Security
How we protect client data and why it matters.
Protocol Wealth is an SEC-registered investment adviser handling non-public personal information for ultra-high-net-worth families. The security posture described below is the baseline, not the ceiling — we treat every system we build as if client data depends on it, because it does.
Principles
Our security principles
Assume every vendor is external, even the ones we trust.
Client data is minimized, redacted, or tokenized before being routed to any third-party system, including AI model providers. Vendors don't get raw client information — they get whatever minimum is required to perform the requested task.
Client data isolation is architectural, not procedural.
Our systems enforce per-client separation at the database level, not just in application code. A query written by our engineers against the wrong tenant context fails at the database boundary before it can return data.
Every action leaves a record.
Advisor activity, system access, AI-generated analyses, and client-facing outputs are logged with timestamp, user, and context. These records are retained for the period required by SEC Rule 204-2 (five years) and are available for examination on request.
Encryption is the default state, not an option.
All client data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher; TLS 1.3 where supported by the client). We are building toward field-level encryption for sensitive identifiers and tokens, with keys managed separately from infrastructure credentials.
Vendors
The stack
Our infrastructure uses the following vendors. Each is subject to a data-protection agreement and is selected for compatibility with our obligations under SEC Rule 204-2 and Regulation S-P.
Cloudflare
DNS, content delivery, edge security, and distributed object storage (R2). Protects against network-layer attacks and handles ingress for our platform.
Fly.io
Application hosting and compute. Runs the services that make up our platform with per-region isolation.
Neon
PostgreSQL database with per-tenant isolation. Houses client investment data, audit logs, and advisory records. Operated under Neon's SOC 2 Type II service plan.
Upstash
Redis caching and queuing infrastructure for platform operations.
Google Workspace
Email, document storage, and identity (Google SSO with MFA enforced on all advisor accounts). Google Vault retains advisor email and document history consistent with our retention schedule.
Postmark
Transactional email delivery for assessment results, client notifications, and operational alerts. Messages are sent over TLS and archived consistent with retention requirements.
Hadrius
Compliance-AI archive for social media, marketing communications, and other advertising records required under Marketing Rule 206(4)-1 and Rule 204-2.
Anthropic
Primary AI model provider (Claude family). Client non-public personal information is redacted or tokenized before routing to this vendor. A Business Associate Agreement is in progress, and our architecture preserves the ability to fall back to open-source models for sensitive workflows.
All vendors listed are US-based with data residency in US regions. We are not currently handling protected health information (PHI); our infrastructure is designed so that formal Business Associate Agreements can be executed as that capability is added to the practice.
Access
Advisor authentication and access
Advisor access to client data requires:
- Google SSO with enforced multi-factor authentication; advisor accounts must use strong authentication
- Role-based access control scoped to specific client relationships
- Session timeout on inactivity
- Device attestation for infrastructure access
Access events are logged and retained consistent with our SEC Rule 204-2 obligations. Privileged actions (changes to client records, vendor API key access, audit log review) require additional authentication.
AI Governance
AI-specific protections
Where client data is routed to AI models for analysis, our platform applies PII redaction before the external call. Named identifiers (names, account numbers, addresses, dollar amounts) are tokenized; responses are rehydrated with original data only after returning to our controlled infrastructure. The architecture is documented in our Privacy Policy's AI Services section and at pwos.app/systems.
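The following Python sketch is an added illustration of the tokenize-then-rehydrate flow described above; it is not Protocol Wealth's code, and the token format, identifier classes, leak check and sample client record are constructed assumptions.

```python
import re

# Dollar amounts are matched by pattern; names, account numbers and addresses are
# taken from the client record the platform already holds (assumed approach).
AMOUNT_RE = re.compile(r"\$\d[\d,]*(?:\.\d{2})?")
TOKEN_RE = re.compile(r"<[A-Z]+_\d+>")


def tokenize(text, known):
    """Replace known identifiers and dollar amounts with opaque tokens.

    `known` maps a class label (NAME, ACCT, ADDR) to literal values from the client
    record. Returns (redacted_text, mapping); mapping is token -> original value and
    must never leave controlled infrastructure. Only redacted_text goes to the vendor.
    """
    mapping = {}   # token -> original value
    seen = {}      # (label, value) -> token, so repeated mentions share one token

    def token_for(label, value):
        key = (label, value)
        if key not in seen:
            n = sum(1 for lbl, _ in seen if lbl == label) + 1
            seen[key] = f"<{label}_{n}>"
            mapping[seen[key]] = value
        return seen[key]

    for label, values in known.items():
        # Longest values first so a full address is replaced before a fragment of it.
        for value in sorted(values, key=len, reverse=True):
            if value and value in text:
                text = text.replace(value, token_for(label, value))
    text = AMOUNT_RE.sub(lambda m: token_for("AMOUNT", m.group(0)), text)
    return text, mapping


def assert_no_leak(redacted, known):
    """Guard run before the external call: no raw known value or amount may survive."""
    leaked = [v for vals in known.values() for v in vals if v and v in redacted]
    if leaked or AMOUNT_RE.search(redacted):
        raise ValueError(f"redaction incomplete: {leaked or 'dollar amount present'}")
    return True


def rehydrate(response, mapping):
    """Swap tokens back to real values once the response is inside our infrastructure.

    A token the model invented (absent from mapping) is left as-is, so a hallucinated
    identifier is never silently rendered as client data.
    """
    return TOKEN_RE.sub(lambda m: mapping.get(m.group(0), m.group(0)), response)


if __name__ == "__main__":
    # Constructed sample: fictional client record and analysis prompt.
    known = {"NAME": ["Jane Doe"], "ACCT": ["48213390"], "ADDR": ["12 Harbor Lane"]}
    prompt = ("Jane Doe (acct 48213390, 12 Harbor Lane) moved $1,250,000.00 into munis; "
              "Jane Doe asked whether to add $40,000 more.")
    redacted, mapping = tokenize(prompt, known)
    assert_no_leak(redacted, known)
    reply = "<NAME_1> could add <AMOUNT_2> on top of <AMOUNT_1>; ignore <ACCT_9>."
    print(redacted)
    print(rehydrate(reply, mapping))
```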
We do not use AI to execute trades, open accounts, or modify client positions. AI is additive, not a replacement — a co-intelligence layer that supports advisor judgment. Every AI-generated artifact that would be surfaced to a client passes through Chief Compliance Officer review before release.
Contact
What to do if you have a security concern
If you suspect unauthorized access to your account
Contact your advisor immediately and email security@protocolwealthllc.com.
If you've found a potential security issue with our platform
Email security@protocolwealthllc.com. We aim to acknowledge reports within 48 hours and respond substantively within 5 business days, consistent with our obligations as an SEC-registered investment adviser.
If you're a security researcher
Our responsible disclosure policy is published at github.com/Protocol-Wealth in each repository's SECURITY.md.
Last updated: April 28, 2026. Protocol Wealth LLC is an SEC-registered investment adviser (CRD #335298). Our full regulatory disclosures are in our Form ADV Part 2A and 2B.
Registration with the SEC does not imply a certain level of skill or training. This page describes the baseline controls in place as of the date above and is provided for informational purposes; it does not create additional contractual obligations beyond those set out in our advisory agreements, Privacy Policy, and Terms of Service.
Response-time targets (48 hours for acknowledgement, 5 business days for substantive response) are internal service goals, not guarantees. Legally required notifications — including breach notifications under Regulation S-P — follow the deadlines set by the applicable rule.