Trust
Security and compliance
Last updated · May 5, 2026
1. Our approach
We design and operate eInvestment Dashboard with security and privacy as default-on properties, not add-ons. Our goal is to be a service that financial professionals, founders, and individual investors can rely on to handle research data, watchlists, and (optionally) brokerage links with the same care they would expect from any trusted infrastructure provider.
2. Data protection
In transit
All connections between your browser, our application, our API, and our subprocessors are encrypted using TLS 1.2 or higher with modern cipher suites. HSTS is enabled on production domains.
At rest
Production databases use full-disk encryption. Sensitive credentials such as third-party API tokens and brokerage access tokens are stored separately from user-visible data and are encrypted with a separate key wrapped by our key-management service.
Backups
We take encrypted database backups daily and retain them for at least 30 days. Restorability is verified by automated restore tests on a recurring cadence.
Network
Our application services run inside a private network, with public traffic terminating at a hardened reverse proxy. We use firewall rules, DDoS protection, and rate limiting to limit abuse.
3. Access control
- Production access requires single sign-on with hardware-backed second factor.
- We follow the principle of least privilege: engineers receive only the access necessary for their role, and access is reviewed quarterly.
- All production database queries from staff are logged and audited.
- Code changes are reviewed by at least one engineer other than the author before deployment.
- Administrative actions in the platform are recorded in an internal audit log with actor, action, IP, and timestamp.
4. Subprocessors and DPAs
We work with a small set of well-known subprocessors to operate the Service. We require each to implement appropriate technical and organizational measures and to enter into a data-processing agreement that addresses GDPR, UK GDPR, and CCPA obligations. The current list of subprocessors is published in our Privacy Policy.
If you are an EEA, UK, or Swiss-based business customer, we are happy to sign a DPA. Please contact legal@einvestmentdashboard.com with your template or to request ours.
5. Incident response
We maintain a written incident-response plan covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting your data, we will notify affected customers without undue delay and in any event within the timelines required by applicable law.
You can report a suspected security incident to security@einvestmentdashboard.com at any time.
6. Vulnerability disclosure
We welcome reports from security researchers. If you believe you have found a security vulnerability in the Service, please email security@einvestmentdashboard.com with:
- A description of the issue and its impact.
- The steps required to reproduce.
- Any proof-of-concept code, screenshots, or logs (please do not share them publicly).
Please give us a reasonable opportunity to investigate and remediate before any public disclosure. We do not currently operate a paid bug-bounty program, but we will publicly credit researchers who request it (after the issue is resolved). We will not pursue legal action against good-faith researchers who comply with this policy.
7. Audits and certifications
We are working toward independent audit and certification of our security program. Our current status:
- SOC 2 Type II: in progress; targeted within the first 12 months of public availability.
- ISO/IEC 27001: we operate an ISMS aligned with ISO 27001 controls; certification roadmap to follow SOC 2.
- GDPR / UK GDPR: we operate as a controller for personal data we collect from end users and have implemented the Article 32 controls applicable to our processing.
- CCPA / CPRA: we honor the rights described in our Privacy Policy for California residents.
Customers under NDA can request a copy of our security questionnaire response, penetration-test summary, and (when available) SOC 2 report from legal@einvestmentdashboard.com.
8. Business continuity
We design for graceful degradation. Stateless components run with redundancy, background workers can be restarted without data loss, and our database supports point-in-time recovery. We aim for 99.9% monthly availability of the customer-facing API and publish known incidents on our status page.
9. Other compliance programs
- Payments: all card data is collected and processed by Stripe. We never see, store, or transmit raw card numbers; PCI scope is limited to redirect-based integration.
- Brokerage data (Plaid): when you opt in to brokerage linking, we receive read-only data via Plaid under their financial-data integration framework. We do not store your brokerage credentials.
- Marketing communications: we comply with CAN-SPAM and the EU ePrivacy Directive. Marketing emails always include an unsubscribe link; transactional email is sent only when needed to operate the Service.
10. Contact
For security questions, vendor risk reviews, or DPAs, contact legal@einvestmentdashboard.com. For suspected security issues, please use security@einvestmentdashboard.com.