Schedule A — Security & Compliance
Compliance-first, not bolted on.
Wealth-management data — SSNs, account numbers, trust structures, beneficiaries — is the expected workload of this system, and the controls below are designed around it. The posture table is what we hand to procurement teams during evaluation.
Article I — Security & Compliance Posture
| Category | Detail |
|---|---|
| SOC 2 Type II | In progress (target: Q4 2026) — interim controls documented and available for review |
| Encryption at rest | AES-256-GCM via app-layer envelope (src/lib/crypto/envelope.ts), HKDF-derived per-record keys |
| Encryption in transit | TLS 1.3 enforced on all external hops; HSTS preload eligible |
| Data residency | United States — Supabase US-East |
| Sub-processors | Supabase, Vercel, Anthropic, OpenAI (gated), Resend |
| Training-data policy | We do not train external models on your data. ZDR (zero data retention) agreements in force with Anthropic and OpenAI |
| BAA available | On request for HIPAA-adjacent firms |
| Breach notification SLA | 72 hours from confirmation, to the firm's designated contact |
| Audit logs | Immutable, WORM-enforced per ADR-026 |
| RLS scope | Per-org isolation enforced at every read path |
| Consent gate | Per-org opt-in for third-party AI (ADR-012); fail-closed default |
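The encryption-at-rest row names an app-layer envelope with HKDF-derived per-record keys. The block below is an added illustration of that pattern written for this page; it is not the contents of src/lib/crypto/envelope.ts, and the root key, the HKDF info string, the envelope field layout, and the org and record identifiers are all assumptions. It shows the property a reviewer should look for: each record's key and its GCM authenticated data are bound to the org and record ids, so a ciphertext copied into another org's row, or edited in place, is refused rather than decrypted.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

// Constructed root key for this example only. In a deployment the root key lives
// in a KMS or secret store, never in the database beside the ciphertext.
const ROOT_KEY: Buffer = Buffer.from(
  "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
  "hex",
);

// Assumed envelope layout (hex-encoded so it can sit in a text/JSON column).
export interface Envelope {
  v: 1;         // format version, so a future root-key rotation can be versioned
  salt: string; // per-record HKDF salt
  iv: string;   // 96-bit GCM nonce, fresh per seal()
  tag: string;  // 128-bit GCM authentication tag
  ct: string;   // ciphertext
}

// Derive the per-record AES-256 key. The HKDF info string carries the org and
// record ids, so a key for one row is useless for any other row.
function recordKey(root: Buffer, salt: Buffer, orgId: string, recordId: string): Buffer {
  const info = `documentboost/envelope/v1|org:${orgId}|record:${recordId}`; // assumed label
  return Buffer.from(hkdfSync("sha256", root, salt, info, 32));
}

// Additional authenticated data: the same context, so tampering with either id
// fails the tag check before any plaintext is released.
function aad(orgId: string, recordId: string): Buffer {
  return Buffer.from(`${orgId}|${recordId}`, "utf8");
}

export function seal(plaintext: string, orgId: string, recordId: string, root: Buffer = ROOT_KEY): Envelope {
  const salt = randomBytes(32);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", recordKey(root, salt, orgId, recordId), iv);
  cipher.setAAD(aad(orgId, recordId));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString("hex"),
    iv: iv.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
    ct: ct.toString("hex"),
  };
}

export function unseal(env: Envelope, orgId: string, recordId: string, root: Buffer = ROOT_KEY): string {
  if (env.v !== 1) throw new Error(`unsupported envelope version ${env.v}`);
  const key = recordKey(root, Buffer.from(env.salt, "hex"), orgId, recordId);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(env.iv, "hex"));
  decipher.setAAD(aad(orgId, recordId));
  decipher.setAuthTag(Buffer.from(env.tag, "hex"));
  // final() throws on tag mismatch: wrong org, wrong record, or modified bytes.
  return Buffer.concat([decipher.update(Buffer.from(env.ct, "hex")), decipher.final()]).toString("utf8");
}

// True only when decryption is refused (fail-closed: nothing partial is returned).
export function unsealRefused(env: Envelope, orgId: string, recordId: string): boolean {
  try { unseal(env, orgId, recordId); return false; } catch { return true; }
}

// Walk through the three cases with a constructed record.
export function demo(): { roundTrip: boolean; crossOrgRefused: boolean; tamperRefused: boolean } {
  const ssn = "123-45-6789"; // constructed sample value, not real data
  const env = seal(ssn, "org-alpha", "household-42");
  const ct = Buffer.from(env.ct, "hex");
  ct[0] ^= 0x01; // flip one ciphertext bit
  const tampered: Envelope = { ...env, ct: ct.toString("hex") };
  return {
    roundTrip: unseal(env, "org-alpha", "household-42") === ssn,
    crossOrgRefused: unsealRefused(env, "org-beta", "household-42"),
    tamperRefused: unsealRefused(tampered, "org-alpha", "household-42"),
  };
}

console.log(demo());
```

Two details carry the security argument: the nonce is generated fresh for every seal() call rather than derived from the record id, because GCM fails catastrophically on nonce reuse under the same key; and the org and record ids appear both in the HKDF info and in the AAD, so an attacker who can write arbitrary bytes into another tenant's row still cannot get a valid decryption.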
Article II — Sub-Processors
The following sub-processors may handle firm data under the agreements referenced in Article I.
| Vendor | Purpose | Status |
|---|---|---|
| Supabase | Database, auth, storage | Required |
| Vercel | Application hosting, edge runtime | Required |
| Anthropic | AI inference (consent-gated) | Opt-in |
| OpenAI | AI inference (consent-gated, optional) | Opt-in |
| Resend | Transactional email (notifications, invites) | Required |
Article III — What You Can Ask Us For
Procurement, compliance, and InfoSec teams routinely request the following. Each is returned within one business day to a verified firm contact.
- § 3.01 Security Brief (PDF)
- § 3.02 Sample DPA
- § 3.03 Sub-processor list (this page)
- § 3.04 Penetration test summary
Article IV — Open Security Tests
The undersigned attests that
§ 4.01 DocumentBoost ships with 67 unit tests on the trust boundary — covering the third-party AI consent gate, anti-CSRF origin checks, application startup invariants, and notification fan-out authorization. These tests run on every commit; a failing trust test blocks the deploy.
§ 4.02 The full quality-gate test suite numbers in the hundreds and executes in under two seconds. Pass/fail counts are part of every release note.
Article V — Data Subject Rights
Households and individuals whose data is processed by DocumentBoost on behalf of a firm may exercise access, correction, and deletion rights through the firm. Firm-side admins can export and delete tenant data through the platform. Underlying records are retained only as required by SEC books-and-records rules.
Procurement teams: for the full vendor due-diligence packet, data-flow diagram, and sub-processor agreements, contact us.
Authorized Signature