Dedicated tenant. Microsoft direct-bill. Built for banks, credit unions, and mortgage lenders that answer to FFIEC, NCUA, FDIC, and OCC examiners. Live in 2 business days or less.
Trusted by 750+ of the Nation's Leading Lenders, Banks & Credit Unions.
TIER 1 MICROSOFT CSP
SOC 2 TYPE II
ZERO TRUST
NIST CSF ALIGNED
FFIEC
GLBA / FTC SAFEGUARDS
NCUA / FDIC
CFPB / GSE AUDIT READY
750+ INSTITUTIONS
SINCE 1999
Since 2004
Calyx Point Hosting
Two decades of lineage
750+
Financial Institutions
Banks, credit unions, mortgage lenders
24/7/365
U.S.-Based Support
Microsoft-certified. Not outsourced.
Tier 1 CSP
Microsoft Direct-Bill
The largest hosting Calyx Point
From $99/mo
Plans Start Here
Azure usage pricing. Not per user.
The Bigger Idea
Your Calyx Server Is the Start of a Bigger Fix
The PointCentral database holds borrower NPI, credit files, income documentation, closing data, and the audit trail of every loan your team has ever touched. Where and how you host it is no longer a back-office decision. It is the highest-impact system in any community bank, credit union, or mortgage lender IT examination.
1. Your database is in regulatory scope.
Under FFIEC, NCUA, FDIC, or OCC review, your PointCentral server lands inside IT General Controls, business continuity, vendor management, and information security. Whatever choice you make about where it lives, your examiner will trace it.
2. Shared tenancy and reseller chains fail today's bar.
Multi-tenant SQL where you cannot answer "who else is on this server" no longer passes the audit bar. Neither does a hosted setup where your provider resells someone else's cloud, because the examiner now traces two vendor relationships instead of one.
3. Private Azure, direct-bill, two hops not three.
ABT runs your PointCentral on a private Microsoft Azure environment dedicated to your institution. As a Tier 1 Microsoft Cloud Solution Provider buying Azure direct, the chain of custody on your loan data runs workstation to your Microsoft tenant directly to Microsoft. Two hops. Not three.
4. Hosting your Calyx with us is the start, not the end.
From there, your Microsoft 365, Teams, SharePoint, Guardian security, and Copilot can sit in the same Microsoft tenant. One identity. One audit trail. One throat to choke. None of it is required to host Calyx today. All of it becomes an easier yes once your loan database is already with us.
What Makes This Better
Three Controls Your Examiner Will Ask About
Private Tenant, Dedicated Infrastructure
Your PointCentral runs in a dedicated Microsoft tenant for your institution. Dedicated virtual machines. Dedicated SQL instance. Dedicated storage accounts. No shared-tenancy hosting where your borrower data sits in the same database engine as another lender's. When the examiner asks "who else is on this server," the answer is "nobody."
Tier 1 CSP, Tenant in Your Name
ABT is a Tier 1 Microsoft Cloud Solution Provider (Direct-Bill) with a direct contract to Microsoft. Your Azure tenant is provisioned in your institution's name under your own Microsoft Customer Agreement — you own it; we operate it as your partner of record with delegated admin access you can revoke. Compare a typical AWS-reseller hosting model: the underlying AWS account is owned by the reseller, and your borrower data lives inside their account under their root credentials. When your examiner asks who owns the infrastructure your data sits in, the answer is your institution. Two hops to Microsoft, in your name — not three hops where the middle vendor holds the keys.
Built for Banks, Credit Unions, and Mortgage Lenders
Every control is configured to map to FFIEC, NCUA, FDIC, and OCC expectations out of the gate. Encryption at rest and in transit. Privileged access management. Immutable backup. Change control. Logging and alerting. If your examiner asks for it, we can hand you the artifact that proves it.
Regulatory Readiness
Mapped to Every Examiner Your Institution Answers To
The FFIEC Cybersecurity Assessment Tool was retired August 31, 2025. Examiners now use NIST Cybersecurity Framework 2.0, the CRI Profile v2.1, and CIS Critical Security Controls as the successor references. NIST CSF 2.0 added a sixth core function, Govern, on February 26, 2024.
Your PointCentral hosting environment is in scope for that review. Below: how ABT's private Azure hosting maps to every one of the six NIST CSF 2.0 functions, and to FFIEC, NCUA, FDIC, OCC, CFPB, and PCI examiner expectations.
