- Trust & Security

Calm with your data.

You are giving us a complete view of your financial life. We take that seriously. Your data lives in encrypted UK storage, we never see your credentials, we never sell, share, or train on your numbers, and we draw a clean FCA line on every answer.

- Your data

Where it lives.
Who can see it.

Encrypted at rest in UK datacentres. Encrypted in transit. Access scoped per user, audited, and logged. Phase 1 ingestion is via files you upload to us (CSV / scan / manual) - we don't yet hold any live bank connection. Phase 2 Open Banking (2027 H1) will use an FCA-authorised AISP - read-only, bank-grade, never holding your bank passwords or card details.

UK data residency

Your data stays in UK datacentres. No cross-border transfers without explicit consent.

Encryption at rest + in transit

AES-256 at rest. TLS 1.3 in transit. Per-user keys for sensitive fields.

No credential storage

Phase 1 uses files you upload - no bank credentials touched at all. Phase 2 Open Banking will use the bank's own consent flow via an FCA-authorised AISP. We never hold your bank passwords or card details.

No data sale or share

We don't sell or share your data with anyone. Not advertisers, not data brokers, not anyone.

No AI training on your data

Your numbers are not used to train any model. Period.

Delete on request

One click. Full export then full deletion. We confirm in writing within 24 hours.

- The FCA boundary

What we say. What we won't.

Sonuswealth is operated by MBKR Limited. We provide information and guidance to help you understand your own financial picture. We are not authorised by the Financial Conduct Authority and we do not give regulated financial advice. Every Ask reply, every Decision Engine output, every Risk note shows the rule, the source, the assumption and the consequence — never a recommendation. If you need a personal recommendation about a specific product or transaction, find an authorised adviser on the FCA Register at register.fca.org.uk.

FCA status

Not regulated, by design. We are not FCA-authorised because we don't give regulated advice, hold money, or execute trades. The boundary is permanent — not a phase we're growing out of.

Open Banking

Phase 2 — 2027 H1 — via FCA-authorised AISP. Phase 1 ingestion is via uploads (no live bank connection). Phase 2 will add Open Banking via an FCA-authorised AISP partner — bank-grade, read-only.

- Standards & audit

The certifications we hold and the ones we're working towards.

We don't market certifications we don't have. Here's where we are today and what we're working towards - dated, honest, updated as we move.

GDPR + UK GDPR

Fully compliant. ICO-registered data controller. DPA in place with every sub-processor.

Open Banking AISP - Phase 2

Phase 2 (2027 H1). Via FCA-authorised AISP partner. PSD2-compliant rails. Read-only access, bank-grade. Phase 1 has no live bank connection - only uploads.

ISO 27001 - in progress

Information Security Management certification. Target audit: 2026 H2.

SOC 2 Type II - planned

For practice-mode partners (firms). Scoped for 2027.

Quarterly penetration testing

Independent third-party pen-test every quarter. Reports published in summary.

Cyber Essentials Plus

UK NCSC certification scoped. Target completion: end of 2026.

- Found something

Security disclosure.

Found a security issue? We will respond within one business day. Write to hello@sonuswealth.com. We follow responsible-disclosure conventions and credit reporters publicly with their permission.

Response time

One business day for acknowledgement. Triage and fix timeline disclosed within five.

Scope

Production endpoints, customer-data handling, file-upload + OCR pipelines, auth flows. Open Banking integrations added to scope from Phase 2.

Out of scope

Marketing site, third-party rate-limits, theoretical attacks without working PoC.

Recognition

Public credit on this page, with your permission. Bug-bounty program in 2026.

- Trust principles

The promises, written down.

Six commitments. Permanent. In the company's articles and the architecture.

01 - Not a broker.

We will never execute trades for you. We will never hold your money.

02 - Not an adviser.

We will never give regulated advice. The FCA boundary is permanent.

03 - Not a marketplace.

We will never sell you a pension, ISA, mortgage, or insurance. No referral fees, ever.

04 - Not a data business.

Your numbers are yours. We don't sell, share, or train on them.

05 - Not a black box.

Every number, projection, and score is tappable. Every calculation visible.

06 - Not a chatbot wrapper.

Ask is an answer engine built on your numbers - not a generic LLM with a finance prompt.

Comfortable? Join the waitlist.

v0.4 site