Security

Compliance posture

Advisors Crypto is an SEC-registered internet adviser (CRD #109201) operating under Rule 203A-2(e). This page covers the security and audit posture that supports the agent platform — and what we can share with your security team.

SOC 2

  • Type II audit covering Security and Confidentiality trust criteria — in progress, target completion Q4 2026.
  • Type I report available now under NDA. Request from security@advisorscrypto.com.
  • Auditor: a Big-4 accounting firm; named in the report.

Penetration testing

  • Annual third-party pen test against the production API and infrastructure. Most recent: April 2026. Next scheduled: April 2027.
  • Summary letter shareable under NDA; full report not externally distributed.
  • Critical findings are tracked in a remediation log; nothing critical is open at the time of writing.

Data protection

  • Encryption in transit: TLS 1.2+ across every external boundary. HSTS enabled.
  • Encryption at rest: Postgres on Neon with AES-256 disk encryption. Application-level AES-256-CBC on sensitive fields (email, phone, 2FA secrets).
  • Key material: agent API keys are stored only as SHA-256 digests, so a dumped table does not yield usable keys. Webhook secrets are kept at rest rather than hashed because each delivery is signed with them. Both are replaced with fresh values on revocation.
  • Backups: daily snapshots with point-in-time recovery, retained 30 days. Restore tested quarterly.

Access controls

  • Least privilege. Engineers don’t have prod customer data access by default; access is granted just-in-time, audited, and time-bound.
  • MFA required on every internal system (Vercel, Neon, GitHub, custodian portals).
  • Offboarding revokes access within 24 hours; SCIM provisioning automates this for enterprise tenants.

Incident response

  • Detection. 24/7 alerting on error budgets, anomalous auth patterns, audit-log spikes.
  • Response. An on-call engineer acknowledges critical alerts within 15 minutes during business hours and within 1 hour off-hours.
  • Customer notification. If your data is affected, we notify you in line with our regulatory obligations and the contracted SLA. Cross-customer coordination on material incidents runs through security@advisorscrypto.com.

Regulatory audit trail

As an SEC-registered RIA, we maintain books and records per Rule 204-2. Agent platform activity — every guardrail decision, every attestation — is part of this record set and is retained for at least 7 years, which exceeds the five-year minimum that Rule 204-2(e) requires.

Sub-processors

A current list of sub-processors (Neon Postgres, Vercel, DigitalOcean droplet for the backend, Schwab, Gemini, etc.) is shared under NDA on request. Notification of new material sub-processors is sent to enterprise tenants 30 days in advance.

Contact

  • Security inquiries: security@advisorscrypto.com
  • Vulnerability disclosure: same address. We acknowledge reports within 48 hours and do not pursue legal action against good-faith research conducted under coordinated disclosure.
  • Compliance questionnaires: same address; 5-business-day SLA.

Last updated 2026-06-15