Banking & insurance

AI DLP for banks and insurers, DORA-ready by default

ZeusLock stops sensitive client data, market-moving information and source code from leaking to ChatGPT, Claude and Gemini — while producing the DORA ICT third-party register entries, NIS2 incident logs and EBA outsourcing documentation your supervisory authority asks for.

Challenges we solve

Insiders pasting client data into ChatGPT

Account numbers, IBANs, SWIFT codes, transaction histories, all pasted into AI assistants for a "summary" or "code help". Once sent, the data sits in the model provider's logs, outside your own retention and deletion controls.

Source code IP leaking to Copilot/Cursor

Trading algorithms, risk models, fraud-detection rules. A single pasted snippet is retained by the provider and, depending on the tier and settings in use, may be used to train an external model, weakening your competitive moat.

DORA ICT third-party risk register

Article 28 of DORA requires you to maintain a register of information on every ICT third-party service provider that processes data on your behalf. An unsupervised ChatGPT habit creates undocumented third-party exposure that your ICT risk function has to report on.

EBA outsourcing notification

The EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) require you to notify the competent authority before outsourcing a "critical or important" function. AI-assisted code review on production trading code falls in scope once your data leaves the bank.

What ZeusLock ships for you

Pre-built financial detectors

IBAN (all 75 SEPA + non-SEPA formats), BIC/SWIFT, ISIN, LEI, CUSIP, French SIRET/SIREN, EU VAT, customer reference numbers (configurable patterns).

Market-sensitive language flagging

Detects M&A code-names, earnings-pre-release language patterns and trade names you configure as "do not send". Configurable per desk.

Block mode for trading floor

Two modes per group: Alert (warn the user and anonymise the prompt) for general staff, Block (redact without warning) for the trading floor, compliance and risk teams.
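To show what the pre-built financial detectors and the redaction step above actually involve, here is an added example (not ZeusLock code, and not part of the original page) that validates IBAN, LEI and ISIN candidates by their check digits before treating them as findings, then redacts them. The point for a practitioner: a regex alone flags any 22-character string that looks like an IBAN, whereas the ISO 13616 mod-97 check (IBAN), the ISO 7064 mod 97-10 check (LEI) and the Luhn check (ISIN) reject look-alikes and typos. The sample paste, the field names and the bracketed redaction format are all assumptions made for this example.

```python
"""Checksum-validated detectors for financial identifiers, plus redaction.

Added example, not ZeusLock code. Demonstrates why a DLP detector for IBAN,
LEI or ISIN should verify check digits rather than trust the regex alone.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "IBAN", "LEI" or "ISIN"
    value: str   # normalised identifier (spaces removed)
    start: int   # span in the original text
    end: int


def _alnum_to_digits(s: str) -> str:
    """Map A..Z to 10..35 as ISO 7064 / ISO 13616 prescribe; digits pass through."""
    return "".join(str(ord(c) - 55) if c.isalpha() else c for c in s)


def _mod97(digits: str) -> int:
    """Streaming mod 97 so a 30-digit number never has to be built as an int."""
    r = 0
    for d in digits:
        r = (r * 10 + int(d)) % 97
    return r


def iban_is_valid(iban: str) -> bool:
    """ISO 13616: move the first four characters to the end, then mod 97 must be 1."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    return _mod97(_alnum_to_digits(s[4:] + s[:4])) == 1


def lei_is_valid(lei: str) -> bool:
    """ISO 7064 mod 97-10 over the whole 20-character LEI; remainder must be 1."""
    s = lei.upper()
    return len(s) == 20 and s.isalnum() and _mod97(_alnum_to_digits(s)) == 1


def isin_is_valid(isin: str) -> bool:
    """Luhn check over the digit expansion of the 12-character ISIN (check digit included)."""
    s = isin.upper()
    if len(s) != 12 or not s[:2].isalpha() or not s[-1].isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(_alnum_to_digits(s))):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


# (kind, candidate regex, validator). Longer formats first so an IBAN is never
# reported piecemeal as something shorter. Grouped IBANs ("GB82 WEST ...") are allowed.
DETECTORS = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,3})?\b"), iban_is_valid),
    ("LEI", re.compile(r"\b[A-Z0-9]{18}\d{2}\b"), lei_is_valid),
    ("ISIN", re.compile(r"\b[A-Z]{2}[A-Z0-9]{9}\d\b"), isin_is_valid),
]


def scan_text(text: str) -> list[Finding]:
    """Return checksum-validated findings; a span already claimed is not re-reported."""
    findings: list[Finding] = []
    for kind, pattern, valid in DETECTORS:
        for m in pattern.finditer(text):
            if any(m.start() < f.end and f.start < m.end() for f in findings):
                continue
            token = m.group(0).replace(" ", "")
            if valid(token):   # regex hit alone is not enough
                findings.append(Finding(kind, token, m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with its type and last four characters (the user can still recognise it)."""
    out, pos = [], 0
    for f in findings:            # sorted and non-overlapping
        out.append(text[pos:f.start])
        out.append(f"[{f.kind} ****{f.value[-4:]}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample paste (the IBAN and ISIN are published test/reference values,
# not client data). The second IBAN has a wrong check digit; the ticket ref is an
# ISIN look-alike. Both should be ignored.
SAMPLE_PASTE = (
    "Please summarise: client GB82 WEST 1234 5698 7654 32 (LEI 5493001KJTIIGC8Y1R12) "
    "bought US0378331005; counterparty IBAN GB82 WEST 1234 5698 7654 33 looks wrong; "
    "ticket ref XY12ABCD1234 is an internal id."
)

if __name__ == "__main__":
    hits = scan_text(SAMPLE_PASTE)
    for h in hits:
        print(h.kind, h.value)
    print(redact(SAMPLE_PASTE, hits))
```

The trade-off to keep in mind: checksum validation cuts false positives sharply, but it also means a genuinely sensitive identifier that a user mistyped will pass through. For identifiers with no check digit (BIC/SWIFT, most customer reference numbers) the page's "configurable patterns" have to carry that load with context rules instead.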

DORA register feed

Every detection generates a DORA-aligned event with mapped third-party ICT identifier. Export to your GRC tool (ServiceNow, RSA Archer, OneTrust) via webhook or CSV.

On-premise Sovereign Edition

For systemic banks and tier-1 insurers — full on-premise deployment, no US cloud dependency, no CLOUD Act exposure.

Auditor-friendly evidence pack

One-click export: detection rules in effect, sample evidence, retention policy, sub-processor list. ACPR / Banque de France / BaFin / DNB-ready.

Why CISOs at European banks choose ZeusLock

  • EU-hosted by default (AWS Paris region), so the SaaS tier needs no cross-border data transfer.
  • On-premise Sovereign Edition for systemic and tier-1 institutions.
  • DORA Article 28 register entries auto-generated.
  • BaFin / ACPR / DNB / Banca d'Italia evidence templates included.
  • Half the per-seat price of US-domiciled alternatives at comparable coverage.
  • No US legal-process exposure on the Sovereign tier (CLOUD Act, FISA 702).

Frequently asked questions

Does ZeusLock map detections to DORA event categories?

Yes. Every detection event ships with a DORA classification (ICT third-party access, ICT incident, ICT change), the associated third-party identifier and the data category involved. Export to your GRC via signed webhook or daily CSV.

Can the trading floor run in block mode while corporate runs in alert mode?

Yes. Policy is set per AD group or per Workspace OU. The typical configuration is trading, treasury and risk in Block mode, with corporate, marketing and ops in Alert mode.

How does ZeusLock handle privileged communications (legal hold, M&A)?

Privileged groups (in-house counsel, M&A deal teams) can be flagged for allow-list-only AI use: only ChatGPT Enterprise or an internal LLM is reachable, and all other AI hosts are blocked at the browser. Detections for these groups are retained encrypted under a separate key custodied by legal.

Is ZeusLock part of the supervisory perimeter as an ICT third party?

On the SaaS edition, yes: we sign the DORA-aligned contractual schedule without negotiation. On the Sovereign Edition, ZeusLock is a software vendor only; we never process customer data, so the third-party register entry is materially lighter.

Book a vertical-specific briefing

Book a demo