Documented policies mapped to each NIST CSF 2.0 subcategory. Third-party risk evidence for every component in your PointCentral environment. Governance artifacts in your tenant, ready to hand to an examiner.
Identify
Asset inventory, risk assessment, business environment
Complete asset inventory of the VMs, SQL instance, storage, and network attached to your PointCentral server. Risk assessments on a defined cadence. Annual improvement plan tied to your examination cycle.
Protect
Identity, access, data, platform security, training
Entra ID conditional access on every admin path. Encryption at rest and in transit, FIPS 140-3 hardware-backed keys on request. DMARC enforcement, Defender hardening, Tokenator zero-tolerance session revocation.
Detect
Continuous monitoring, anomaly detection
Microsoft Sentinel correlation across PointCentral, identity, endpoint, and email telemetry in one pane. Guardian Managed Extended Detection and Response watching your tenant 24/7/365 from the United States.
Respond
Incident response planning, analysis, mitigation
Documented incident response runbook tailored to your institution. Forensic log retention so investigators have what they need on day one. Guardian MxDR analysts on-call to triage, contain, and work an incident alongside your team.
Recover
Recovery planning, restoration, communication
Nightly backup with geo-redundant copies in a second Microsoft region. 16-nines storage durability on the geo-redundant backup tier. Microsoft's published storage SLA. Documented RTO and RPO tied to your BCP plan.
Reference: nist.gov/cyberframework (CSF 2.0, released February 26, 2024). FFIEC CAT retired August 31, 2025 per OCC Bulletin 2024-25 and the FFIEC joint statement.
Under the Hood
The Architecture Behind the Hosting
Every control your IT team and examiner will trace is documented and auditable. Full architecture diagrams and control mappings are available under NDA.
Availability and Resilience
PointCentral runs on your own dedicated server with Microsoft Azure redundancy built in at every storage layer.
3 copies of your data maintained automatically inside the data center
11 nines (99.999999999%) durability on live storage, Microsoft's published SLA
Nightly backup with copies in two Microsoft regions for disaster recovery
16 nines durability on the geo-redundant backup tier
Documented RTO and RPO tied to your BCP plan
Encryption and Key Management
Every byte of borrower data encrypted in transit and at rest. Keys in Azure Key Vault Premium, segregated per institution.
TLS 1.3 client-to-server
AES-256 at rest on SQL and storage
Customer-managed keys available
FIPS 140-3 Level 3 hardware-backed keys on request (Azure Managed HSM)
Transparent Data Encryption on full Calyx DB
Network Architecture
Encrypted traffic over Microsoft Azure's network, with private-circuit upgrades available for institutions that need them.
TLS 1.3 encryption end-to-end on every connection
Azure VPN gateway available for institutions that require it
ExpressRoute private circuit available on request (99.95% SLA)
NSGs enforcing least-privilege network access
Defender for Cloud continuous posture monitoring
Identity and Access
Access gated through Entra ID conditional access with hardware-backed MFA on every admin path.
Privileged Access Workstations for ABT admins
Just-in-time privileged role activation
Tokenator zero-tolerance session revocation
Role-based access with quarterly review
Session logging retained for forensic review
Private vs Shared
What Private Hosting Actually Means
"Hosted in the cloud" is not a differentiator. Every Calyx hosting provider uses someone's data center. The real question for a CISO is what sits between your borrower data and the next tenant on the same infrastructure. Below, the comparison split into two views: architecture & tenancy, and operations & compliance.
Architecture & Tenancy
Where your data lives and who shares the database engine.
Cloud platform
ABT Private Azure: ✓ Microsoft Azure, Tier 1 CSP direct-bill. Tenant provisioned in your institution's name under your own Microsoft Customer Agreement.
Typical Shared Hosting: − Typically a third-party cloud (often AWS) provisioned in the reseller's account, not yours. You access it; they own the root.
Database tenancy
ABT Private Azure: ✓ Dedicated SQL instance per institution. No co-mingled databases, no shared connection pool.
Typical Shared Hosting: − Shared SQL server with tenant-per-database, or shared tables keyed by tenant ID.
−Shared VM farm, shared storage pool, shared subnet. Tenant isolation is software only.
Account ownership
ABT Private Azure: ✓ Your institution holds the Azure tenant and the MCA. ABT operates with delegated admin access you can revoke.
Typical Shared Hosting: − Reseller holds the AWS account and root credentials. Customer access is scoped IAM under their account.
Vendor chain
ABT Private Azure: ✓ Two-link chain: your institution → ABT → Microsoft. One audit trail.
