Trust and security at ACM Global Tech
Security your examiners can evidence, not just hear about
ACM Global Tech is regulated-first, white-label banking technology built for institutions under scrutiny. This center sets out how we protect data: post-quantum cryptography, controls mapped to recognized frameworks, data residency options, resilience, and a responsible-disclosure process. Every claim here is meant to be defensible under review.
Cryptography engineered into the foundation
Security that is added after the fact is the security that fails a review. ACM builds protection into the platform, with post-quantum cryptography as a default rather than an upgrade you plan for later.
Post-quantum cryptography
NIST-aligned post-quantum algorithms protect long-lived records against "harvest now, decrypt later" attacks, where data captured today could be decrypted once quantum hardware matures.
Encryption in transit and at rest
Data is encrypted as it moves and where it is stored, so confidentiality is preserved across the path from device to settlement and in persistent storage.
Crypto-agility
Cryptographic primitives are abstracted from the application layer so algorithms can be rotated as standards evolve, without rebuilding the systems that depend on them.
Least-privilege access
Role-based access controls and segregation of duties limit who can reach sensitive data and functions, reducing the blast radius of any single compromised account.
Secure SDLC
Security is part of how software is built, with review and controls across the development lifecycle rather than checks bolted on before release.
Non-custodial options
Where it fits your model, segregation and non-custodial arrangements keep control of assets and keys aligned with your risk posture and regulatory obligations.
For the full technical treatment of quantum readiness, see our post-quantum security capability and our cybersecurity and fraud solution.
Designed to support the frameworks you answer to
ACM is a technology provider, not a bank or insured depository institution. We do not assert certifications we do not hold. Instead, our controls are mapped to recognized frameworks so you and your examiners can assess them directly.
- Architected to support SOC 2: control objectives for security, availability, and confidentiality are designed in so they can be evidenced during an audit or examination.
- Designed to support ISO 27001: information-security management practices are mapped to the standard's control set rather than claimed as a certification.
- Built for PCI-DSS requirements: where payment-card data is in scope, controls are aligned to PCI-DSS expectations and documented for review.
- Controls mapped to recognized frameworks: a single set of controls is traced to the standards your jurisdiction requires, reducing duplicated effort across audits.
- Audit-friendly evidence: audit trails, reporting, and documentation are produced so examiners can trace a control from policy to operation.
- Broader frameworks, on demand: beyond SOC 2, ISO 27001, and PCI-DSS, the same control set is mapped to the additional regimes an engagement requires — GLBA and FFIEC guidance for banks, NYDFS Part 500, HIPAA / HITECH for healthcare data, GDPR and CCPA for privacy, and MiCA and travel-rule expectations for tokenized assets — scoped and confirmed per jurisdiction during onboarding rather than asserted up front.
Where a formal attestation is required for a specific engagement, contact our team and we will share the current status and supporting documentation under appropriate terms.
Your data, governed by your obligations
Banking and healthcare data carries long retention and strict handling requirements. ACM is built so you can keep that data where your regulators expect and limit who can reach it.
Data residency options
Customer data can be processed and stored in the regions your obligations require, with specific residency arrangements confirmed per engagement.
Access governance
Least-privilege, role-based controls and segregation of duties restrict access to sensitive data, with activity recorded for review.
Protect long-lived records first
Identity records, loan files, and settlement instructions, the data that stays sensitive for years, are prioritized for the strongest protection.
White-label and client-owned
Data and the experience run under your brand, keeping ownership and control with the institution rather than a third party.
Built to keep operating, and to recover
We describe our approach to resilience here rather than a contractual figure; availability and recovery commitments are defined in the agreement for each engagement.
- Monitoring: systems and security signals are monitored so anomalies and degradations are surfaced rather than discovered after the fact.
- Incident response: defined processes to detect, contain, and respond to incidents, including intrusion and ransomware scenarios.
- Recovery planning: backup and recovery practices are designed to restore service and data with the objectives agreed for your deployment.
- Phased change: our Agile Speed Framework delivers in reviewable increments, reducing the risk of disruptive cutovers.
- Operational continuity: changes are designed to phase in without re-platforming your existing core, so protection improves without halting daily operations.
For help with an active issue or an operational question, see support.
Report a vulnerability
ACM operates a responsible-disclosure process. If you believe you have found a security issue, we want to hear from you.
- How to report: email security@acmglobaltech.com with details and any reproduction steps.
- What we do: we acknowledge the report, investigate, and coordinate remediation with you.
- What we ask: avoid accessing or modifying customer data, and allow reasonable time to remediate before any public disclosure.
- Good-faith research: we treat good-faith reports as a contribution to the security of the institutions we serve.
Put our controls in front of your examiners
Request the ACM security overview and walk through our architecture, framework mappings, data residency, and resilience approach with the people who built them.
Talk to our security team
Frequently asked questions
Is ACM SOC 2 certified?
ACM does not claim a SOC 2 certification on this page. Our platform is architected to support SOC 2 control objectives, and our processes and controls are mapped to recognized frameworks so they can be evidenced during an examination or audit. Where a formal attestation is required for a specific engagement, contact us and we will share the current status and supporting documentation under appropriate terms.
Does ACM hold ISO 27001, PCI-DSS, or FedRAMP authorization?
We describe ACM as designed to support ISO 27001, PCI-DSS, and similar requirements rather than asserting a specific certification or authorization. Controls are mapped to these frameworks so institutions and examiners can assess them directly. ACM is a technology provider and is not itself a bank or insured depository institution.
What is post-quantum cryptography and why does ACM use it?
Post-quantum cryptography uses algorithms designed to resist attacks from future quantum computers. ACM builds it in to protect long-lived financial records against "harvest now, decrypt later" attacks, where data captured today could be decrypted once quantum hardware matures. See our post-quantum security capability for the technical approach.
How does ACM protect data in transit and at rest?
ACM encrypts data in transit and at rest, applies least-privilege and role-based access controls, and supports segregation of duties and non-custodial options where they fit your model. Cryptography is designed for crypto-agility so algorithms can be rotated as standards evolve.
Can ACM keep our data in a specific country or region?
ACM supports data residency options so customer data can be processed and stored in the regions your obligations require. Specific residency, retention, and processing arrangements are confirmed per engagement based on your jurisdiction and regulatory requirements.
How do I report a security vulnerability to ACM?
Email security@acmglobaltech.com with the details and any reproduction steps. ACM operates a responsible-disclosure process: we acknowledge reports, investigate, and coordinate remediation. We ask researchers to avoid accessing or modifying customer data and to allow reasonable time to remediate before public disclosure.