Security
Privacy, security, and compliance posture.
Protocol Wealth is an SEC-registered investment adviser. This page summarizes how we protect client information, supervise AI-assisted workflows, manage vendors, and preserve required records.
Last reviewed and approved June 11, 2026 by Nick Rygiel, Managing Partner / CTO / CISO and Adam Blumberg, Chief Compliance Officer.
This is a public summary, not an exhaustive control report, SOC 2 report, ISO certificate, penetration-test report, client agreement, or replacement for our Form ADV, Privacy Notice, Terms of Service, or other required disclosures. We state material limitations plainly because public security communications should be fair, balanced, and verifiable.
Core commitments
What clients and reviewers should know first
Client data is not sold or used to train AI models.
Vendor relationships are limited to providing services to the firm and are governed through our Privacy Policy, Subprocessors Inventory, and vendor due-diligence process.
Human advisers remain accountable.
AI assists with research, monitoring, summarization, and drafting. It does not make final investment decisions or send client-facing advice without human adviser review.
Access is restricted, logged, and reviewable.
Client data access is role-restricted, protected by MFA, isolated by database row-level security, and preserved in audit records under the firm's books-and-records program.
Required records are retained.
State-changing activity is written to an audit log and mirrored to a seven-year, retention-locked archive for regulated recordkeeping and forensic review.
Privacy and AI controls
AI is supervised and data-minimized.
Our primary reasoning-model provider is Anthropic's Claude API under a formally approved Zero Data Retention configuration. Under that arrangement, API inputs and outputs are not retained for training or model improvement, and our primary inference path is restricted to US-based infrastructure.
We also use narrow AI capabilities for adviser-facing image/graphics generation and adviser-initiated voice-memo transcription. These are disclosed in our Subprocessors Inventory and are not used as general client-advice engines.
Client-data fields are classified at ingestion as high, medium, or low sensitivity. High-risk fields such as government identifiers, full account numbers, private keys, seed phrases, biometric data, and authentication artifacts are structurally excluded from LLM-bound payloads absent narrow authorization. An independent egress canary can block outbound requests when residual sensitive patterns are detected.
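The classification, payload minimization, and egress canary described above, shown as an added example that is not Protocol Wealth's code. The sensitivity table, field names, canary patterns, and sample records are all constructed for illustration; the one design point the example makes explicit is that the canary runs on the serialized outbound text independently of the field-level filter, so a high-risk value pasted into a low-sensitivity free-text field is still caught.

```python
"""Added example (not Protocol Wealth's code): classify fields at ingestion,
drop high-sensitivity fields from an LLM-bound payload unless narrowly
authorized, then run an independent egress canary over the serialized text."""
import json
import re
from typing import Any

# Assumed classification table: field name -> sensitivity tier.
SENSITIVITY = {
    "ssn": "high", "account_number": "high", "private_key": "high",
    "seed_phrase": "high", "password_hash": "high", "session_token": "high",
    "email": "medium", "phone": "medium", "date_of_birth": "medium",
    "first_name": "low", "risk_tolerance": "low", "portfolio_notes": "low",
}


def classify(field: str) -> str:
    """Fields absent from the table are treated as high sensitivity (fail closed)."""
    return SENSITIVITY.get(field, "high")


def minimize_for_llm(record: dict[str, Any],
                     authorized: frozenset[str] = frozenset()) -> dict[str, Any]:
    """Drop high-sensitivity fields unless the field name is explicitly authorized."""
    return {k: v for k, v in record.items()
            if classify(k) != "high" or k in authorized}


# Constructed canary patterns for residual sensitive data in outbound text.
CANARY_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "long_digit_run": re.compile(r"\b\d{12,19}\b"),              # account/card-like
    "seed_like_phrase": re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b"),
    "hex_private_key": re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b"),
}


def egress_canary(payload_text: str) -> list[str]:
    """Return the names of canary patterns that fire on the outbound text."""
    return [name for name, rx in CANARY_PATTERNS.items() if rx.search(payload_text)]


class EgressBlocked(Exception):
    """Raised when the canary detects residual sensitive data; the request is not sent."""


def prepare_llm_request(record: dict[str, Any],
                        authorized: frozenset[str] = frozenset()) -> str:
    """Minimize, serialize, and canary-check; returns the text that may leave."""
    minimized = minimize_for_llm(record, authorized)
    text = json.dumps(minimized, sort_keys=True)
    hits = egress_canary(text)
    if hits:
        raise EgressBlocked(f"egress canary fired: {hits}")
    return text


if __name__ == "__main__":
    # Constructed sample record: the SSN is dropped by classification alone.
    clean = {"first_name": "Jane", "ssn": "123-45-6789",
             "email": "jane@example.com", "portfolio_notes": "prefers index funds"}
    print(prepare_llm_request(clean))
    # Constructed sample where a seed-like phrase sits in a low-sensitivity notes field.
    leaky = {"first_name": "Jane", "portfolio_notes":
             "seed: abandon ability able about above absent absorb abstract absurd abuse access accident"}
    try:
        prepare_llm_request(leaky)
    except EgressBlocked as e:
        print("blocked:", e)
```

Because the canary is independent of the authorization list, a narrowly authorized field whose value still matches a canary pattern is blocked at egress; that is the intended behaviour of a second, independent control rather than a defect.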
Controls
Current security controls
Data protection
- TLS 1.2 or better for external traffic, with TLS 1.3 preferred.
- Cloud SQL and Cloud Storage encrypted at rest with AES-256.
- Application-layer AES-256-GCM protection for sensitive vendor credentials.
- Private-network production Cloud SQL and Redis services.
Identity and isolation
- MFA required for client and adviser surfaces.
- Passkey-first authentication on newer client onboarding flows.
- Database-enforced row-level security for tenant isolation.
- Workload identity for non-human access; long-lived service-account keys disabled.
Monitoring and response
- Cloud-configuration-change alerts for high-risk GCP changes.
- Google Security Command Center findings reviewed through governance workflows.
- Dependency scanning, code scanning, and PII-egress alerts.
- Written incident response plan and post-incident review process.
Records and vendors
- Canonical audit log for state-changing actions.
- Seven-year WORM archive for audit records.
- Subprocessor review before onboarding and on material change.
- Vendor diligence evidence available under NDA where redistribution terms permit.
Digital assets
Self-custody is designed to preserve client control.
For clients who hold crypto, Protocol Wealth has built a self-custodial wallet model where the client is intended to remain the signing authority and Protocol Wealth cannot unilaterally move client crypto.
The model uses client-held passkeys and a fail-closed provisioning check that prevents activation if Protocol Wealth is in the signing quorum. The production custody path has passed live acceptance testing, including a real wallet provisioning and passkey ceremony. Broader client rollout remains controlled and subject to per-client adviser, compliance, and operational gates.
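A fail-closed provisioning check of the kind described above, as an added example that is not Protocol Wealth's code. The signer registry, holder labels, and quorum shapes are constructed; the point demonstrated is that activation is the only non-default outcome, so a firm-held signer, a signer whose custody is unverified, a malformed quorum, or an unexpected error all refuse activation rather than passing through.

```python
"""Added example (not Protocol Wealth's code): fail-closed provisioning check
for a self-custodial wallet. Activation succeeds only when every signer in
the quorum is verified as client-held; everything else refuses."""
from dataclasses import dataclass

FIRM_HOLDER = "firm"      # assumed label for keys controlled by the adviser
CLIENT_HOLDER = "client"  # assumed label for verified client-held passkeys


@dataclass(frozen=True)
class Signer:
    key_id: str
    holder: str  # "client", "firm", or any other value (treated as unverified)


@dataclass(frozen=True)
class Quorum:
    threshold: int
    signers: tuple[Signer, ...]


class ProvisioningRefused(Exception):
    """Raised for any condition under which the wallet must not be activated."""


def check_provisioning(q: Quorum) -> bool:
    """Return True only when activation is safe; raise on every other condition."""
    if not q.signers or q.threshold < 1 or q.threshold > len(q.signers):
        raise ProvisioningRefused("malformed quorum")
    for s in q.signers:
        if s.holder == FIRM_HOLDER:
            raise ProvisioningRefused(f"firm key {s.key_id} is in the signing quorum")
        if s.holder != CLIENT_HOLDER:
            raise ProvisioningRefused(f"signer {s.key_id} has unverified custody: {s.holder!r}")
    return True


def activate_wallet(q: Quorum) -> str:
    """Fail closed: 'active' only on an explicit pass; any exception is a refusal."""
    try:
        check_provisioning(q)
    except Exception:
        return "refused"
    return "active"


if __name__ == "__main__":
    # Constructed quorums: a client-only 2-of-3, and one with a firm key present.
    ok = Quorum(2, (Signer("k1", "client"), Signer("k2", "client"), Signer("k3", "client")))
    bad = Quorum(2, (Signer("k1", "client"), Signer("k2", "firm"), Signer("k3", "client")))
    print(activate_wallet(ok), activate_wallet(bad))
```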
Compliance framework
Regulated adviser obligations come first.
Protocol Wealth's security program is designed around its obligations as an SEC-registered investment adviser, including Regulation S-P safeguards and breach-notification readiness, Rule 204-2 books and records, fiduciary supervision, and Marketing Rule review for public communications.
The firm maintains an ISO/IEC 27001:2022-aligned Information Security Management System with a Statement of Applicability and Risk Register. This is an internal control framework and diligence artifact. Protocol Wealth is not ISO 27001 certified.
Protocol Wealth does not currently hold a firm-level SOC 2 report. We rely on vendor SOC 2 reports where appropriate and maintain a readiness path in case a future customer, partner, or commercial need justifies a firm-held SOC 2 engagement.
Where FINRA standards are relevant through broker-dealer partners or public-communications discipline, we draft communications to be fair, balanced, and not misleading. Protocol Wealth does not present this page as a FINRA member communication unless separately approved through the appropriate channel.
Current limitations
What is not being claimed.
- Customer-managed encryption keys and column-level field encryption are approved hardening items but are not yet in production.
- A formal external penetration test is planned but not yet completed.
- Periodic access-review cadence and just-in-time custom roles are being matured.
- The independent PII egress canary is being extended across remaining API egress paths.
- ISO 27001 certification and firm-level SOC 2 are not current claims.
Verify
Diligence materials available under NDA.
Qualified partners and institutional reviewers may request supporting diligence materials, including vendor due-diligence evidence, anonymized audit-log samples, the ISO-aligned Statement of Applicability, the Risk Register, and security-policy artifacts.
Attestation
Reviewed and approved.
This public security posture was reviewed and approved on June 11, 2026 by Nick Rygiel, Managing Partner / CTO / CISO and Adam Blumberg, Chief Compliance Officer. The linked PDF is the current public posture artifact for website use.
Last updated: June 11, 2026. Protocol Wealth LLC is an SEC-registered investment adviser (CRD #335298). Full regulatory disclosures are available through our Form ADV.
Registration with the SEC does not imply a certain level of skill or training. This page is provided for informational purposes and does not create additional contractual obligations beyond those set out in our advisory agreements, Privacy Policy, and Terms of Service.
Legally required notifications, including breach notifications under Regulation S-P, follow the deadlines set by applicable law and regulation. Internal response targets do not override those requirements.