In This Article
- Why the Calyx PointCentral Hosting Decision Looks Different in 2026
- The Three Layers of Dedicated You Should Demand from Any Calyx Host
- Tier 1 CSP vs SaaS-on-AWS: The Account-Ownership Question Examiners Will Ask
- Durability and Backup: What 11 and 16 Nines Actually Means for Your Loan Data
- Examiner-Ready Out of the Box: FFIEC, NCUA, FDIC, OCC, and NIST CSF 2.0
- Pricing You Can Predict: Azure Usage, Not Per-User Subscriptions
- Migration: From Quote to Live in Two Business Days
- Frequently Asked Questions
Choosing a Calyx PointCentral hosting provider used to be a decision about uptime and price. In 2026 it is a decision about who is on the line when your examiner asks where your borrower data lives, who holds the cloud account it lives in, and which artifacts you can produce within the audit window. The wrong answer is not just an operational risk anymore. It is an examination finding, a counterparty letter, and in some cases a renewal hit on your cyber insurance.
Most Calyx hosting marketing still leads with words that mattered fifteen years ago: uptime guarantees, backup frequency, U.S.-based support. Those things still matter. They are also table stakes. The questions that move an examiner's pen in 2026 are different. Where does the live database actually sit? Who owns the cloud subscription that holds your borrower documents? How many parties are between your loan officer and Microsoft? What examiner artifact does the platform produce on demand? What does the bill look like in year five if your headcount doubles?
This guide is for IT directors, compliance officers, and operations leaders at credit unions, banks, and mortgage companies who need to evaluate a Calyx PointCentral hosting provider against the controls examiners now expect, the threat environment your loan officers actually work in, and a budget that does not double every time you hire a processor. ABT has hosted Calyx Point and PointCentral for financial institutions since 2004 and is the largest Tier 1 Microsoft Cloud Solution Provider dedicated to financial services. The framing below is the same one we walk new prospects through on every scoping call.
Why the Calyx PointCentral Hosting Decision Looks Different in 2026
Three things happened between your last hosting renewal and this one. None of them got a press release inside your shop, but all of them changed what the examination conversation about Calyx hosting actually looks like.
The FFIEC Cybersecurity Assessment Tool retired on August 31, 2025. Most institutions had been using it as the de facto cybersecurity self-assessment for a decade. Its retirement did not lower expectations. It raised them. Examiners now expect institutions to have moved to a successor framework, with the National Institute of Standards and Technology Cybersecurity Framework 2.0 being the most common landing spot. NIST released CSF 2.0 on February 26, 2024, and added a new Govern function to the original five (Identify, Protect, Detect, Respond, Recover). The Govern function captures cybersecurity governance, supply chain, and policy oversight, all of which now show up explicitly in examiner findings.
Microsoft began enforcing mandatory multi-factor authentication on its admin portals in two phases starting October 2024. Phase 2 began October 1, 2025 and extends to Azure CLI, Azure PowerShell, and REST API endpoints. There is no opt-out. If the Calyx hosting provider you are evaluating does not have phishing-resistant authentication on its administrative access to your environment, that gap is now an audit finding and a CISA-level recommendation rolled into one. ABT covers the institution-side configuration in detail in our phishing-resistant MFA guide for community banks, credit unions, and mortgage companies.
Cyber insurance underwriters have rewritten their applications. The questions about hosting now ask whether your loan platform vendor holds your data in their own cloud account or in yours, whether the SOC 2 attestation covers the actual environment you sit in (not just the parent vendor's corporate network), and whether the platform produces examiner artifacts on request. Renewals at institutions that cannot answer those questions cleanly have come back with higher premiums, sub-limits on cyber coverage, or carve-outs for vendor-managed environments.
What This Buyer Guide Assumes
You already use Calyx Point or Calyx PointCentral, or you are evaluating it. You are a credit union, a community bank, or a mortgage company answerable to one or more of FFIEC member agencies, NCUA, FDIC, OCC, or the FTC under the Safeguards Rule. You want a hosting provider whose architecture maps to those examiner expectations without you having to write the mapping yourself. You want pricing you can model into a five-year budget. And you want the conversation to start at the technical layer, not at a sales script.
