
Premora for Credit Unions

Credit unions hold member financial data under some of the most developed supervisory guidance in U.S. financial services. Premora’s on-prem, single-tenant, ACL-preserving architecture exists largely to satisfy that environment: member-adjacent operational knowledge stays inside your perimeter, source permissions follow it everywhere, and every access is attributable.

:::warning This is product guidance, not legal advice

Premora supports — and can be configured to support — the control expectations below. Your legal, risk, compliance, and infosec teams own the final compliance determination. Premora does not yet hold formal certifications (SOC 2 Type II is on the roadmap); for an on-prem product, certification covers Premora’s corporate/SDLC controls and the product’s control design, not a SaaS environment holding your data.

:::

Regulations that apply

| Regulation / guidance | What it expects | How Premora supports it |
| --- | --- | --- |
| GLBA Safeguards Rule | A written information security program; access control and encryption protecting member data. | On-prem single-tenant deployment, ACL projection end to end, encryption in transit and at rest, field-level suppression, and audit trails. |
| Regulation P (Privacy of Consumer Financial Information) | Limits on how nonpublic personal information (NPI) is handled and disclosed to nonaffiliated third parties; notice/opt-out. | Egress control (no external model or connector call without explicit policy), redaction before any external model call, and lineage showing where NPI was sourced and where it flowed. |
| NCUA cybersecurity & board-oversight guidance | Board-approved security governance reviewed at least annually; incident response and evidence preservation; third-party due diligence. | A reviewable control narrative, immutable raw sources + lineage for evidence, and a control-evidence package for vendor due diligence. |
| FFIEC Information Security guidance | Risk-based information security, change management, and secure development. | Signed, versioned release artifacts, least-privilege access, and the single hardened front door. |
| CCPA / CPRA | Consumer privacy rights for personal data outside the GLBA carve-out. | On-prem single-tenant keeps Premora out of processing your data on its own infrastructure; retention tags, legal-hold, and deletion workflows; lineage to locate a given data element. |
| AI governance (NCUA AI diligence) | Model risk, fair-lending impact, transparency, attributability, vendor monitoring. | External model providers can be disabled entirely; model allowlists / route policy; every prompt and output is attributable; write-back requires stronger approval than read; private on-prem inference. |

How regulation maps to Premora controls

  • Data residency & sovereignty — on-prem single-tenant with controllable egress. One deployment serves one credit union; nothing is shared cross-customer.
  • Financial privacy (GLBA / Reg P / CCPA) — egress control, redaction before any external model call, NPI lineage, and field-level suppression.
  • Access control — ACL projection from the source system, least privilege, and permanent break-glass admin so a broken IdP can’t lock you out.
  • Records & evidence — immutable raw sources, lineage on every materialized fact, and audit trails for admin actions, connector changes, query execution, and policy overrides.
  • Resilience — a core read-path boundary with degraded modes, so a single upstream source outage does not take down knowledge access.

For a credit-union deployment, configure Premora to:

  1. Deploy on-prem or air-gapped (connected pull, internal registry, or USB) — see Installation.
  2. Disable external model providers (or restrict to an approved allowlist) and run private inference so member data never leaves the perimeter.
  3. Enforce SSO with your IdP and map admin access to a designated group, keeping the local break-glass admin in your secret store — see Identity & SSO.
  4. Require delegated-connection approval and verify ACL behavior after each source’s first sync.
  5. Retain the control-evidence package for NCUA/FFIEC examiners and third-party risk reviews.
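As an added illustration of step 2 and the Reg P / AI-governance rows above, the following is example code written for this page, not Premora’s own: it gates one prompt against a route policy (external providers disabled, or restricted to an allowlist), redacts NPI before anything leaves the perimeter, and writes an attributable audit record for every decision. The policy fields, provider names, and NPI patterns are assumptions for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

# Hypothetical policy shape for illustration, not Premora's actual configuration format.
@dataclass(frozen=True)
class RoutePolicy:
    external_enabled: bool = False                 # False = external providers disabled
    allowlist: frozenset = frozenset()             # approved external providers, if enabled
    private_providers: frozenset = frozenset({"onprem-inference"})  # inside the perimeter

# Constructed NPI patterns; a real deployment would key off source field-level tags.
NPI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MEMBER_NO": re.compile(r"\b\d{10,12}\b"),
}

def redact_npi(text: str):
    """Replace each NPI match with a typed placeholder; return (text, counts_by_type)."""
    counts = {}
    for label, pattern in NPI_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts

def route_prompt(policy: RoutePolicy, provider: str, prompt: str, actor: str, audit: list):
    """Gate one prompt; return (decision, outbound_text or None) and append an audit record."""
    redacted = {}
    if provider in policy.private_providers:
        decision, outbound = "allow-private", prompt       # never leaves the perimeter
    elif not policy.external_enabled:
        decision, outbound = "deny-external-disabled", None
    elif provider not in policy.allowlist:
        decision, outbound = "deny-not-allowlisted", None
    else:
        outbound, redacted = redact_npi(prompt)            # redact before any external call
        decision = "allow-external-redacted"
    audit.append({
        "actor": actor,
        "provider": provider,
        "decision": decision,
        "redacted": redacted,
        # Hash rather than raw prompt so the audit trail itself does not hold NPI.
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
    })
    return decision, outbound
```

Denied calls still produce an audit record, so an examiner can see attempted external routing as well as completed calls.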

Reference