Skip to main content
Protocol Wealth

Verifiable Proof

Don't take our word for it.

Most of what a firm says about its technology and its controls has to be taken on faith. These claims do not. Each item below is something you can check against an outside source — the public npm registry, a live server, the open-source code, the USPTO, or our own regulatory pages.

"Verify, don't trust" is the organizing idea behind how Protocol Wealth publishes its work. Where a claim can be made checkable, we make it checkable and link to where you can check it. Where something is aspirational or not yet true, we say so on this page rather than imply otherwise.

Nothing here is a performance claim or a projection about investment results. It is a description of the firm's systems and posture, with the source you can inspect for each one.

The open system

The substrate is published and running. You can inspect it or call it yourself.

Open-source packages on npm

Packages published under the @protocolwealthos scope live on the public npm registry (roughly twenty at last count; the registry is the live source of truth as we publish more). Anyone can install and read them.

Search the npm registry

A live public MCP research server

nexus-core research and scoring tools run as a public, read-only Model Context Protocol server over HTTP. Any MCP-compatible client — Claude, GPT, Gemini, or an agent platform — can call it. This is compatibility with an open standard, not an integration, partnership, or endorsement of any third party.

Call nexusmcp.site/mcp

A SHA-256 hash-chained audit log

The open-source audit-log primitive builds an append-only record in which each entry is chained to the previous one with a SHA-256 hash, so tampering is detectable after the fact. The source is public — read the implementation, do not take our word for it.

Read pwos-core on GitHub

How your data is handled

The privacy and custody posture, and where each claim is documented.

Anthropic Zero-Data-Retention

AI inference runs under an Anthropic Zero-Data-Retention agreement in a US region — prompts and outputs are not retained by the provider and are not used to train its models. Anthropic, Google Gemini (brokered advisor graphics), and OpenAI Whisper (advisor voice-memo transcription) are the disclosed AI subprocessors.

See the subprocessor list

Non-custodial by architecture

Protocol Wealth does not take custody of client assets and does not hold client private keys — the client controls their own keys. The Turnkey self-custody model passed a live acceptance test before production use.

Read Custody & Control

Client identifiers kept out of the AI models

The planning and analysis pipeline is built to exclude client identifiers from the AI models by construction, with an independent PII egress check as a backstop. The primitive that enforces it is open source.

Inspect the pii-guard source

The firm posture

Patents, security framework, and records retention — stated plainly, including what is not yet claimed.

Three provisional patents — patent pending

Protocol Wealth has filed three provisional patent applications with the USPTO (PWOS, Nexus, and the planning engine), all defensive. "Patent pending" means applications are on file, not that any patent has been granted.

See the patent disclosure

ISO/IEC 27001:2022-aligned — not certified

The firm maintains an ISO/IEC 27001:2022-aligned Information Security Management System, with a Statement of Applicability and Risk Register. This is an internal control framework and diligence artifact. Protocol Wealth is not ISO 27001 certified.

Read the security posture

SOC 2 readiness path; penetration test planned

Protocol Wealth does not hold a firm-level SOC 2 report today; it relies on vendor SOC 2 reports where appropriate and maintains a readiness path. A formal external penetration test is planned but not yet completed.

See current limitations

Seven-year append-only WORM archive

Audit records are written to a seven-year, append-only WORM (write-once, read-many) archive, designed to support books-and-records retention (SEC Rule 204-2 for the adviser, and the broker-dealer WORM standard under SEC Rule 17a-4 where it applies through our broker-dealer relationship). The design supports the obligation; it is not a claim that the tool itself satisfies any rule.

Read the security posture

In plain terms

What this page is not

  • It is not a performance record, a projection, or any statement about investment results.
  • It is not a certification. The ISMS is ISO/IEC 27001:2022-aligned, not certified, and there is no firm-level SOC 2 report today.
  • It is not a completed audit. The external penetration test is planned but not yet done.
  • "Patent pending" means applications are on file with the USPTO, not that any patent has been granted.
  • Publishing source code and offering a public MCP server describes what we have built; it is not a software product for sale. Protocol Wealth is an SEC-registered investment adviser, not a software vendor.

Last updated: July 6, 2026. Protocol Wealth, LLC is an SEC-registered investment adviser (CRD #335298). See our Form ADV for authoritative regulatory disclosures. Registration does not imply a particular level of skill or training; advisory services are provided only under a signed advisory agreement.

This page describes Protocol Wealth's systems and posture and links to where each item can be independently verified. It is general information — not a guarantee against any risk, not a security audit, certification, or endorsement of any third party, and not legal, tax, or investment advice. Third-party sources (the npm registry, GitHub, the USPTO, and any linked server) are outside our control and are provided so you can verify our claims, not as an endorsement of those services. All investing involves risk, including the possible loss of principal.