Security & Trust Center

Enterprise-grade protection for your retirement plan data

Status: All Systems Secure

Your data is protected with enterprise-grade security and never used for AI training.

API-First Architecture: Not a Chatbot

This application connects to enterprise AI APIs, not consumer chatbots like ChatGPT.com or Claude.ai. Your data is never used for training, never stored in shared conversation logs, and never reviewed by humans.

How Your Data is Protected

Your Data → TLS 1.3 → Cloudflare → AI Analysis → Auto-Delete
Core Security Features

Zero Training Guarantee: No AI provider uses your inputs or outputs to train models. Contractually guaranteed.

Encryption In Transit and At Rest: AES-256 at rest, TLS 1.3 in transit. Each hop (browser to Cloudflare, Cloudflare to the AI provider) is its own TLS connection, so the request is decrypted at the Cloudflare proxy and again at the provider for processing. This is transport and storage encryption, not end-to-end encryption.

Minimal Retention: AI providers retain data 7-30 days at most, then permanently delete it.

No Human Review: Unlike consumer chatbots, your conversations are never reviewed by humans.
Compliance Certifications

These certifications are held by the AI and infrastructure providers we build on (see Our AI Providers and Document Storage below for which provider holds which).

SOC 2 Type II Certified
ISO 27001 Information Security
FINRA / SEC 17a-4
HIPAA BAA Available
GDPR Compliant
CCPA Compliant

Tip: See the DOL Compliance tab for detailed responses to all 12 DOL Cybersecurity Best Practices requirements.

The Department of Labor's EBSA released Cybersecurity Program Best Practices guidance in April 2021, updated September 2024. Below we address each of the 12 requirements.

DOL EBSA Cybersecurity Best Practices

"Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks."
(U.S. Department of Labor, EBSA)

The 12 DOL Requirements

1. DOL Requirement: Organizations should have a formal program that identifies and assesses cybersecurity risks.

Waivz.ai Response: All AI providers (Anthropic, OpenAI, Google) and infrastructure providers (Cloudflare, Box) maintain formal, documented cybersecurity programs with published security whitepapers and trust centers.

2. DOL Requirement: Conduct risk assessments to identify and prioritize information system risks.

Waivz.ai Response: Our AI providers conduct continuous risk assessments and publish annual SOC 2 reports documenting their risk management processes.

3. DOL Requirement: Have an independent auditor assess security controls.

Waivz.ai Response: All providers maintain current SOC 2 Type II certifications from independent auditors. Reports are available under NDA via each provider's trust center.

4. DOL Requirement: Cybersecurity must be managed at senior executive level (CISO).

Waivz.ai Response: Anthropic, OpenAI, and Google all employ dedicated CISOs and security teams with industry certifications.

5. DOL Requirement: Implement MFA, role-based access, and unique strong passwords.

Waivz.ai Response: Provider API keys are held server-side as encrypted Cloudflare Workers secrets and are never sent to the browser. All provider dashboards support MFA.

6. DOL Requirement: Cloud assets must be subject to security reviews and independent assessments.

Waivz.ai Response: All cloud providers maintain SOC 2 Type II and ISO 27001. Box.com is certified for FINRA / SEC 17a-4. Google holds FedRAMP High.

7. DOL Requirement: Conduct annual cybersecurity awareness training for all personnel.

Waivz.ai Response: All AI providers require annual security training. This Security Center serves as user education on data protection.

8. DOL Requirement: Implement a secure SDLC with penetration testing and code review.

Waivz.ai Response: AI providers conduct annual penetration tests and continuous code review, and maintain vulnerability management programs.

9. DOL Requirement: Maintain business resiliency with continuity and incident response plans.

Waivz.ai Response: All providers maintain documented incident response plans. Cloudflare provides global redundancy across 300+ data centers.

10. DOL Requirement: Implement encryption for data at rest and in transit.

Waivz.ai Response: In transit: TLS 1.3. At rest: AES-256 across all providers.

11. DOL Requirement: Implement firewalls, intrusion detection, antivirus, and patch management.

Waivz.ai Response: Cloudflare provides an enterprise WAF, DDoS protection, and bot management. All systems maintain current security patches.

12. DOL Requirement: When breaches occur, inform law enforcement, notify affected participants, and fix the problems.

Waivz.ai Response: All providers maintain documented breach response procedures with defined notification timelines.

Documentation: For fiduciary due diligence, SOC 2 reports are available under NDA from each provider's trust center.

We use enterprise API tiers from the leading AI providers. Your data is never used for training and has strict retention limits.

Consumer Chatbot vs. Enterprise API

Security aspect        | Consumer chatbots            | Enterprise API (what we use)
Training on your data  | May train on conversations   | Never trains on your data
Data retention         | Stored indefinitely          | 7-30 days max, then deleted
Human review           | May review for quality       | No human review of content
Privacy policies       | Consumer privacy terms       | Enterprise DPA / BAA available
Compliance             | Limited certifications       | SOC 2, ISO 27001, HIPAA-ready
Our AI Providers

Anthropic Claude (Claude Sonnet 4 API)
Certifications: SOC 2 Type II, ISO 27001, HIPAA
  • Zero Data Retention (ZDR) option
  • No training on API data, ever
  • 30-day max retention

OpenAI GPT (GPT-4o / GPT-4 API)
Certifications: SOC 2 Type II, ISO 27001, ISO 27701
  • No training on API data by default
  • Data Processing Addendum (DPA)
  • Enterprise Key Management

Google Gemini (Gemini 2.0 Flash API)
Certifications: SOC 1/2/3, ISO 27001, FedRAMP High
  • No training on customer data
  • ISO 42001 AI Management
  • HIPAA BAA available

Document Storage

Enterprise-Grade Document Storage

When documents are stored, they reside in Box.com's secure cloud with automatic retention policies and encryption.

Certifications: FINRA / SEC 17a-4, SOC 1/2/3, ISO 27001, HIPAA, FedRAMP

Understanding how your data moves through the system helps verify our security claims.

Secure Processing Pipeline

How Your Data Flows

Your Document (stays on device) → Browser (text extraction) →[TLS 1.3]→ Cloudflare (secure proxy) →[TLS 1.3]→ AI Analysis (no long-term retention) → Results (to your browser)

What Happens at Each Stage

1. Your Document: Files are processed locally in your browser. The original file never leaves your device.
2. Browser Processing: PDF parsing and text extraction happen entirely in your browser using JavaScript.
3. Cloudflare Workers: Your request passes through a Cloudflare Worker on Cloudflare's edge network, which attaches the provider API key from encrypted Workers secrets. The key is never sent to the browser.
4. AI Provider: The AI processes your request. Data is retained only 7-30 days for abuse monitoring.
5. Results: Analysis results return to your browser. You control what happens next.

Important: Original files are NOT uploaded for analysis. Only extracted text content is sent to the AI provider. Note that the local step removes the file container, not its contents: any personal data present in the document's text is part of what is transmitted, under TLS 1.3, to the provider.
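The proxy stage above, as an added example that is not Waivz.ai's own code: a Cloudflare-Worker-style handler in which the browser sends extracted text only, the Worker holds the provider key as a secret binding, masks SSNs at the edge, forwards the request, and neither logs nor caches anything. PROVIDER_URL, the AI_API_KEY binding name, ALLOWED_ORIGIN, MAX_BODY_BYTES and the `{ text }` request shape are assumptions for illustration, not details from the page.

```javascript
// Added example, not Waivz.ai's own code: a Worker-style proxy for the
// pipeline described above. Assumptions (not from the page): PROVIDER_URL,
// the AI_API_KEY binding name, ALLOWED_ORIGIN, MAX_BODY_BYTES, { text } body.

const PROVIDER_URL = "https://api.provider.invalid/v1/messages"; // assumed
const ALLOWED_ORIGIN = "https://app.example.invalid";            // assumed
const MAX_BODY_BYTES = 512 * 1024;                               // assumed

// Mask US SSNs written as 123-45-6789 or 123 45 6789 before the text leaves
// the edge. Returns the masked text plus a count so the caller can report
// "N values masked" without ever holding the originals.
function redactSsns(text) {
  let count = 0;
  const masked = text.replace(/\b\d{3}[- ]\d{2}[- ]\d{4}\b/g, () => {
    count += 1;
    return "[SSN-REDACTED]";
  });
  return { text: masked, count };
}

// Validate the inbound request before anything is forwarded: a same-origin
// POST carrying a bounded JSON body whose only payload is a `text` string.
// Returns { ok: true, text } or { ok: false, status, reason }.
function validateInbound(method, headers, rawBody) {
  if (method !== "POST") return { ok: false, status: 405, reason: "method" };
  if (headers.origin !== ALLOWED_ORIGIN) return { ok: false, status: 403, reason: "origin" };
  if (new TextEncoder().encode(rawBody).length > MAX_BODY_BYTES) {
    return { ok: false, status: 413, reason: "size" };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { ok: false, status: 400, reason: "json" };
  }
  if (parsed === null || typeof parsed.text !== "string") {
    return { ok: false, status: 400, reason: "shape" };
  }
  return { ok: true, text: parsed.text };
}

// Build the outbound provider call. The key comes only from env (a Worker
// secret binding set with `wrangler secret put`), never from the inbound
// request, and no client-supplied Authorization header is forwarded.
function buildProviderRequest(extractedText, env) {
  if (typeof env.AI_API_KEY !== "string" || env.AI_API_KEY.length === 0) {
    throw new Error("AI_API_KEY secret binding is missing");
  }
  const { text, count } = redactSsns(extractedText);
  return {
    url: PROVIDER_URL,
    init: {
      method: "POST",
      headers: {
        "content-type": "application/json",
        authorization: `Bearer ${env.AI_API_KEY}`,
      },
      body: JSON.stringify({ input: text }),
    },
    redactedCount: count,
  };
}

// Worker entry point; a real module would `export default worker`.
// Note what is absent: no console.log of the body, no KV/R2 write, no
// cache.put, and the provider response goes back with Cache-Control: no-store.
const worker = {
  async fetch(request, env) {
    const headers = Object.fromEntries(request.headers);
    const v = validateInbound(request.method, headers, await request.text());
    if (!v.ok) return new Response(v.reason, { status: v.status });
    const out = buildProviderRequest(v.text, env);
    const upstream = await fetch(out.url, out.init);
    return new Response(upstream.body, {
      status: upstream.status,
      headers: {
        "content-type": "application/json",
        "cache-control": "no-store",
        "x-ssn-redacted": String(out.redactedCount),
      },
    });
  },
};
```

The design point is what the handler does not do: the browser never sees the provider key, the Worker never persists or logs the text, and anything shaped like an SSN is masked before the provider receives it. The SSN pattern is deliberately narrow (dashed or spaced nine digits only) to avoid masking plan or account numbers.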
Frequently Asked Questions

Is my data used to train AI models?

No. We use enterprise API tiers. All providers explicitly state that API data is NOT used to train models. Contractually guaranteed.

How long do AI providers retain my data?

AI providers retain data for 7-30 days for abuse monitoring, then permanently delete it. Anthropic offers Zero Data Retention.

Is my data reviewed by humans?

No. Enterprise API data is NOT subject to human review. Only automated abuse detection processes the data.

How is personally identifiable information (PII) handled?

PII is handled with extreme care. Census files are processed locally when possible. We never store SSNs. All PII in transit uses TLS 1.3.

Are my documents uploaded?

Documents are processed locally in your browser. Only extracted text is sent; original files never leave your device.

Which security certifications do your providers hold?

Our infrastructure relies on SOC 2 Type II certified providers: Cloudflare, Anthropic, OpenAI, Google, and Box.com all maintain current certifications.

Anthropic: SOC 2 Type II, ISO 27001, HIPAA
OpenAI: SOC 2 Type II, ISO 27001/27017/27018/27701
Google: SOC 1/2/3, ISO 27001, FedRAMP High, HIPAA
Box: SOC 1/2/3, ISO 27001, FINRA SEC 17a-4, FedRAMP