Typical Shared Hosting: − Three-link chain common: institution → host → reseller → underlying cloud. Two audit trails to trace.
Operations & Compliance
Patching, backup, encryption, network, and incident posture.
Patch scheduling
ABT Private Azure: ✓ Coordinated with your institution's change window. Advance notice, pre-tested builds.
Typical Shared Hosting: − Vendor-driven windows that apply to all tenants at once. Limited coordination.
Backup and retention
ABT Private Azure: ✓ Nightly backup with geo-redundant copies in a second Microsoft region. Backup retention configurable to BSA, NCUA, and SAR record-keeping requirements.
Typical Shared Hosting: − Typically nightly full backup with limited retention. Extending beyond vendor default is often an add-on.
Encryption and keys
ABT Private Azure: ✓ TLS 1.3, AES-256 at rest, Azure Key Vault Premium. FIPS 140-3 Level 3 hardware-backed keys available on request.
Typical Shared Hosting: − Shared encryption keys common. FIPS 140-3 validated hardware rarely offered.
Network path
ABT Private Azure: ✓ TLS 1.3 encrypted traffic over Microsoft Azure's network. ExpressRoute private circuit available on request for institutions that require it.
Typical Shared Hosting: − Public-internet VPN, typical. Private circuit rarely available at single-institution size.
Incident scope
ABT Private Azure: ✓ A security incident in your tenant stays in your tenant. Forensic boundary is your institution.
Typical Shared Hosting: − A platform-level incident can pull every tenant into the same investigation.
Pricing model
ABT Private Azure: ✓ Azure usage pricing. We charge by Azure usage, not user count. New installations start at $99 a month. Migrating data? We size the plan to your Azure usage. All Azure usage is included. Same rate year over year. A fraction of what you'd pay on a per-user system.
Typical Shared Hosting: − Per-user pricing typical, with cloud consumption fees often billed back as pass-through. Year-one promotional pricing followed by tier increases.
From the ABT YouTube Channel
What most MSPs won't tell you about hosting your Calyx environment.
Most MSPs reselling cloud hosting don't run the data center, don't write the SQL retention policy, and don't sign the BAA the FFIEC examiner is going to read. We do all three. Watch the 49-second version, then read the side-by-side comparison above.
Once your PointCentral lives in your dedicated Microsoft tenant, every other Microsoft service your bank, credit union, or mortgage business needs can sit in the same tenant, on the same identity, with the same audit trail.
Standard
Microsoft 365 in the Same Tenant
Email, Teams, SharePoint, OneDrive, and endpoint security live in the same Microsoft tenant as your PointCentral database. One identity. One DLP policy set. One audit trail. No cross-tenant data exchange surface to secure.
Available
Azure Virtual Desktop
Windows 11 virtual workstations for remote loan officers, contract processors, and hybrid employees. Available as an integrated option on your tenant. Keeps PointCentral access inside the ABT security boundary even on personal devices.
Standard
Guardian Security Operating Model
Every PointCentral tenant runs under the Guardian operating model: Entra ID hardened, Defender tuned, DMARC enforced, Tokenator zero-tolerance session revocation, Sentinel correlation across the stack. Guardian MxDR watches 24/7/365 from the United States.
Available
Microsoft 365 Copilot, Ready When You Are
With Microsoft 365 and PointCentral data already in one governed Microsoft tenant, Copilot readiness is a configuration step, not a migration project. When you are ready to evaluate generative AI for loan origination, underwriter research, or compliance drafting, the governance foundation is already under you.
Standard
DocumentGuardian for Borrower Documents
Send sensitive borrower documents encrypted, audited, with retention controls. DocumentGuardian is included in your hosting fee. No separate vendor, no separate bill, no separate audit trail.
The Consolidation Journey
Once Hosting Is Solved, Here Is What Comes Next
Hosting your Calyx with ABT is step one. The reason it matters is what it unlocks downstream. With your loan origination database, your Microsoft 365 footprint, and your security operating model already in one governed Microsoft tenant, the two questions every FI board is now asking get faster, cheaper answers.
Next Step: Security Posture
NIST CSF 2.0 Assessment for Financial Institutions
FFIEC retired the Cybersecurity Assessment Tool on August 31, 2025. NIST CSF 2.0 is the framework examiners are now mapping community banks, credit unions, and mortgage lenders against. Our 6-to-8-week assessment grades your institution across all six functions, including the new Govern function added in 2024.
