 2 audit.
SOC 2 Compliance for Investment AI
The Challenge: AI in Investment Management Creates New Compliance Complexity
Traditional SOC 2 audits didn't anticipate AI systems that autonomously process, store, and generate investment data. When your investment AI assistants handle deal discussions, retrieve portfolio data, and generate analysis, you face questions your auditor may not have asked before:
- How do you prove what deal data an AI assistant accessed during an investment discussion?
- When a retention policy deletes investment conversations, how do you document that deletion?
- If an AI processes confidential deal information, how do you ensure proper disposal?
Firmly eliminates that uncertainty by building SOC 2 controls directly into the platform.
Trust Services Criteria Coverage
C1.2: Confidential Information Disposal
"The entity disposes of confidential information to meet the entity's objectives related to confidentiality."
Investment AI assistants process confidential information across multiple touchpoints: analyst queries, deal document retrieval, portfolio analysis, and research generation.
Automated Retention Enforcement
Firmly allows you to configure retention policies per firm and fund for:
- Investment conversations — AI-assisted discussions containing deal information
- Audit logs — Records of investment data access
- Deal documents — Term sheets, financial models, due diligence materials
Retention cleanup runs automatically. When data reaches its retention limit, it is securely deleted and the deletion is permanently documented for audit evidence.
Disposal Documentation
Every deletion generates a permanent record that your auditor can review to verify:
- Disposal occurred according to your documented policy
- No confidential data was retained beyond the defined period
- The disposal process is consistent and automated
P5.1: Data Retention
"The entity retains personal information consistent with the entity's objectives related to privacy."
Investment AI conversations frequently contain sensitive information—deal terms, portfolio positions, and investment theses. Firmly ensures this data is retained only as long as necessary while meeting regulatory and investor requirements.
Configurable Retention Periods
Set retention at the firm level for baseline policy, then override at the fund level for specific requirements. For example:
- Growth Equity Fund — Standard 7-year retention
- Venture Fund — 10-year retention (life of fund + 5 years)
- Co-Investment SPV — Custom retention per investor agreement
Legal Hold Integration
When retention policy conflicts with preservation requirements, legal holds take precedence. Data subject to SEC examination, investor litigation, or internal investigation is excluded from automated retention until the hold is released.
Retention Tracking
Each retention cleanup execution is logged, including counts of what was deleted, what was archived, and what was skipped due to legal holds. This provides explicit evidence that legal preservation requirements override automated retention.
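The retention model described in this section (firm-level baseline, fund-level override, legal holds taking precedence, and a logged count of what was deleted, archived and skipped), as an added Python example that is not Firmly's own code: the data model, the `add_years`, `run_retention_cleanup` and `demo` names, the "archive" disposal option and the sample funds and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
# Assumed data model for this example; not Firmly's own schema or API.
@dataclass(frozen=True)
class RetentionPolicy:
    years: int                 # retain this many years after creation
    disposal: str = "delete"   # "delete" or "archive" when the period lapses

@dataclass(frozen=True)
class Record:
    record_id: str
    fund: str
    kind: str                  # "conversation", "audit_log" or "deal_document"
    created: date

def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:         # 29 Feb rolling into a non-leap year
        return d.replace(year=d.year + years, day=28)

def run_retention_cleanup(records, firm_policy, fund_overrides, legal_holds, today):
    """One cleanup execution. legal_holds maps fund -> reason; returns the audit log."""
    log = {"run_date": today.isoformat(), "deleted": [], "archived": [], "skipped_legal_hold": []}
    for rec in records:
        policy = fund_overrides.get(rec.fund, firm_policy)   # fund override beats firm baseline
        if today < add_years(rec.created, policy.years):
            continue                                         # still inside retention period
        if rec.fund in legal_holds:                          # hold takes precedence over retention
            log["skipped_legal_hold"].append({"record_id": rec.record_id, "hold": legal_holds[rec.fund]})
            continue
        entry = {"record_id": rec.record_id, "fund": rec.fund, "kind": rec.kind,
                 "policy_years": policy.years, "disposed_on": today.isoformat()}
        log["archived" if policy.disposal == "archive" else "deleted"].append(entry)
    log["counts"] = {k: len(log[k]) for k in ("deleted", "archived", "skipped_legal_hold")}
    return log

def demo():
    """Constructed sample: 7-year firm baseline, 10-year archive override, one fund on hold."""
    firm = RetentionPolicy(years=7)
    overrides = {"Venture Fund": RetentionPolicy(years=10, disposal="archive")}
    holds = {"Co-Investment SPV": "investor litigation"}
    records = [
        Record("conv-1", "Growth Equity Fund", "conversation", date(2016, 3, 1)),  # expired
        Record("conv-2", "Growth Equity Fund", "conversation", date(2020, 3, 1)),  # still retained
        Record("doc-1", "Venture Fund", "deal_document", date(2013, 6, 30)),       # expired, archived
        Record("conv-3", "Co-Investment SPV", "conversation", date(2015, 1, 15)),  # expired but held
    ]
    return run_retention_cleanup(records, firm, overrides, holds, date(2024, 6, 1))
```

Running `demo()` yields one deletion, one archive and one record skipped for the hold, and the per-record entries in the log are the disposal evidence an auditor would export.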
Implementation Checklist
- Define retention policies aligned with SEC books and records requirements
- Configure fund-level overrides where investor agreements differ
- Document retention periods in your information security policy
- Establish process for creating legal holds when preservation is required
- Schedule regular review of retention history
- Export deletion records for audit evidence package
Related Documentation
- SEC Compliance - Investment-specific regulatory requirements
- Audit Trail - Tamper-evident logging
- Legal Holds - Preservation during investigations