The Three Layers of Dedicated You Should Demand from Any Calyx Host
"Dedicated" is the most overused word in Calyx hosting marketing. Almost every provider claims it. Almost none of them mean what your examiner means when she uses it. There are three independent layers where the word "dedicated" should apply, and the answer at any one of them tells you something different about the platform you are about to put your loan files into.
- Dedicated server
- Your Calyx PointCentral instance runs on a single Azure virtual machine that no other lender shares. Not a slice of a multi-tenant container. Not a co-tenant on a shared database. ABT provisions one VM per customer, sized to the institution's workload.
- Dedicated Microsoft tenant
- Your Microsoft cloud subscription is provisioned in your institution's own legal name under your own Microsoft Customer Agreement, not inside the hosting vendor's parent account. ABT's Tier 1 CSP designation is what makes this possible. The tenant is yours when you sign up. It stays yours if you ever leave.
- Dedicated PointCentral instance
- One Calyx PointCentral runs inside that VM. No other lender's loans, branches, or branch users live in the same SQL database. No co-tenancy. No shared schema. The audit trail an examiner pulls is exclusively yours.
The reason this three-layer test matters is that providers can satisfy any one layer and still fail the other two. A vendor can run your PointCentral on a "dedicated" virtual server while holding the Microsoft subscription that owns the storage in their own account. Another can give you a dedicated Microsoft tenant on paper while running PointCentral as multi-tenant SaaS in someone else's cloud. Examiners read each layer separately because each one has a different audit consequence.
For an examiner, the dedicated server question goes to performance isolation and noisy-neighbor risk. The dedicated tenant question goes to account ownership and exit-rights. The dedicated PointCentral question goes to data segregation, audit-log integrity, and what shows up in your platform when you produce a report for the regulator. The right answer is yes at all three layers. Any "yes, but" answer is the buyer's job to translate into specific risk language for the examination team.
ABT's dedicated Microsoft cloud architecture page documents the control grid for all three layers. The short version is that we provision one VM per customer, one tenant per customer (in the customer's name), and one PointCentral per VM. No exceptions, no shared infrastructure, no cohabitation with other lenders. The institution that signs the contract owns the cloud account, owns the audit trail, and owns the data.
Tier 1 CSP vs SaaS-on-AWS: The Account-Ownership Question Examiners Will Ask
Behind the marketing, every Calyx hosting provider falls into one of two architectural families. The first is the Tier 1 Microsoft Cloud Solution Provider model, where the hosting vendor has a direct-bill relationship with Microsoft and provisions Azure subscriptions in the customer's own name. The second is the SaaS-on-cloud-reseller model, where the hosting vendor is a reseller or aggregator running their platform inside a hyperscaler account they own (Amazon Web Services, Google Cloud, or another vendor's Microsoft tenant), and customers consume the platform as software-as-a-service.
The two models look identical in a marketing brochure. They produce two completely different audit conversations.
Tier 1 CSP Hosting (ABT Model)
- Two hops. Customer workstation, ABT-managed VM, Microsoft.
- Customer-owned cloud account. Microsoft Customer Agreement is signed in the institution's name.
- Direct-bill from Microsoft. No reseller margin layered onto Azure consumption.
- Examiner artifact path is one-stop. SOC 2 + SOC 1 attestations cover the actual environment the institution sits in.
- Exit rights are clean. The institution owns the tenant. Migration off does not require unwinding a vendor's account boundary.
SaaS-on-AWS / Cloud-Reseller Hosting
- Three hops. Customer workstation, vendor's SaaS layer, vendor's hyperscaler account, hyperscaler.
- Vendor-owned cloud account. The cloud subscription that holds the institution's borrower data is in the vendor's name.
- Reseller economics. Vendor margin is layered onto cloud consumption, often invisibly.
- Examiner artifact path goes through the vendor first. SOC 2 may attest to the vendor's corporate environment, not the specific multi-tenant production stack.
- Exit costs include account untangling. Migrating data out of a vendor-owned account requires negotiated extraction, not a tenant transfer.