Maps your environment to Govern, Identify, Protect, Detect, Respond, Recover
Identifies gaps before your next OCC, FDIC, or NCUA exam
Microsoft-native scoring across Entra ID, Defender, Purview, and Sentinel
Microsoft 365 Copilot Readiness for Financial Institutions
Once your PointCentral and your Microsoft 365 are in the same Microsoft tenant under the same Guardian operating model, the heavy lifting for Copilot is already done. The remaining work is governance configuration, not migration. Our Copilot Readiness assessment confirms your data labels, permissions, and Purview policies are tight before you turn Copilot on.
Sensitivity label coverage check across SharePoint, OneDrive, Teams, Exchange
Oversharing detection on the documents Copilot will index
Conditional access and DLP policy review tuned for Copilot prompt traffic
Tell us what you run today. We will map your current Calyx environment, your Microsoft 365 footprint, and your security posture against what a dedicated Microsoft tenant under Guardian would look like, and show you the consolidation path on a single call.
New PointCentral installations start at $99 a month. We bill by Azure usage, not user count. Bringing data with you? We size the plan to match. Either way, it's a fraction of per-user pricing.
Calyx Software hosting partner since 2004 · Tier 1 Microsoft Cloud Solution Provider · Microsoft-certified engineers, United States
How It Works
Live on a Private Azure Tenant in 2 Business Days or Less
From scope call to your loan officers logging in to a dedicated Microsoft tenant: 2 business days or less. Your existing Calyx environment stays up the whole time. Cutover happens on the maintenance window your IT team picks.
Step 1 · Scope Call
One Call, Written Migration Plan
Our Azure specialist reviews your environment, confirms regulatory scope, and gives you a written migration plan. No pressure. You keep the plan whether you move forward or not.
Current-state inventory and gap assessment
Tenant design, network, and storage architecture
Cutover window picked by your IT team
Step 2 · Migration
Cutover in 2 Business Days or Less
We provision your private Azure subscription, migrate the PointCentral database, and stage the cutover during a maintenance window of your choosing. Full cutover in 2 business days or less.
PointCentral Live. The Rest Comes When You Are Ready.
PointCentral runs on dedicated Azure infrastructure. Your loan officers reach real United States Microsoft-certified people 24/7/365. The rest of your Microsoft footprint can follow when you are ready.
PointCentral live on dedicated Azure
24/7/365 Microsoft-certified U.S. support
Door open for M365, Guardian, volume discounts
Frequently Asked Questions
What CISOs and IT Directors Ask Us First
Eleven answers your IT team and your examiner will want before signing a hosting contract. Each one mirrors the structured data this page publishes for answer engines.
How long does a migration to PointCentral on private Azure take?
2 business days or less. The scope call defines the cutover window your IT team picks. Your existing Calyx environment stays up the whole time. We provision your private Azure subscription, migrate the PointCentral database, and stage the cutover during the maintenance window of your choosing. Your loan officers log in to PointCentral on the new tenant the next morning.
Do I have to move my Microsoft 365 to ABT to host PointCentral here?
No. Calyx hosting is a standalone decision. Many of our customers host PointCentral with us for years before they consolidate Microsoft 365. The door is open for that conversation when you are ready, on your timeline. Once Calyx is already with us, every other Microsoft consolidation step (Microsoft 365 takeover, Guardian standard rollout, Copilot readiness, volume discounts, one bill) becomes a much easier yes.
What happens during a regional Azure outage?
Your nightly backup is geo-redundant, replicated to a separate Microsoft region with 16 nines durability. ABT restores from the geo-redundant backup tier per your documented BCP plan. Zone-redundant and multi-region active failover are available as upgrade options for institutions that require continuous availability across regional outages.
What encryption standards does ABT use for PointCentral hosting?
AES-256 at rest under SQL Transparent Data Encryption. TLS 1.3 in transit. Customer-controlled keys in Azure Key Vault Premium. FIPS 140-3 Level 3 validated hardware-backed keys available on request via Azure Managed HSM. The Calyx database, the file shares, and the backups all use the same envelope.
Is ABT's PointCentral hosting FFIEC examination ready?
Yes. Mapped to NIST CSF 2.0 six functions (Govern, Identify, Protect, Detect, Respond, Recover) and aligned with the FDIC 2026 five-domain integrated examination model. The FFIEC retired the Cybersecurity Assessment Tool on August 31, 2025; NIST CSF 2.0 is the framework examiners are now mapping community banks, credit unions, and mortgage lenders against. Environment-specific SOC 2 Type 2 attestation is provided to FI customers under NDA as part of our standard due diligence package.
