AdvisorOS is designed from the ground up for Registered Investment Advisers (RIAs) operating under SEC and FINRA oversight. We understand that your client data is not just sensitive; it is subject to specific regulatory recordkeeping and privacy requirements. This page explains exactly how we protect it.
1. Data Encryption
All data within AdvisorOS is encrypted at every stage of its lifecycle.
At Rest
All stored data, including meeting recordings, transcripts, CRM notes, and audit logs, is encrypted using AES-256, the same standard used by financial institutions and government agencies.
In Transit
All data transmitted between your browser, our servers, and third-party integrations is protected by TLS 1.2 or higher. Unencrypted HTTP connections are rejected.
Payment Data
All billing is handled by Stripe, a PCI DSS Level 1 certified processor. AdvisorOS never stores, transmits, or has access to your full credit card numbers.
API Credentials
CRM integration tokens and API keys are stored encrypted at rest and are never exposed in logs, error messages, or support interfaces.
2. Access Controls
Access to your data is strictly limited, both within your firm and within AdvisorOS.
- Role-Based Access (RBAC): Within your AdvisorOS account, you control which team members can view, edit, or approve AI-generated content. No data is shared across firm accounts.
- Multi-Factor Authentication (MFA): MFA is enforced for all AdvisorOS internal personnel who have access to production systems.
- Least Privilege Principle: AdvisorOS employees are granted only the minimum level of system access required to perform their job functions. Access is reviewed and revoked when roles change.
- No Cross-Account Data Access: Your client data is logically isolated from all other AdvisorOS customers. No data is shared, pooled, or accessible across firm boundaries.
3. Immutable Audit Log
Every AI-assisted action taken within AdvisorOS is recorded in a tamper-proof audit log, a core feature designed to support your SEC Rule 204-2 (Books and Records) obligations.
- Every log entry records the timestamp, the action taken, the AI input, the AI output, and the advisor who reviewed and approved it.
- Audit logs cannot be edited or deleted: not by advisors, not by AdvisorOS staff.
- Logs are retained for the duration of your account and are available for export to support SEC examination requests.
The audit log is designed to demonstrate the "Human-in-the-Loop" review process required by your firm's compliance policies. Every AI-generated output that is approved and used is traceable to a specific advisor action.
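The page does not say how the audit log is made tamper-proof. As an added illustration (not AdvisorOS code), the block below shows one widely used way to make a log with exactly the fields listed above tamper-evident: each entry carries a SHA-256 hash over its own fields plus the previous entry's hash, so an edit, deletion or reordering after the fact breaks the chain and can be detected on export. Entry values and the advisor identifiers are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class AuditEntry:
    # Fields named on the page: timestamp, action, AI input, AI output, approving advisor.
    timestamp: str
    action: str
    ai_input: str
    ai_output: str
    approved_by: str
    prev_hash: str          # hash of the preceding entry (links the chain)
    entry_hash: str = ""    # SHA-256 over all other fields


def _digest(fields: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_entry(log, timestamp, action, ai_input, ai_output, approved_by):
    prev_hash = log[-1].entry_hash if log else GENESIS
    fields = dict(timestamp=timestamp, action=action, ai_input=ai_input,
                  ai_output=ai_output, approved_by=approved_by, prev_hash=prev_hash)
    log.append(AuditEntry(**fields, entry_hash=_digest(fields)))
    return log


def verify_chain(log):
    """Return (True, -1) if intact, else (False, index of first bad entry).
    Recomputes every hash and checks each entry links to its predecessor."""
    expected_prev = GENESIS
    for i, e in enumerate(log):
        fields = asdict(e)
        fields.pop("entry_hash")
        if e.prev_hash != expected_prev or _digest(fields) != e.entry_hash:
            return False, i
        expected_prev = e.entry_hash
    return True, -1


def build_sample_log():
    # Constructed sample: two AI-assisted actions reviewed by one advisor.
    log = []
    append_entry(log, "2024-01-15T14:02:11Z", "summarize_meeting",
                 "transcript: client asked about rebalancing",
                 "Client requested review of 60/40 allocation.", "advisor_jdoe")
    append_entry(log, "2024-01-15T14:05:40Z", "draft_followup_email",
                 "summary of entry 1", "Dear client, as discussed today ...", "advisor_jdoe")
    return log


def tampered_copy(log):
    # Simulate an after-the-fact change to who approved entry 0, without rehashing.
    bad = list(log)
    bad[0] = replace(bad[0], approved_by="advisor_other")
    return bad
```

Running `verify_chain` over an exported log is the check a compliance reviewer would perform; dropping the first entry (`log[1:]`) is also reported, because the surviving first entry no longer links to the genesis value.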
4. AI Data Isolation: No Training on Your Data
AdvisorOS will never use your client data, including recordings, transcripts, CRM notes, or generated outputs, to train, fine-tune, or improve any AI model.
AdvisorOS uses enterprise-grade API endpoints from Large Language Model providers (such as OpenAI and Anthropic). Our agreements with these providers include strict data processing terms:
- Your data is used only for inference, that is, generating the output you requested.
- LLM providers do not retain your data for model training under our enterprise agreements.
- No client PII, financial data, or meeting content is used to improve any shared or public AI model.
5. Infrastructure & Hosting
- Cloud Provider: AdvisorOS is hosted on enterprise-grade cloud infrastructure (AWS and/or Google Cloud) in the United States.
- Data Residency: All client data is stored and processed within the United States.
- Backups: Data is backed up regularly with point-in-time recovery capabilities to prevent data loss.
- Uptime: We target 99.9% uptime. Planned maintenance windows are communicated in advance via email and in-app notice.
6. Incident Response
In the event of a confirmed security incident that affects your data, AdvisorOS will:
- Notify affected customers by email within 72 hours of confirming the incident.
- Provide a clear description of what data was affected, the scope of the incident, and the steps taken to contain it.
- Work with you to assess whether the incident triggers any notification obligations under Regulation S-P or applicable state breach notification laws.
To report a suspected security vulnerability, contact us immediately at security@advisoros.com.
7. Your Responsibilities
Security is a shared responsibility. To maintain the integrity of your account and your clients' data, you are responsible for:
- Keeping your account credentials confidential and not sharing login access.
- Enabling MFA on your AdvisorOS account when available.
- Ensuring that team members who leave your firm have their AdvisorOS access revoked promptly.
- Obtaining the necessary client consents before uploading meeting recordings or transcripts that contain client PII.
- Reviewing all AI-generated outputs before approving them for use in client communications or compliance records.
8. Contact Security
For security-related questions, vulnerability disclosures, or to request a copy of our data processing agreement (DPA), contact our security team directly:
Email: admin@vividjourney.com
For general privacy questions, see our Privacy Policy. For terms of use, see our Terms of Service.