Security & Compliance

Built for the obligations of a fiduciary.

RIAs operate under strict recordkeeping requirements. We designed Advisorbriefs with those obligations in mind from day one — not as an afterthought.

Our Approach

Security is not a feature. It's the foundation.

Every independent RIA who adopts a new technology tool is making a compliance decision, not just a productivity one. The documentation you create with Advisorbriefs is subject to the same recordkeeping requirements as anything else in your practice records. We take that seriously.

Data Handling

How we handle your data

Encryption at Rest

All stored data — meeting notes, transcripts, client records — is encrypted using AES-256. Keys are managed separately from data stores and rotated periodically.

AES-256-GCM at rest

Encryption in Transit

All data in transit between your device, our servers, and CRM integrations uses TLS 1.3. We enforce HSTS and reject older protocol versions.

TLS 1.3 minimum, HSTS enforced

Audio Deletion Policy

Meeting audio is processed in an isolated compute environment. The audio file is deleted immediately after transcription is complete. We do not retain audio recordings.

Audio deleted post-transcription

Data Residency

All data is stored and processed in US-based infrastructure. No client data is transferred to non-US jurisdictions. Storage is in US-East regions on AWS.

US data residency — AWS US-East

Compliance Architecture

Designed to support your recordkeeping obligations.

We do not make regulatory compliance claims on your behalf. What we do is build the infrastructure that supports the documentation practices your compliance program requires. Here is what that looks like in practice.

SEC Rule 17a-4 Recordkeeping

Notes generated by Advisorbriefs include the metadata elements — date, time, attendees, material disclosures discussed — that adviser records are expected to capture. Built with SEC Rule 17a-4 recordkeeping requirements in mind.

FINRA Rule 4511 Alignment

Advisorbriefs' note structure and audit trail architecture are designed with FINRA Rule 4511 recordkeeping requirements in mind. Notes are immutable post-creation; edits create versioned history, not overwrites.

Audit Trail

Every note carries an immutable creation record: timestamp, session ID, advisor user, attendee list, and meeting duration. Any subsequent edit creates a versioned history entry — original plus all revisions are preserved.

Adviser Custody Records

Designed to support adviser custody record requirements. Client interaction records include all fields typically required for an examination request response — organized and retrievable by client, date, and advisor.

Compliance language note: Advisorbriefs is designed to support compliance with SEC and FINRA recordkeeping requirements. We do not represent that use of Advisorbriefs constitutes compliance with any specific regulation. RIAs should evaluate tool adoption decisions with their own compliance counsel.

SOC 2 Roadmap

SOC 2 Type II audit in progress.

We are currently implementing the controls required for SOC 2 Type II certification. Our audit is scheduled for Q4 2026. We will publish the report for review by any prospect or client who requests it.

In the meantime, we are happy to walk through our current control implementation with any advisor who wants a detailed security review before adopting the platform.

Request a security walkthrough

Access Controls

Who can see what

Role-Based Access

Each user in a practice account has a defined role. Advisors see their own meeting notes; practice principals can view all notes across the practice. Roles are configured during onboarding.

Audit Log

Every login, note creation, edit, and sync action is logged with user identity, timestamp, and action type. Audit logs are read-only and available for export on request.
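To make the "Audit Trail" and "Audit Log" models above concrete, here is an added illustration (not Advisorbriefs code) of a note whose creation record is frozen, whose edits append revisions instead of overwriting, and whose actions land in an append-only log. Class and field names, and the action labels, are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical model of the audit-trail design described on this page.
# Names and fields are illustrative assumptions, not the product's schema.


@dataclass(frozen=True)
class CreationRecord:
    """Metadata fixed at creation; frozen so it cannot be altered later."""
    note_id: str
    created_at: str        # ISO-8601 UTC timestamp
    session_id: str
    advisor: str
    attendees: tuple       # tuple, not list, so the record is truly immutable
    duration_minutes: int


@dataclass(frozen=True)
class Revision:
    number: int
    edited_at: str
    editor: str
    body: str


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class AuditLog:
    """Append-only: entries are recorded with user, timestamp and action type."""
    def __init__(self):
        self._entries = []

    def record(self, user: str, action: str, target: str = "") -> None:
        self._entries.append((utc_now(), user, action, target))

    def entries(self) -> tuple:
        return tuple(self._entries)   # callers get a read-only view


class VersionedNote:
    """Edits append a revision; revision 1 (the original) is always preserved."""
    def __init__(self, record: CreationRecord, body: str, log: AuditLog):
        self.record = record
        self._revisions = [Revision(1, record.created_at, record.advisor, body)]
        self._log = log
        log.record(record.advisor, "note.create", record.note_id)

    def edit(self, editor: str, new_body: str) -> Revision:
        rev = Revision(len(self._revisions) + 1, utc_now(), editor, new_body)
        self._revisions.append(rev)
        self._log.record(editor, "note.edit", f"{self.record.note_id}#v{rev.number}")
        return rev

    def current(self) -> str:
        return self._revisions[-1].body

    def history(self) -> tuple:
        return tuple(self._revisions)
```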

SSO (Roadmap)

SAML-based SSO integration is on the roadmap for Q1 2027. Currently, authentication is via email + password with mandatory MFA. Password resets go through your registered email.

Multi-Factor Authentication

MFA is mandatory for all Advisorbriefs accounts. We support TOTP apps (Google Authenticator, Authy) and SMS backup. Session tokens expire after 8 hours of inactivity.

Responsible Disclosure

Found a vulnerability?

If you have found a potential security issue in Advisorbriefs, please contact us at [email protected]. Please include a description of the issue, steps to reproduce, and the potential impact. We will respond within 48 hours.

We ask that you not publicly disclose a vulnerability until we have had a reasonable opportunity to investigate and address it. We do not currently offer a bug bounty program, but we take every submission seriously and will acknowledge your contribution.

Questions about our security posture?

Talk to our team. We are happy to walk through our data handling, access controls, and compliance architecture in detail before you decide to adopt.

Talk to our team