Security & Trust

Your clients' data deserves institutional-grade protection.

AdvisorIQ protects your data with firm-level isolation, end-to-end encryption, comprehensive audit logging, and zero use of your data for AI training.

AES-256 Encryption · Signed Document URLs · Zero AI Training · Firm-Level Isolation

Security architecture

Defense in depth, not a single lock

Multiple independent layers of protection ensure that no single point of failure can compromise your data.

Authentication & Access

Multi-layer identity verification with role-based access control ensures only authorized advisors reach their data.

  • JWT authentication via Supabase Auth
  • Email verification required for all accounts
  • Role-based access control (Admin / Advisor)
  • Session validation on every API request

Data Isolation & Encryption

Every query is scoped to your firm. Encryption protects data at rest and in transit across every layer.

  • Firm-level isolation on every API endpoint
  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Signed document URLs with 20-minute expiration

Audit & Compliance

Timestamped records of every interaction — designed for transparency and accountability.

  • Timestamped audit logs for all AI queries and responses
  • Activity history scoped per firm
  • Breach notification commitment documented in our Privacy Policy

Infrastructure partners

Built on a certified foundation

We chose our technology partners for their security track record. Core infrastructure components are backed by independently audited, certified providers.

Google Cloud Platform

Document Storage

SOC 2 Type II · ISO 27001

Client documents are stored and served from Google Cloud Storage with managed encryption and global compliance certifications.

Supabase

Authentication & Identity

SOC 2 Type II

Handles user authentication, JWT token issuance, and email verification with enterprise-grade security practices.

Paddle

Payment Processing

PCI DSS Level 1

All payment processing is handled by Paddle. We never store, process, or transmit credit card data.

Anthropic

AI Provider

SOC 2 Type II · No Data Training

AI queries are processed in real-time. Your data is never used to train, fine-tune, or improve AI models.

In practice

The details matter

How we protect your data at every layer of the stack — from API requests to document storage.

Firm-Level Data Isolation

Every API query is scoped to your firm. Advisor A cannot see Advisor B's data, even within the same database. This isolation is enforced at the application layer on every single endpoint — not as an afterthought, but as a foundational architecture decision.

  • Every database query filters by firm_id
  • Document access restricted to your firm
  • Activity logs scoped per firm
  • No shared data surfaces between tenants

100% endpoint coverage

Encryption at Every Layer

Your data is encrypted both in transit and at rest. Documents are never publicly accessible — every download requires a cryptographically signed URL that expires in minutes, not hours.

  • TLS 1.3 for all data in transit
  • AES-256 encryption for all data at rest
  • Signed document URLs with 20-minute TTL
  • No raw credentials stored in application logs

AES-256 encryption standard

Comprehensive Audit Trail

Every query, every response, every citation is timestamped and stored. Designed to support your firm's compliance and record-keeping needs.

  • Timestamped records of all AI queries and responses
  • Activity logs scoped per firm for review
  • Citation tracking tied to source documents
  • Application-level write-only logging for query history

Every query logged

AI Data Handling

Your data is never used to train AI models. Queries are processed in real-time and are not retained by AI providers. Payment data never touches our servers.

  • Zero data used for AI model training
  • Real-time processing, no provider retention
  • No credit card data stored (Paddle handles payments)
  • HMAC-verified webhook security for billing events

Zero data used for training