The vendor-chain question is what examiners are reading the SOC 2 attestation for. Under the FFIEC IT Examination Handbook and the OCC's third-party risk management guidance (Bulletin 2023-37 for banks, NCUA's third-party guidance for credit unions), the institution remains accountable for the security and availability of its outsourced systems. When the cloud account holding the data is in the vendor's name, the institution's own SOC 2 reliance is on a multi-party chain. When the cloud account is in the institution's own name, the SOC 2 reliance is direct and the audit trail is shorter.
The single sharpest question an examiner will ask about your Calyx hosting in 2026 is whose name is on the Microsoft Customer Agreement. The answer either ends the conversation or starts a longer one.
ABT is a Tier 1 Microsoft Cloud Solution Provider, direct-billed by Microsoft, with no reseller in the chain. When ABT provisions a Calyx PointCentral hosting environment, the Microsoft Customer Agreement is signed by the institution. The Azure subscription that owns the VM, the storage, and the backup retention policies is in the institution's name. ABT manages it. The institution owns it. The examiner reads it as a customer-owned cloud environment with a managed service overlay, which is a materially different finding category than a SaaS environment where the cloud account belongs to the vendor.
ABT is the largest Tier 1 Microsoft Cloud Solution Provider dedicated to financial services, with Microsoft 365 and Azure environments running for more than 750 credit unions, banks, and mortgage companies. The Tier 1 designation means ABT is direct-billed by Microsoft with no reseller layer in between. Microsoft Azure infrastructure spans 55+ operational datacenters across the United States (ABI Research 2025). When ABT provisions a Calyx PointCentral hosting environment, your institution holds the Microsoft Customer Agreement, owns the Azure subscription, and has a documented two-hop architecture from your workstation to Microsoft.
The architectural separation between the two hosting models is visible at a glance once you map the contract chain side by side.
Durability and Backup: What 11 and 16 Nines Actually Means for Your Loan Data
Every Calyx hosting provider claims redundancy. The number behind the word is what matters. Microsoft Azure publishes durability and availability service level agreements that any Tier 1 CSP can cite verbatim, and the math at the storage layer is the same regardless of which vendor is selling on top of it. The two relevant numbers are durability on live data and durability on backup data.
ABT's Calyx PointCentral hosting runs each customer's VM on Azure managed disks with Locally Redundant Storage. Microsoft's published SLA for managed disks LRS is 99.999999999 percent durability, which the industry shortens to "11 nines." That number describes Microsoft's commitment that any individual byte of data will not be lost, expressed as the probability of loss across a one-year window. Eleven nines means three independent synchronous copies of the data inside a single Microsoft datacenter, with automatic detection and replacement of any failed copy. Your dedicated server has built-in redundancy at the storage layer because Microsoft maintains it, not because ABT or any other provider engineers it on top.
Backups are different. ABT writes nightly backups of the VM to Azure Geo-Redundant Storage. GRS replicates the backup data to a second Microsoft region hundreds of miles away from the primary, producing six total copies of the backup tier (three in the primary region, three in the paired region). Microsoft's published SLA for GRS is 16 nines durability, which shortens the conversation about whether your backup will be there when you need it.
| Storage Tier | Microsoft Service | Copies | Geographic Scope | Durability SLA |
|---|---|---|---|---|
| Live data on the VM | Azure managed disks LRS | 3 synchronous copies | 1 datacenter (1 region) | 11 nines (99.999999999%) |
| Nightly backup | Azure Backup, GRS storage | 6 total (3 primary + 3 paired region) | 2 Microsoft regions | 16 nines |
Source: Microsoft Azure managed disks and Azure Storage redundancy documentation, 2026
The honest framing on availability is more nuanced than the durability framing. Live data sits on a single VM in a single Microsoft datacenter, so Microsoft's standard single-instance VM SLA of 99.9 percent applies. Backups are geo-redundant and survive the loss of a primary region. Most regulated institutions treat that combination as a balanced posture: high durability on live data, geo-redundancy on the recovery tier, with continuous-availability options available as upgrades when an institution's business continuity plan calls for them.
