Security

The technical answers your CCO and IT will ask.

WorkOS-backed authentication. US-based data residency. AES-256 at rest, TLS 1.3 in transit. SOC 2 Type 1 audit underway. Annual third-party penetration testing. This page is a reference document — not a sales page — kept current as posture changes.

Auth
WorkOS · SAML · SCIM · MFA
Hosting
AWS us-east-1, backups in us-west-2
Encryption
AES-256 at rest · TLS 1.3 in transit

Authentication

Identity is delegated to WorkOS.

WealthNavigator does not store passwords. The dashboard apps integrate WorkOS as the identity provider, which gives every customer SAML single sign-on, SCIM provisioning, and a hardened MFA path without us re-implementing any of it. If your firm uses Okta, Azure AD, Google Workspace, or any SAML-conformant IdP, sign-on is a configuration step on your side — not a custom integration.

Sessions are short-lived JWTs refreshed against the IdP. Access is scoped per role (advisor, ops, compliance, admin), and a revocation at the IdP takes effect at the next refresh, so it propagates within one refresh cycle.

SSO Provider

Live

WorkOS

SAML 2.0 conformant. Tested against Okta, Azure AD, Google Workspace, JumpCloud.

Provisioning

Live

SCIM 2.0

Just-in-time and directory-driven user provisioning, group sync, deactivation on offboard.

MFA

Live

Required for all human users

TOTP and WebAuthn. Enforced at the IdP — no bypass at the app layer.

Session Lifetime

Live

30 minutes idle · 12 hours absolute

Refresh tokens rotated on every use. Compromised refresh tokens invalidate the session family.
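The rotation and family-revocation behaviour described above, modelled as an added example (this is illustrative code, not WealthNavigator's or WorkOS's implementation). It assumes a server-side store that records every refresh token it has issued, groups them into a session family created at login, and applies the page's 30-minute idle and 12-hour absolute limits. A refresh token presented a second time after it has already been rotated away is the signal that a copy exists somewhere it should not, so the whole family is revoked and the event is written to an audit list for detection.

```python
import secrets
import time


class RefreshTokenStore:
    """Rotating refresh tokens with family-wide revocation on reuse.

    Hypothetical in-memory model; a real deployment would back this with a
    durable store shared by all API nodes.
    """

    def __init__(self, idle_lifetime=30 * 60, absolute_lifetime=12 * 3600, clock=time.time):
        self.idle_lifetime = idle_lifetime          # 30 minutes idle, as on this page
        self.absolute_lifetime = absolute_lifetime  # 12 hours absolute, as on this page
        self.clock = clock                          # injectable for testing
        self.tokens = {}    # token -> {"family": family_id, "used": bool}
        self.families = {}  # family_id -> {"created", "last_refresh", "revoked"}
        self.audit = []     # (event, family_id) tuples for the security log

    def issue(self):
        """Start a new session family at login and return its first refresh token."""
        family = secrets.token_urlsafe(16)
        now = self.clock()
        self.families[family] = {"created": now, "last_refresh": now, "revoked": False}
        self.audit.append(("session_start", family))
        return self._mint(family)

    def _mint(self, family):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"family": family, "used": False}
        return token

    def refresh(self, token):
        """Exchange a refresh token for a new one; return None when refused."""
        rec = self.tokens.get(token)
        if rec is None:
            self.audit.append(("unknown_token", None))
            return None
        family = rec["family"]
        fam = self.families[family]
        now = self.clock()
        if fam["revoked"]:
            self.audit.append(("refresh_after_revoke", family))
            return None
        if rec["used"]:
            # The token was already rotated away once: a replay means a copy is
            # in someone else's hands, so every token in the family dies.
            fam["revoked"] = True
            self.audit.append(("replay_detected", family))
            return None
        if now - fam["created"] > self.absolute_lifetime:
            fam["revoked"] = True
            self.audit.append(("absolute_expiry", family))
            return None
        if now - fam["last_refresh"] > self.idle_lifetime:
            fam["revoked"] = True
            self.audit.append(("idle_expiry", family))
            return None
        rec["used"] = True                 # the old token is single-use
        fam["last_refresh"] = now
        return self._mint(family)

    def revoke_family(self, token):
        """Kill a whole session family, e.g. on SCIM deactivation or admin revocation."""
        rec = self.tokens.get(token)
        if rec is None:
            return False
        self.families[rec["family"]]["revoked"] = True
        self.audit.append(("admin_revoke", rec["family"]))
        return True

    def family_active(self, token):
        rec = self.tokens.get(token)
        return rec is not None and not self.families[rec["family"]]["revoked"]


if __name__ == "__main__":
    store = RefreshTokenStore()
    first = store.issue()
    second = store.refresh(first)      # normal rotation
    stolen_copy_result = store.refresh(first)  # replay of the rotated token
    print("rotation ok:", second is not None)
    print("replay refused:", stolen_copy_result is None)
    print("family still active:", store.family_active(second))
    print("audit:", [event for event, _ in store.audit])
```

The `clock` parameter exists so the idle and absolute limits can be exercised without waiting; everything else is plain standard-library Python.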

Password Policy

Live

Delegated to your IdP

WealthNavigator does not store or set password rules — your IdP's policy is the source of truth.

Service Accounts

Live

Scoped API tokens

Per-token scopes, per-token rate limits, rotation API. No long-lived credentials in source.

Encryption · Data residency

All data encrypted at rest and in transit.

Customer data is stored in AWS us-east-1 (N. Virginia), with encrypted backups replicated to us-west-2 (Oregon). All data — primary database, object storage, message archives, search indices — is encrypted at rest with AES-256 using AWS KMS-managed keys. Each tenant's row-level data is logically separated; physical isolation is available on the RIA Team plan.

Network traffic terminates TLS 1.3 at the edge with TLS 1.2 as the minimum fallback. HSTS is enforced site-wide, and certificates rotate automatically through ACM. Internal service-to-service traffic runs over mTLS inside a private VPC.

At rest

Live

AES-256

AWS KMS-managed keys. Per-tenant DEKs wrapped by customer-region KEKs.

In transit

Live

TLS 1.3 (TLS 1.2 floor)

HSTS preload. Modern cipher suites only. Internal mTLS inside the VPC.

Primary region

Live

AWS us-east-1

N. Virginia. All customer-facing reads and writes terminate here.

Backup region

Live

AWS us-west-2

Oregon. Cross-region encrypted snapshots, daily, 30-day retention.

Key management

Live

AWS KMS · 90-day rotation

Master keys never leave KMS. Per-tenant DEKs rotate on access pattern, not on schedule.

Customer-managed keys

Live

Available on RIA Team

Bring-your-own-KMS for firms with custodial key requirements. Talk to us.

SOC 2 · Compliance posture

SOC 2 Type 1 audit underway. Type 2 to follow.

We are honest about where we are: SOC 2 Type 1 is in audit with a target report date of Q3 2026 (placeholder — confirm with sales for the current target). Type 2 observation begins immediately on Type 1 issuance and runs the standard 12-month window.

The Trust Services Criteria we are designed against from day one are Security, Availability, and Confidentiality. Processing Integrity and Privacy criteria are scheduled into the Type 2 scope. Our auditor is a registered CPA firm; the engagement letter is available under NDA.

If your firm requires evidence today (control matrix, policy index, vendor risk questionnaire), we share a security packet under NDA and answer SIG and CAIQ via security@wealthnavigator.com.

Penetration testing

Annual third-party tests. Plus on-major-release.

An independent firm performs a black-box and grey-box penetration test against the production environment annually. Any release that materially changes the auth surface, data model, or third-party integration boundary triggers an additional scoped test before general availability.

Findings are tracked in the same engineering issue tracker as functional defects, with severities mapped to a fixed-time SLA. We share the executive summary of the most recent test under NDA — raw reports remain with the auditor.

Cadence

Live

Annual + on-major-release

External firm. Production scope. Authenticated and unauthenticated paths.

Last test

Live

Q1 2026 (placeholder)

Confirm latest engagement date with your AE. Executive summary available under NDA.

Critical/High SLA

Live

Patch within 7 days

With a documented mitigation in place within 24 hours of confirmed reproduction.

Medium SLA

Live

Patch within 30 days

Or risk-accepted in writing by engineering leadership with a documented compensating control.

Continuous scanning

Live

SAST · SCA · DAST · IaC

Per-PR static, dependency, dynamic, and infrastructure-as-code scanning. Blocking on critical.

Bug bounty

In progress

Private programme

Invite-only via the disclosure address below. Public programme planned post Type 2.

Vulnerability disclosure

If you find something, tell us first.

Send security reports to security@wealthnavigator.com. We acknowledge within one business day and triage to a working severity within three. We will not pursue legal action against good-faith researchers who follow this disclosure path and avoid privacy violations, service degradation, or data exfiltration.

Encrypted reports: PGP key available at /.well-known/security.txt (placeholder — confirm the published path with your AE).

Acknowledgement
1 business day
Initial triage
3 business days
Status updates
Weekly while open
Coordinated disclosure
90 days · negotiable on impact

Backup · Disaster recovery

Recoverable to a known point. Tested every quarter.

Primary database backups are encrypted, taken continuously via point-in-time recovery, and replicated cross-region every six hours. Object storage (message bodies, attachments, archive exports) is replicated cross-region within minutes of write. Restore drills are executed against a clean account once per quarter; the most recent successful drill date is in the SOC 2 packet.

Catastrophic-region failover is a manual runbook today, not an automatic event. The targets below assume that runbook executes; we do not advertise five-nines we cannot evidence.

RPO

Live

1 hour

Recovery Point Objective. Point-in-time restore granularity is 5 minutes; the conservative SLA is 1 hour.

RTO

Live

4 hours

Recovery Time Objective. Single-region failure scenario, manual runbook execution by on-call.

Backup retention

Live

30 days rolling

Daily snapshots retained 30 days. Weekly snapshots retained 90 days. Annual archive on request.

Backup encryption

Live

AES-256 · KMS

Backup encryption keys distinct from production data keys. Cross-region snapshots re-wrapped per region.

Restore drill cadence

Live

Quarterly

Full restore to an isolated AWS account, integrity-checked against application invariants.

Multi-region failover

In progress

Manual runbook

Documented in the on-call playbook. Automatic failover is on the roadmap; not promised today.

HTTP security headers

What we send on every response.

Verifiable from any HTTPS client: run curl -I https://app.wealthnavigator.com against the dashboard (a HEAD request, which returns only the response headers) to confirm.

Strict-Transport-Security
max-age=63072000; includeSubDomains; preload
HSTS preload. Two-year max-age with subdomain coverage.
Content-Security-Policy
default-src 'self'; script-src 'self' 'nonce-…'; …
Nonce-based CSP. Inline scripts and styles are nonce-locked per request.
X-Frame-Options
DENY
No framing. CSP frame-ancestors duplicates the protection for modern UAs.
X-Content-Type-Options
nosniff
Disables MIME sniffing on all responses.
Referrer-Policy
strict-origin-when-cross-origin
Internal navigation keeps full path; external requests strip path and query.
Permissions-Policy
camera=(), microphone=(), geolocation=(), payment=()
All sensitive capabilities denied. No surprise prompts.
Cross-Origin-Opener-Policy
same-origin
Severs the window.opener link to cross-origin pages, giving the application its own browsing context group so the browser can process-isolate it.
Cross-Origin-Resource-Policy
same-site
Blocks cross-site embedding (no-cors loads) of authenticated responses; same-site subdomains are still permitted.
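A small checker that turns the header list above into an automated check, as an added example rather than anything WealthNavigator publishes. It encodes the policy exactly as stated on this page (two-year HSTS with subdomains and preload, nonce-based CSP with no 'unsafe-inline' on scripts or styles, DENY framing, nosniff, the stated Referrer-Policy, the four denied Permissions-Policy features, COOP same-origin, CORP same-site) and reports anything missing or weaker. The two sample header sets are constructed, including the nonce value; nothing here was captured from the live service. Running the script with a URL argument performs the same HEAD request as curl -I and checks the real response.

```python
import re
import urllib.request

# Policy values taken from the header list on this page.
HSTS_MIN_MAX_AGE = 63072000  # two years
DENIED_FEATURES = {"camera", "microphone", "geolocation", "payment"}


def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        return False
    low = value.lower()
    return "includesubdomains" in low and "preload" in low


def _parse_csp(value):
    """Split a CSP string into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _csp_ok(value):
    d = _parse_csp(value)
    if d.get("default-src") != ["'self'"]:
        return False
    # Inline scripts and styles must be nonce-locked, never 'unsafe-inline'.
    for directive in ("script-src", "style-src"):
        sources = d.get(directive, d["default-src"])
        if "'unsafe-inline'" in sources or not any(s.startswith("'nonce-") for s in sources):
            return False
    return True


def _permissions_ok(value):
    allowlist = {}
    for part in value.split(","):
        name, _, allow = part.strip().partition("=")
        allowlist[name.strip()] = allow.strip()
    return all(allowlist.get(f) == "()" for f in DENIED_FEATURES)


def _equals(expected):
    return lambda v: v.strip().lower() == expected


CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-frame-options": lambda v: v.strip().upper() == "DENY",
    "x-content-type-options": _equals("nosniff"),
    "referrer-policy": _equals("strict-origin-when-cross-origin"),
    "permissions-policy": _permissions_ok,
    "cross-origin-opener-policy": _equals("same-origin"),
    "cross-origin-resource-policy": _equals("same-site"),
}


def check_security_headers(headers):
    """Return sorted findings; an empty list means every header matches the policy."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in CHECKS.items():
        if name not in lower:
            findings.append(f"missing: {name}")
        elif not ok(lower[name]):
            findings.append(f"weak: {name} = {lower[name]}")
    return sorted(findings)


def fetch_headers(url):
    """HEAD request, the same thing curl -I does; only touches the network when called."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from the real service).
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; style-src 'self' 'nonce-r4nd0m'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-site",
}
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    import sys
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_RESPONSE
    for line in check_security_headers(hdrs) or ["all headers match policy"]:
        print(line)
```

Header names are compared case-insensitively, as HTTP requires, and the CSP check falls back to default-src when script-src or style-src is absent, which is how browsers resolve those directives.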

Subprocessors

A short, named list. Reviewed quarterly.

We keep the subprocessor list short by design. Each entry is reviewed quarterly for SOC 2 / ISO certification, contractual data-protection terms, and necessity. The principal subprocessors below cover the common questions; the full list with addresses, certifications, and DPA links is maintained on the dedicated subprocessor page (placeholder route — page in build).

Material changes are announced 30 days in advance via email to the security contact on file. Customers may object in writing; objections trigger a reasonable-effort accommodation discussion before the change is enforced.

Provider · Purpose · Region
Amazon Web Services · Compute, storage, KMS · us-east-1 / us-west-2
WorkOS · Identity, SSO, SCIM · United States
Stripe · Subscription billing · United States
Postmark · Transactional email · United States

View the full subprocessor list →

FAQ

The rest of the technical questions.

Where is customer data stored?

Primary storage is AWS us-east-1 (N. Virginia, United States). Encrypted backups replicate to AWS us-west-2 (Oregon, United States). No customer data is processed or stored outside the United States. Data residency in other AWS regions is on the roadmap for the RIA Team plan; ask your AE for the current target.

Who at WealthNavigator can see my data?

Production data access is restricted to a small on-call rotation (currently fewer than ten engineers) and is granted just-in-time via short-lived, audited credentials. Every production query is logged with operator, query text, and rows touched. Customer support agents do not have direct database access; they operate through scoped admin tooling that records every action.

What happens if you receive a subpoena or law-enforcement request?

We require a valid US legal process (subpoena, court order, or warrant scoped to the requested data) before disclosing customer content. Where lawful, we notify the affected customer before disclosure so the customer may move to quash. Aggregate, non-identifying transparency numbers are published annually starting with the SOC 2 Type 1 report cycle.

How do I delete my data?

On contract termination, customer-controlled data is purged from primary storage within 30 days and from encrypted backups on the regular 30/90-day rotation. A signed deletion certification is provided on request. For mid-contract per-record deletions (right-to-be-forgotten requests), the SLA is 30 days from a verified request to security@wealthnavigator.com.

Are you HIPAA compliant?

No — and we will not pretend otherwise. WealthNavigator is a wealth-advisor outreach and CRM platform. We are not a covered entity, do not knowingly accept Protected Health Information, and do not sign Business Associate Agreements. If your firm runs a healthcare-related practice, this is not the right tool.

When will SOC 2 be complete?

SOC 2 Type 1 audit is in progress with a target report date of Q3 2026 (placeholder — confirm current target with your AE). Type 2 observation begins immediately on Type 1 issuance and runs the standard 12-month window. Until the report is final, we share a security packet under NDA covering the same control matrix the auditor reviews.

How do you handle GDPR / EU data subjects?

A Data Processing Addendum (DPA) is available and references Standard Contractual Clauses for any EU subject data that flows to US-resident infrastructure. We are not a controller — the advisor and the advisor's firm hold that role for client communications stored in the platform. Subject access, rectification, and erasure requests are routed to the advisor with our cooperation.

Book a walkthrough

Bringing this to your CCO?

A 20-minute walkthrough covers the architecture diagram, the security packet contents, and the questions on your specific compliance checklist. We can have your security lead on the call.

Calendar pending setup

The booking widget loads here once PUBLIC_BOOKING_PUBLIC_ID and PUBLIC_BOOKING_BASE_URL are set in .env. In the meantime, write to us directly.

Email us instead