Verifiable Proof
Don't take our word for it.
Most of what a firm says about its technology and its controls has to be taken on faith. These claims do not. Each item below is something you can check against an outside source — the public npm registry, a live server, the open-source code, the USPTO, or our own regulatory pages.
"Verify, don't trust" is the organizing idea behind how Protocol Wealth publishes its work. Where a claim can be made checkable, we make it checkable and link to where you can check it. Where something is aspirational or not yet true, we say so on this page rather than imply otherwise.
Nothing here is a performance claim or a projection about investment results. It is a description of the firm's systems and posture, with the source you can inspect for each one.
The open system
The substrate is published and running. You can inspect it or call it yourself.
Open-source packages on npm
Packages published under the @protocolwealthos scope live on the public npm registry (roughly twenty at last count; the registry is the live source of truth as we publish more). Anyone can install and read them.
Search the npm registryA live public MCP research server
nexus-core research and scoring tools run as a public, read-only Model Context Protocol server over HTTP. Any MCP-compatible client — Claude, GPT, Gemini, or an agent platform — can call it. This is compatibility with an open standard, not an integration, partnership, or endorsement of any third party.
Call nexusmcp.site/mcpA SHA-256 hash-chained audit log
The open-source audit-log primitive builds an append-only record in which each entry is chained to the previous one with a SHA-256 hash, so tampering is detectable after the fact. The source is public — read the implementation, do not take our word for it.
Read pwos-core on GitHubHow your data is handled
The privacy and custody posture, and where each claim is documented.
Anthropic Zero-Data-Retention
AI inference runs under an Anthropic Zero-Data-Retention agreement in a US region — prompts and outputs are not retained by the provider and are not used to train its models. Anthropic, Google Gemini (brokered advisor graphics), and OpenAI Whisper (advisor voice-memo transcription) are the disclosed AI subprocessors.
See the subprocessor listNon-custodial by architecture
Protocol Wealth does not take custody of client assets and does not hold client private keys — the client controls their own keys. The Turnkey self-custody model passed a live acceptance test before production use.
Read Custody & ControlClient identifiers kept out of the AI models
The planning and analysis pipeline is built to exclude client identifiers from the AI models by construction, with an independent PII egress check as a backstop. The primitive that enforces it is open source.
Inspect the pii-guard sourceThe firm posture
Patents, security framework, and records retention — stated plainly, including what is not yet claimed.
Three provisional patents — patent pending
Protocol Wealth has filed three provisional patent applications with the USPTO (PWOS, Nexus, and the planning engine), all defensive. "Patent pending" means applications are on file, not that any patent has been granted.
See the patent disclosureISO/IEC 27001:2022-aligned — not certified
The firm maintains an ISO/IEC 27001:2022-aligned Information Security Management System, with a Statement of Applicability and Risk Register. This is an internal control framework and diligence artifact. Protocol Wealth is not ISO 27001 certified.
Read the security postureSOC 2 readiness path; penetration test planned
Protocol Wealth does not hold a firm-level SOC 2 report today; it relies on vendor SOC 2 reports where appropriate and maintains a readiness path. A formal external penetration test is planned but not yet completed.
See current limitationsSeven-year append-only WORM archive
Audit records are written to a seven-year, append-only WORM (write-once, read-many) archive, designed to support books-and-records retention (SEC Rule 204-2 for the adviser, and the broker-dealer WORM standard under SEC Rule 17a-4 where it applies through our broker-dealer relationship). The design supports the obligation; it is not a claim that the tool itself satisfies any rule.
Read the security postureIn plain terms
What this page is not
- It is not a performance record, a projection, or any statement about investment results.
- It is not a certification. The ISMS is ISO/IEC 27001:2022-aligned, not certified, and there is no firm-level SOC 2 report today.
- It is not a completed audit. The external penetration test is planned but not yet done.
- "Patent pending" means applications are on file with the USPTO, not that any patent has been granted.
- Publishing source code and offering a public MCP server describes what we have built; it is not a software product for sale. Protocol Wealth is an SEC-registered investment adviser, not a software vendor.
Trust Center
Privacy, subprocessors, vendor due diligence, security, and disclosures in one place.
Open Source
Why we publish source, what is open versus private, and how to read the code.
What is PWOS
The operating system these controls are built into, and how each layer makes the one above it trustworthy.
Last updated: July 6, 2026. Protocol Wealth, LLC is an SEC-registered investment adviser (CRD #335298). See our Form ADV for authoritative regulatory disclosures. Registration does not imply a particular level of skill or training; advisory services are provided only under a signed advisory agreement.
This page describes Protocol Wealth's systems and posture and links to where each item can be independently verified. It is general information — not a guarantee against any risk, not a security audit, certification, or endorsement of any third party, and not legal, tax, or investment advice. Third-party sources (the npm registry, GitHub, the USPTO, and any linked server) are outside our control and are provided so you can verify our claims, not as an endorsement of those services. All investing involves risk, including the possible loss of principal.