Nuvint Intelligence Core — Trust Center

NIC is an adaptive, multi-tenant AI operating layer for community banks and credit unions. It turns loan documents, servicing data, and workflow events into explorable decision lineage, governed automation, citation-backed answers, examiner-ready compliance bundles, and closed-loop core-banking writeback. Nuvint Finance is Azure-first to meet bank and credit union vendor security expectations, while existing app.nuvint.ai access remains on AWS until explicit migration cutover.

This page is generated from the current NIC runtime configuration and is intended for institution vendor-risk teams, security reviewers, and procurement officers.

Last updated: 2026-07-13  |  Source: runtime_configuration

Which Trust Page to Use

nuvint.ai/trust

For website visitors, accelerators, partners, and investors who need a concise overview of Nuvint's security principles and AI governance stance.

finance.nuvint.ai/trust-center

For institution vendor-risk teams that need current product facts, runtime-backed controls, connector coverage, subprocessor details, and compliance roadmap status.

Conflict rule

Operational facts on this product trust profile are authoritative. Public website copy should summarize this page and avoid stronger claims than the runtime profile supports.

Cloud Infrastructure

Primary Cloud

Microsoft Azure — chosen specifically for compatibility with bank and credit union vendor security programs that prefer the Microsoft ecosystem.

Azure Primary
Finance Domain

finance.nuvint.ai — Azure Container Apps, Azure PostgreSQL Flexible Server, Azure Blob Storage, Azure AI Search, Azure Key Vault.

Edge Security

Azure Front Door Premium with Azure WAF (OWASP 3.2 ruleset). DDoS protection via Azure platform controls.

AI Inference

Azure OpenAI Service for tenant-scoped reasoning and embeddings, with citation-oriented guardrails and low-evidence suppression.

Secrets Management

Azure Key Vault with managed identity access. No hard-coded credentials anywhere in the deployment pipeline.

Identity

Microsoft Entra ID OIDC for enterprise SSO. Federated credentials for CI/CD — no long-lived secrets or PATs in GitHub Actions.

Security Controls

YesEncryption in transit (TLS)
YesEncryption at rest (AES-256)
YesMulti-tenant data isolation
YesRole-based access control (RBAC)
YesAudit logging
YesData retention policy engine
Azure Key VaultSecrets / KMS provider

Compliance Roadmap

SOC 2 Type IIn Progress
SOC 2 Type IIPlanned
ISO 27001Planned
Controls marked "In Progress" reflect active work. "Planned" indicates committed roadmap items. This profile does not itself constitute a certification.

Architecture Principles

YesMulti-tenant isolation
YesControl-plane / data-plane separation
YesEvidence-first design
YesGoverned hybrid RAG
YesCalibration-backed reasoning
YesPolicy-driven release gates

Product Capabilities

Evidence-native decision intelligencesupported

NIC turns loan files, memos, workflow events, and citations into traceable decision graphs instead of opaque AI summaries, reducing hallucination risk through source-grounded evidence and low-evidence suppression.

  • citation-backed search and chat
  • decision lineage graph
  • examiner pack decision samples
  • tenant-scoped evidence coverage scoring
AI-powered lending workflowssupported

NIC supports document intake, loan-file readiness, exception triage, decision memos, fraud signals, and core/LOS workflow handoffs as human-controlled decision support, not autonomous approval or denial.

  • loan-file overview and readiness
  • decision memo generation
  • loan exception management
  • core banking writeback approvals
Underwriting + compliance + auditabilitysupported

NIC keeps underwriting support tied to audit logs, adverse-action context, fair-lending analysis, model-risk packaging, and evidence exports.

  • underwriting exception and condition tracking
  • adverse-action and fair-lending summaries
  • audit export packs
  • daily audit hash-chain verification
Real-time insights for credit unionssupported

NIC surfaces tenant-scoped operational, connector, quality, exception, and pipeline signals for lending teams and credit-union operators.

  • pipeline bottleneck insights
  • connector health and reconciliation reporting
  • ops queue telemetry
  • core provider mappings for Jack Henry, Symitar, Fiserv, Corelation, and CU Answers
Governance + metric lineage + explainabilitysupported

NIC exposes guardrail state, calibration thresholds, metric lineage, model inventory, release gates, and explainability artifacts for governed AI operations.

  • guardrail contract signals
  • tenant calibration thresholds
  • metric and decision lineage
  • AI governance release gates
Closed-loop learning for lending teamssupported

NIC captures reviewer feedback, adjudications, quality drift, adaptive candidates, and policy-routed follow-up so lending operations can improve with controls intact.

  • reviewer feedback backlog
  • phase 2 row adjudications
  • quality drift follow-up routing
  • adaptive policy candidate review

Operational Assurance

YesEnterprise OIDC SSO (Microsoft Entra ID)
YesSAML SSO
YesSCIM provisioning
YesAccess review workflows
YesAuth operations alerting
YesEnvironment drift checks
YesExaminer access credentials
YesDecision Lineage Graph
YesExaminer Pack Bundle (NCUA/OCC/FDIC)
YesTenant quality filters
YesLineage suppression follow-up
YesRelease-gate policy automation
YesLOS soak gate closed

AI Evidence Surfaces

decision_lineage_graph

Traces the full evidence chain from decision memos through conditions, exceptions, fraud signals, documents, and loan profiles with audit trail overlay, coverage scoring, calibration-backed thresholds, and low-evidence suppression.

examiner_pack_bundle

One-click NCUA/OCC/FDIC/State-DFI exam artifacts with regulator-specific section requirements, readiness scoring, decision lineage samples, guardrail state, and fraud signal summaries.

fair_lending_monitor

Denial-rate dashboards, protected-class slices, matched-pair analysis, exception-override bias checks, and investigation/attestation workflows.

model_risk_packaging

SR 11-7 model cards, challenger comparisons, backtesting evidence, validation-report packaging, and approval/signoff lifecycle.

compliance_workboard

Cross-surface governance timeline with fair-lending reviews, adverse-action queue pressure, HMDA/CRA posture, and model-risk review status.

