ETFcomply

Security

A compliance system of record has to be worthy of the name.

ETFcomply holds sensitive fund records and read-only access to your mailbox. Here is how that data is isolated, encrypted, and kept honest. We would rather describe exactly what we do today than claim a certification we have not earned.

Tenant isolation

Your firm, walled off

Every record is scoped to a single firm. Queries and role gates are checked per tenant, and the isolation is exercised by an automated test suite that runs against a live server.

Credential encryption

AES-256-GCM at rest

Administrator and email credentials are encrypted with AES-256-GCM. The plaintext of a connection secret is never stored and never leaves the boundary in the clear.

Email scopes

Read-only, nothing more

Gmail and Microsoft 365 connections request read-only scopes. ETFcomply reads and classifies documents; it cannot send, delete, or modify anything in your mailbox.

Records integrity

Append-only and hashed

The audit trail and compliance records are append-only and tamper-evident, enforced at the database. Every stored document carries a sha256 hash for integrity verification.

Document access

Signed-URL delivery

Documents are served through short-lived signed URLs rather than open links, so access to a stored file is scoped and time-bound.

Access model

Least privilege by seat

Owner, member, and read-only viewer seats keep the trust CCO or an auditor in a view-only posture while the working team retains full access.

On certifications

An honest word on where we are.

ETFcomply does not hold a SOC 2 report today. SOC 2 readiness is on the roadmap, and we will say so plainly rather than imply a certification we do not have. If your diligence needs a security questionnaire or a walkthrough of the controls above, we are glad to sit down and go through them in detail.

Nothing here is legal advice, and ETFcomply does not itself file with the SEC. It organizes, tracks, and prepares the record your compliance team owns.

Want the security detail?

We will walk your team through tenant isolation, encryption, and access controls, and answer a diligence questionnaire.

Request accessaccess@etfcomply.com