How is ABT's hosting architecture different from other Calyx hosting providers?
Three architectural differences. First, ABT runs every PointCentral institution on private Microsoft Azure with the Microsoft Customer Agreement in your institution's name. Most other Calyx hosting in the market today is built on AWS through a SaaS-on-cloud-reseller chain, where the cloud account holding your borrower data belongs to the middle vendor, not to you. Second, ABT has been a Calyx hosting partner since 2004, earlier than any other current Calyx hosting provider. Third, ABT is a Tier 1 Microsoft Cloud Solution Provider that buys Azure directly from Microsoft, with no reseller layer in the chain. The full side-by-side comparison, including support hours, storage policy, and durability guarantees, is documented in the section above this FAQ.
Who controls the encryption keys?
The financial institution. ABT operates the platform. We do not hold or read your keys. Customer-controlled keys live in Azure Key Vault Premium, and FIPS 140-3 Level 3 hardware-backed keys are available in Azure Managed HSM on request. Key rotation, key revocation, and audit-log access stay inside your tenant, your identity boundary, and your compliance officer's reach.
How quickly does ABT patch critical vulnerabilities?
Managed tenants receive Microsoft Patch Tuesday updates within the Guardian advisory cadence. Critical vulnerabilities on the CISA Known Exploited Vulnerabilities list are patched inside the CISA-published deadline, not after it. As a recent example, April 2026 Patch Tuesday covered 167 CVEs including two actively exploited zero-days; managed tenants were patched inside the CISA KEV deadline. The Guardian advisory feed publishes our patch posture and exception list on the same cadence Microsoft publishes the bulletins.
What regulatory records retention does the platform support?
Bank Secrecy Act records 5 years (31 CFR 1010.430). NCUA vital records permanent under 12 CFR Part 749 Appendix A. Suspicious Activity Report records 5 years from filing date. Backup retention up to 10 years with customer-controlled Transparent Data Encryption. Geo-redundant storage and immutable backup vaults are available for institutions whose retention policy requires write-once-read-many guarantees.
Does ABT host other Microsoft workloads for financial institutions?
Yes. ABT is the largest Tier 1 Microsoft CSP hosting Calyx Point and other Azure services: Microsoft 365, MortgageExchange, Guardian MxDR, Azure Virtual Desktop, and Microsoft 365 Copilot all in a single Azure tenancy. 750+ financial institutions run their Calyx and Microsoft services with us, across community banks, credit unions, and mortgage lenders. Hosting your Calyx with us is the starting point. The rest of your Microsoft footprint can follow on your timeline.
How should I evaluate ABT versus other Calyx PointCentral hosting providers?
Ask every provider four questions before you sign a contract. Where does my borrower data physically live (private Microsoft Azure, AWS, or a colocation facility)? Is my SQL instance dedicated or shared with other lenders on the same database engine? What is the actual support staffing model (United States, Microsoft-certified, 24/7/365, or business hours through a help desk)? How is the relationship structured (Tier 1 Microsoft CSP direct-bill, or a reseller chain with two audit trails)? Our written buyer guide for community banks, credit unions, and mortgage lenders walks through each of those questions, the documentation an examiner will ask for, and how to put the answers on paper before you commit. Read the CISO buyer guide.
How much does PointCentral hosting cost?
We don't charge by user. We charge by your Azure usage. New PointCentral installations start at $99 a month. That's the price for a clean install with no historical data to migrate. If you're moving from another host and want to bring your old data with you, tell us how much data you have and we'll give you an estimate. More Azure usage means a bigger plan. Less Azure usage means a smaller plan. You stay in control. If you trim old loans or archive unused files, your Azure usage drops and your plan goes down with it. We include all your Azure usage in one monthly fee. No separate Azure bill. No surprise extra charges. The rate you pay in year one is the same rate you pay in year five. Even with heavy Azure usage, our pricing is a fraction of what you'd pay on a per-user system.
Talk to an Expert
Talk to a Calyx Specialist
Get a scoped migration plan and a live demo of the Guardian baseline. No pressure. No long sales cycle. The plan is yours to keep, whether you move forward with us or not.
SOC 2 Type II
Tier-1 CSP Direct-Bill
NIST CSF 2.0 Aligned
2004
Calyx Hosting Partner Since
750+
Financial Institutions
2 Days
Or Less Cutover SLA
Get Your Scoped Migration Plan
A written plan you keep, whether you move forward or not.
Response within 1 business day. No obligation.