Governed RAG Guardrails

Guardrail contractYes
States

ready · needs_review · suppressed

Applied to surfaces

search, chat, phase2_evaluations, decision_lineage_graph, audit_evidence_bundles, examiner_pack_bundle

Signals emitted

evidence_quality, guardrail_state, suppressed, suppression_reason, gate_passed, calibration

Governance Automation

YesQuality drift follow-up routing
YesLineage suppression follow-up
YesRelease gate auto-approve
YesRelease gate auto-hold
YesRelease gate auto-route
YesRelease gate auto-request review
YesTenant-scope quality filters

Core Banking & LOS Connectors

Core banking providers
  • jack_henry
  • symitar
  • fiserv
  • corelation
  • cu_answers
Connector capabilities
  • writeback
  • ingest
  • snapshot_sync
  • field_alias_mapping
Writeback modes
  • dry_run
  • approval_required
  • direct
LOS providers
  • encompass
  • ncino
  • empower
  • meridianlink
  • mcp
  • calyx
  • lendingpad
All core-banking providers support full ingest pipelines (snapshot sync, canonical mapping, field aliases) and production writeback (dry-run, approval-gated, direct) with idempotency, retry, and error mapping.

Data Handling

Data residency

eastus

Data deletion SLA

30 days from request

Retention policy configurableYes
Tenant-scoped storageYes

Access Control

Roles

admin, member, viewer, auditor, platform_admin

UI modes (view separation)

admin, business, auditor

Least privilege guidanceYes
Examiner access credentialsYes

Audit mode is a UI posture. Examination access uses scoped, expiring bearer credentials issued through /v1/admin/tenants/{tenant_id}/examiner-access-credentials.

Audit event: examiner.access_credential.created
Examiner read-only surfaces
  • /v1/audit
  • /v1/audit/export-pack
  • /v1/audit/hash-chain/daily/verify

Incident Response

Detection

Operational alerts, connector failures, and audit anomaly signals.

Response

Containment, investigation, remediation, access review, and tenant impact review.

Notification

Customer communication based on severity and contractual obligations.

Vendor Risk FAQ

Do you support enterprise SSO?configured

Enterprise OIDC and SAML SSO are supported, with tenant-scoped role mapping and manual-role preservation controls.

Do you support SCIM provisioning?Yes

Tenant-scoped SCIM user and group provisioning is supported for enterprise onboarding and lifecycle management.

Do you have audit logs?Yes

Tenant-scoped audit logs capture access, ingestion, governance, workflow, auth-operations, examiner credential issuance, and export-pack activity.

Is auditor mode the same as examiner access credentials?Yes

No. Auditor mode is a read-only UI and route-access posture. Examiner access credentials are separately issued, short-lived bearer credentials tied to an auditor user, purpose-tagged for examination access, and logged with examiner.access_credential.created.

Do you support data residency?Yes

Deployment region is configured as 'eastus'.

Do you encrypt data at rest?Yes

Data at rest uses platform-managed encryption controls.

Which cloud providers do you run on today?Azure Primary

Nuvint Finance is Azure-first on Microsoft Azure. Existing app.nuvint.ai production access remains on AWS during the migration period until explicit cutover approval.

How is AI inference handled?Yes

AI inference is designed around Azure OpenAI Service with tenant-scoped retrieval context, citations, and guardrail states. NIC suppresses or routes low-evidence outputs to review rather than presenting unsupported answers as ready evidence.

Data Flow Summary

sourceingest

documents, transcripts, metadata

ingeststore

parsed text, chunks, audit metadata

storereason

tenant-scoped retrieval context

reasonui

answers, citations, exports

Subprocessors

Microsoft Azureactive

Container runtime, PostgreSQL, Blob Storage, AI Search, Key Vault, Front Door, WAF, and monitoring

Primary cloud platform for Nuvint Finance services and tenant-scoped persistence.Region: East US primary deployment; regional deployment is tenant-configurable
Azure OpenAI Service (Microsoft)active

Model inference and embeddings

Evidence-grounded reasoning, summarization, and document indexing where enabled by tenant policy.Region: Azure tenant deployment region
GitHubactive

Source control and CI/CD

Repository hosting, build, test, and deployment workflow metadata.Region: Provider-managed

Vendor Questionnaire Accelerators

SIG Lite Pre-Answers

SIG-LITE-001ready
How do you isolate customer data?

Tenant-scoped isolation is enforced across retrieval, storage, and audit boundaries.

SIG-LITE-002ready
Do you provide audit logging and evidentiary exports?

Yes. Tenant-scoped audit trails and export packs are available for compliance workflows.

SIG-LITE-003ready
What are your encryption controls?

Encryption is enabled in transit and at rest with environment-configured key management.

CAIQ Mapping

AIS-01SIG-LITE-001

Application & Interface Security

mapped
LOG-01SIG-LITE-002

Logging & Monitoring

mapped
EKM-03SIG-LITE-003

Encryption & Key Management

mapped

Reference Links

Attestation

This profile is configuration-derived and does not itself certify external compliance.