The right way to read this for a buyer evaluation is to ask the prospective host two questions. First, where does my live data physically sit, and what is the durability SLA on that storage tier? Second, where is my backup, in how many regions, and what is the durability SLA on that tier? An honest answer is two specific numbers that match Microsoft's published documentation. A vague answer about "geo-redundancy" or "multiple regions" without specifying which tier the redundancy applies to should prompt a follow-up.
Read the Numbers, Not the Adjectives
Eleven nines describes the durability of your live loan data on the VM. Sixteen nines describes the durability of your backup tier. Single-VM availability is Microsoft 99.9 percent on the standard configuration, with continuous availability available as an upgrade for institutions whose continuity plan requires it. Anyone selling you "16 nines durability across all regions" is not describing the standard Calyx hosting deployment. They are describing something else, or they are wrong.
Examiner-Ready Out of the Box: FFIEC, NCUA, FDIC, OCC, and NIST CSF 2.0
The phrase "examiner-ready" gets used loosely in vendor marketing. The way ABT defines it is operational. An examiner-ready hosting platform produces, on request, the artifacts an IT examination team will ask for during the audit window. The institution does not have to manufacture them. The hosting provider does not have to scramble to write them. The platform itself maintains them as a standing output.
The artifact list is not exotic. It is the same set across FFIEC member agency examinations, NCUA examinations under 12 CFR Part 749 Appendix A, FDIC IT examinations, and OCC IT examinations. The relevant artifacts include: a current SOC 2 Type II attestation covering the production environment, a SOC 1 attestation for institutions whose hosting touches financial reporting controls, an inventory of access controls and authentication methods, audit log retention configurable to the institution's regulatory requirement (Bank Secrecy Act five-year retention, NCUA five-year retention, SAR retention, and Reg B/Reg E timelines), encryption-at-rest documentation, encryption-in-transit documentation, and a documented business continuity and disaster recovery plan with backup retention windows that map to the institution's stated RPO and RTO.
NIST CSF 2.0 maps to the same artifact set. The five original functions (Identify, Protect, Detect, Respond, Recover) and the new sixth (Govern) define the categories an examiner reads against. The Govern function added in the 2.0 release captures third-party oversight, which is exactly the layer where Calyx hosting sits for the institution. ABT's NIST CSF 2.0 Assessment for financial institutions documents the control mapping and the deliverables an examiner expects from the platform side, with line-of-sight to the artifacts that ABT produces from the hosting environment.
What Examiner-Ready Looks Like in Practice
A current SOC 2 Type II attestation covering the actual hosting environment your institution runs in, not the parent vendor's corporate network. SOC 1 available for institutions whose hosting touches financial reporting. Encryption at rest using AES-256 with customer-controlled keys in Azure Key Vault Premium. TLS 1.3 for traffic in transit. Audit log retention configurable to BSA, NCUA, and SAR record-keeping requirements. Geo-redundant nightly backup with documented recovery procedures. NIST CSF 2.0 mapping for the Govern function. ABT delivers all of this as standard, not as an upgrade tier.
The reason a buyer guide should spend this much time on examiner artifacts is that the artifact gap is the single most common Calyx hosting buyer regret. Institutions choose a host on price or feature parity, then the next IT examination produces a finding because the SOC 2 reliance was on the vendor's corporate environment instead of the actual production stack, or the audit log retention was at platform default instead of regulatory minimum, or the encryption documentation referenced a standard the vendor met two years ago and never refreshed. None of those gaps show up in a feature-comparison spreadsheet. All of them show up in an examination report.
Pricing You Can Predict: Azure Usage, Not Per-User Subscriptions
Calyx hosting pricing has historically been quoted per user or per branch, with bundled Microsoft license seats layered on top. The math works at the start. It compounds awkwardly. A community bank that hires twelve loan officers in a growth year sees the hosting bill scale linearly with headcount even though the actual underlying compute and storage have not moved by the same proportion. A mortgage company that grows past one hundred users finds that what was a manageable monthly line item is now a budget review item.
