Security
A compliance system of record has to be worthy of the name.
ETFcomply holds sensitive fund records and read-only access to your mailbox. Here is how that data is isolated, encrypted, and kept honest. We would rather describe exactly what we do today than claim a certification we have not earned.
Tenant isolation
Your firm, walled off
Every record is scoped to a single firm. Queries and role gates are checked per tenant, and the isolation is exercised by an automated test suite that runs against a live server.
Credential encryption
AES-256-GCM at rest
Administrator and email credentials are encrypted with AES-256-GCM. The plaintext of a connection secret is never stored and never leaves the boundary in the clear.
Email scopes
Read-only, nothing more
Gmail and Microsoft 365 connections request read-only scopes. ETFcomply reads and classifies documents; it cannot send, delete, or modify anything in your mailbox.
Records integrity
Append-only and hashed
The audit trail and compliance records are append-only and tamper-evident, enforced at the database. Every stored document carries a sha256 hash for integrity verification.
Document access
Signed-URL delivery
Documents are served through short-lived signed URLs rather than open links, so access to a stored file is scoped and time-bound.
Access model
Least privilege by seat
Owner, member, and read-only viewer seats keep the trust CCO or an auditor in a view-only posture while the working team retains full access.
On certifications
An honest word on where we are.
ETFcomply does not hold a SOC 2 report today. SOC 2 readiness is on the roadmap, and we will say so plainly rather than imply a certification we do not have. If your diligence needs a security questionnaire or a walkthrough of the controls above, we are glad to sit down and go through them in detail.
Nothing here is legal advice, and ETFcomply does not itself file with the SEC. It organizes, tracks, and prepares the record your compliance team owns.
Want the security detail?
We will walk your team through tenant isolation, encryption, and access controls, and answer a diligence questionnaire.