Enterprise-grade protection for your retirement plan data
All Systems Secure
Your data is protected with enterprise-grade security and never used for AI training.
API-First Architecture: Not a Chatbot
This application connects to enterprise AI APIs, not consumer chatbots like ChatGPT.com or Claude.ai. Your data is never used for training, never stored in shared conversation logs, and never reviewed by humans.
How Your Data is Protected
Your Data → TLS 1.3 → Cloudflare → AI Analysis → Auto-Delete
Core Security Features
Zero Training Guarantee
No AI provider uses your inputs or outputs to train models. Contractually guaranteed.
End-to-End Encryption
AES-256 at rest, TLS 1.3 in transit. Encrypted at every stage.
Minimal Retention
AI providers retain data 7-30 days max, then permanently delete.
No Human Review
Unlike consumer chatbots, your conversations are never reviewed by humans.
Compliance Certifications
SOC 2 Type II Certified
ISO 27001 Information Security
FINRA SEC 17a-4
HIPAA BAA Available
GDPR Compliant
CCPA Compliant
Tip: See the DOL Compliance tab for detailed responses to all 12 DOL Cybersecurity Best Practices requirements.
We use enterprise API tiers from the leading AI providers. Your data is never used for training and has strict retention limits.
Consumer Chatbot vs. Enterprise API

Security Aspect        | Consumer Chatbots               | Enterprise API (What We Use)
Training on your data  | ✗ May train on conversations    | ✓ NEVER trains on your data
Data retention         | ✗ Stored indefinitely           | ✓ 7-30 days max, then deleted
Human review           | ✗ May review for quality        | ✓ No human review of content
Privacy policies       | ✗ Consumer privacy terms        | ✓ Enterprise DPA / BAA available
Compliance             | ✗ Limited certifications        | ✓ SOC 2, ISO 27001, HIPAA-ready
Our AI Providers
Claude
Anthropic Claude
Claude Sonnet 4 API
SOC 2 Type II, ISO 27001, HIPAA
Zero Data Retention (ZDR) option
No training on API data, ever
30-day max retention
GPT
OpenAI GPT
GPT-4o / GPT-4 API
SOC 2 Type II, ISO 27001, ISO 27701
No training on API data by default
Data Processing Addendum (DPA)
Enterprise Key Management
Gemini
Google Gemini
Gemini 2.0 Flash API
SOC 1/2/3, ISO 27001, FedRAMP High
No training on customer data
ISO 42001 AI Management
HIPAA BAA available
Document Storage
Box
Enterprise-Grade Document Storage
When documents are stored, they reside in Box.com's secure cloud with automatic retention policies and encryption.
FINRA SEC 17a-4, SOC 1/2/3, ISO 27001, HIPAA, FedRAMP
How Your Data Flows
Understanding exactly what data is sent where gives you confidence in our security architecture.
Secure Processing Pipeline
Your Document (stays on device) → Browser (text extraction) → [encrypted] → Cloudflare (secure proxy) → [encrypted] → AI Analysis (no retention) → Results (to your browser)
What Data Is Sent
Text Content Only
Only extracted text is sent to AI providers. Original PDF/Excel files are never uploaded to external servers.
Encrypted in Transit
All data uses TLS 1.3 encryption between your browser and our servers, and between our servers and AI providers.
API Keys Protected
Your API keys are stored securely in Cloudflare Workers. They never touch your browser or frontend code.
Important: Original files are NOT uploaded. Only extracted text content is sent for analysis.
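The "secure proxy" hop described above, as an added example that is not the (k) Suite project's own code: a minimal Cloudflare Worker that reads the provider key from a Worker secret binding (assumed name AI_API_KEY, set with `wrangler secret put AI_API_KEY`), accepts only already-extracted text from the browser, and forwards it upstream. The upstream URL and request body shape are placeholders, not any real provider's API.

```javascript
// Added example, not the (k) Suite project's code; URL, secret name and body shape are assumed.
const UPSTREAM_URL = "https://ai-provider.invalid/v1/analyze"; // placeholder, not a real API
const MAX_TEXT_BYTES = 200 * 1024; // reject oversized payloads before they reach the provider

// Accept only already-extracted text from the browser. File-like content (data: URLs,
// extra fields) is refused, enforcing the "text content only" rule at the proxy.
function validateClientPayload(payload) {
  if (!payload || typeof payload !== "object") return "payload must be a JSON object";
  const allowed = new Set(["text", "task"]);
  for (const key of Object.keys(payload)) {
    if (!allowed.has(key)) return `unexpected field: ${key}`;
  }
  if (typeof payload.text !== "string" || payload.text.length === 0) return "text must be a non-empty string";
  if (new TextEncoder().encode(payload.text).length > MAX_TEXT_BYTES) return "text too large";
  if (/^data:[^,]*;base64,/.test(payload.text)) return "file uploads are not accepted";
  return null;
}

// The provider key is read from the Worker secret binding (env.AI_API_KEY, set with
// `wrangler secret put AI_API_KEY`) here and nowhere else; it never reaches the browser.
function buildUpstreamRequest(payload, env) {
  return new Request(UPSTREAM_URL, {
    method: "POST",
    headers: { authorization: `Bearer ${env.AI_API_KEY}`, "content-type": "application/json" },
    body: JSON.stringify({ input: payload.text, task: payload.task ?? "analyze" }),
  });
}

const worker = {
  // In a wrangler project this object is the `export default`; fetchImpl is injectable for offline tests.
  async fetch(request, env, ctx, fetchImpl = globalThis.fetch) {
    if (request.method !== "POST") return new Response("method not allowed", { status: 405 });
    let payload;
    try { payload = await request.json(); } catch { return new Response("invalid JSON", { status: 400 }); }
    const err = validateClientPayload(payload);
    if (err) return new Response(err, { status: 400 });
    const upstream = await fetchImpl(buildUpstreamRequest(payload, env));
    // Relay status and body only; upstream headers are not echoed to the browser.
    return new Response(await upstream.text(), { status: upstream.status, headers: { "content-type": "application/json" } });
  },
};
```

With `export default worker` in place, the browser posts `{ "text": "..." }` to the Worker's URL and never learns the provider key.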
Document Storage Security
Box
Enterprise-Grade Document Storage
When documents are stored (optional), they reside in Box.com's secure cloud with automatic retention policies, audit trails, and encryption at rest.
FINRA, SOC 1/2/3, ISO 27001, HIPAA, FedRAMP
AES-256 Encryption
All stored documents are encrypted at rest using AES-256 encryption with Box-managed keys.
Full Audit Trail
Every access, modification, and download is logged with timestamps and user identification.
FINRA SEC 17a-4
Compliant with financial services record-keeping requirements for broker-dealers and RIAs.
Storage is Optional
Many (k) Suite applications process data entirely in your browser without storing anything externally. When storage is needed (e.g., for prep packages or audit trails), Box.com provides enterprise-grade security. You control what gets stored.
Regulatory Compliance
ERISA
Designed for fiduciary compliance. Full audit trails document prudent processes. No PII leaves your control without explicit action.
FINRA / SEC
Box storage meets SEC 17a-4 requirements for record retention. Automated retention policies and legal holds supported.
DOL Cybersecurity
Aligned with DOL's cybersecurity guidance for plan fiduciaries. Encryption, access controls, and incident response documented.
GDPR
Data minimization by design. No unnecessary retention. Clear data processing purposes. DPA available from AI providers.
TPA Compliance Checklist
Security Controls Implemented
✓ No PII stored on external AI servers
✓ Encrypted data transmission (TLS 1.3)
✓ No AI training on plan data
✓ SOC 2 Type II certified providers
✓ Audit logging for all transactions
✓ Role-based access controls
Documentation: For fiduciary due diligence, SOC 2 reports are available under NDA from each provider's trust center.
Frequently Asked Questions
No. We use enterprise API tiers. All providers explicitly state that API data is NOT used to train models. Contractually guaranteed.
AI providers retain data for 7-30 days for abuse monitoring, then permanently delete. Anthropic offers Zero Data Retention.
No. Enterprise API data is NOT subject to human review. Only automated abuse detection processes the data.
PII is handled with extreme care. Census files are processed locally when possible. We never store SSNs. All PII in transit uses TLS 1.3.
Documents are processed locally in your browser. Only extracted text is sent; original files never leave your device.
Our infrastructure relies on SOC 2 Type II certified providers: Cloudflare, Anthropic, OpenAI, Google, and Box.com all maintain current certifications.
Anthropic: SOC 2 Type II, ISO 27001, HIPAA
OpenAI: SOC 2 Type II, ISO 27001/27017/27018/27701
Google: SOC 1/2/3, ISO 27001, FedRAMP High, HIPAA
Box: SOC 1/2/3, ISO 27001, FINRA SEC 17a-4, FedRAMP