ABT's Calyx PointCentral hosting is priced on Azure usage rather than a per-user subscription. The pricing model maps the institution's actual cloud consumption (compute, storage, backup retention, network egress) to a monthly figure that does not multiply with seat count. New PointCentral installations without migrated historical data start at $99 per month. Existing PointCentral environments are quoted by data: tell ABT how much loan history, document storage, and active workload the institution carries, and the quote is sized to match the Azure usage profile.
The model produces a predictable five-year budget line. What an institution pays in year one is what it pays in year five, adjusted for actual cloud-consumption growth rather than headcount changes. The punchline that comes up in most buyer conversations is that ABT's Azure-usage model runs at a fraction of per-user pricing for any institution above 25 users, with the gap widening as the organization grows.
The Pricing Conversation in One Paragraph
Azure usage pricing, not per-user subscriptions. New Calyx PointCentral installs without migrated data start at $99 per month. Existing environments are quoted by data volume, sized to actual Azure consumption. Microsoft cloud usage is included in the hosting fee. No surprise overage charges. Year-one pricing equals year-five pricing for a stable workload. For most institutions above 25 users, the model is a fraction of per-user hosting pricing.
The DocumentGuardian secure file sharing product is included in the standard hosting fee. Borrower documents move through the same dedicated tenant with the same audit logging that the loan platform itself produces. The institution does not pay separately for an encrypted file-transfer tool. ABT's DocumentGuardian product page documents the workflow.
Migration: From Quote to Live in Two Business Days
The slowest part of a Calyx hosting migration is the institution's own internal calendar. The cutover itself, on the ABT side, runs two business days or less from the moment the scope call is complete and the customer's IT has approved the cutover window. The cutover is a defined process with five stages.
30 minutes. ABT confirms data volume, branch count, user count, current host, and migration window. Quote produced same day.
ABT provisions the dedicated Microsoft tenant under the institution's MCA. Azure subscription is created in the institution's legal name.
The dedicated VM is sized to workload. PointCentral is installed in the VM. Test environment is provisioned for migration validation.
Loan history, document storage, user accounts, and configuration are migrated from the prior host. Validation runs in the test environment.
2 business days or less. Users sign in to the new tenant. The prior host is decommissioned per the institution's retention policy.
The ABT migration team handles the technical work. The institution's IT team approves the cutover window, validates the test environment, and signs off. The institution's loan officers do not lift a finger during the cutover. They sign in on the cutover morning and work the same day. ABT's how-it-works section documents the operational workflow with the same five stages.
What the timeline assumes: the scope call has identified the prior host's data export format and the size of the loan history, branch users have been inventoried, and the customer's IT is available during the cutover window for sign-off. What it does not assume: a 90-day waiting list, a feature-by-feature reconfiguration of PointCentral, or a separate phase for "Microsoft tenant setup." The Microsoft tenant setup is part of the standard cutover, not an extra project.
Frequently Asked Questions
ABT's Calyx PointCentral hosting is dedicated at three independent layers. The first is a dedicated server: your PointCentral runs on a single Azure virtual machine that no other lender shares. The second is a dedicated Microsoft tenant: your Azure subscription is provisioned in your institution's legal name under your own Microsoft Customer Agreement, made possible by ABT's Tier 1 Microsoft Cloud Solution Provider designation. The third is a dedicated PointCentral instance: one PointCentral runs inside your VM, with no co-tenancy and no shared SQL database with other lenders. The institution that signs the contract owns the cloud account, the tenant, and the audit trail. Examiners read each of the three layers separately because each one has a different audit consequence.
ABT is a Tier 1 Microsoft Cloud Solution Provider, direct-billed by Microsoft with no reseller in the chain. The architectural chain from your loan officer's workstation to Microsoft is two hops: workstation, ABT-managed VM, Microsoft. The Microsoft Customer Agreement is signed by your institution, and the Azure subscription that holds your borrower data is in your name. SaaS-on-AWS or other cloud-reseller hosting models route through three hops, with the middle vendor's cloud account holding your data. The two architectures look identical in marketing materials but produce two different audit conversations: customer-owned cloud with managed-service overlay (ABT) versus vendor-owned cloud accessed as software-as-a-service (the SaaS-on-cloud-reseller model).
Your live data sits on Azure managed disks Locally Redundant Storage, which maintains three synchronous copies inside a single Microsoft datacenter with 11 nines durability (99.999999999%). Your nightly backup is written to Azure Geo-Redundant Storage, which replicates to a second Microsoft region hundreds of miles away, producing six total copies of the backup tier across two regions with 16 nines durability. If a regional outage affected your primary datacenter, ABT restores from the geo-redundant backup tier per your documented business continuity plan. Single-VM availability is Microsoft's standard 99.9 percent SLA. Continuous availability across regional outages is available as an upgrade tier (availability set, zone redundancy, or active-active geo-replication) for institutions whose business continuity plan requires it.
ABT's hosting platform is built for credit unions, banks, and mortgage companies, which translates to FFIEC IT Examination Handbook controls for federally insured institutions, NCUA examinations under 12 CFR Part 749 Appendix A for credit unions, FDIC IT examinations for FDIC-insured banks, and OCC IT examinations for nationally chartered banks. Independent mortgage lenders and servicers fall under the FTC Safeguards Rule (16 CFR Part 314) and CFPB Compliance Management System reviews. The platform aligns to the NIST Cybersecurity Framework 2.0, released February 26, 2024 with the new Govern function added. SOC 2 Type II and SOC 1 attestations cover the production environment. The FFIEC Cybersecurity Assessment Tool retired August 31, 2025, so most institutions now run their cybersecurity self-assessment against NIST CSF 2.0 directly.
ABT's Calyx PointCentral hosting is priced on Azure usage, not on a per-user subscription. New PointCentral installations without migrated historical data start at $99 per month. Existing PointCentral environments with migrated data are quoted by data volume: tell ABT how much loan history, document storage, and active workload the institution carries, and the quote is sized to the actual Azure consumption profile. Microsoft cloud usage is included in the hosting fee. There are no surprise overage charges. Year-one pricing equals year-five pricing for a stable workload, adjusted only for actual cloud-consumption growth rather than headcount changes. For most institutions above 25 users, the Azure-usage model runs at a fraction of per-user hosting pricing, with the gap widening as the organization grows.
The cutover itself runs two business days or less from the moment the scope call is complete and the institution's IT has approved the cutover window. The full process has five stages: scope call (30 minutes, with same-day quote), Microsoft tenant provisioning under the institution's MCA, dedicated VM and PointCentral build with a parallel test environment, data migration of loan history and document storage with validation in the test environment, and cutover. ABT's migration team handles the technical work. The institution's IT team approves the cutover window and signs off on the test environment. Loan officers do not lift a finger during the cutover. They sign in on the cutover morning and work the same day in the new tenant.
Yes. DocumentGuardian, ABT's secure file sharing product for borrower documents, is included in the standard Calyx PointCentral hosting fee. Borrower documents move through the same dedicated Microsoft tenant as the loan platform itself, with the same audit logging and the same encryption posture. The institution does not pay a separate license fee for an encrypted file-transfer tool. DocumentGuardian is designed for the document-delivery workflows that loan officers, processors, and underwriters run every day, with examiner-grade audit trails on every send, receipt, and download.
Data at rest on the dedicated VM is encrypted with AES-256 under SQL Server Transparent Data Encryption, with customer-controlled keys held in Azure Key Vault Premium. Data in transit is protected with TLS 1.3 between the user workstation and the Microsoft Azure network. Network security groups, Microsoft Defender for Cloud, and Microsoft Entra ID conditional access policies control access at the platform layer. ExpressRoute private circuits and Azure VPN gateway are available as upgrade options for institutions that require traffic to bypass the public internet entirely. The encryption posture is documented in ABT's SOC 2 Type II attestation, which covers the actual production environment your institution sits in, not the parent vendor's corporate network.
Stop Translating Vendor Marketing into Examiner Language
If your current Calyx hosting answers do not line up with the three-layer dedicated test, the Tier 1 CSP account-ownership question, or the durability and examiner-artifact framing above, ABT will walk through your specific environment in a 30-minute scoping call. The output is a quote sized to your Azure usage and a clean answer to every question your examiner is going to ask.