SECURITY
Security posture
Infrastructure and data security controls designed for financial services. We are actively pursuing SOC 2 Type II readiness and publish our posture openly. Request our full security documentation for due diligence.
Encryption in transit & at rest
All API traffic uses TLS 1.3 with ECDHE key exchange. Data at rest is encrypted with AES-256 using per-tenant keys. Signing keys for webhooks use a separate key hierarchy, rotated on a 90-day schedule.
API key management
API keys are issued per environment (sandbox / production). Keys are non-recoverable after initial display and are treated as one-time secrets. Revocation takes effect within 60 seconds across all edge nodes.
Data isolation & retention
Each platform tenant's portfolio data is stored in isolated schema partitions. Portfolio holdings and rebalance history are retained for 7 years per financial record-keeping requirements. Deletion requests are honoured within 72 hours for identifiable personal data.
EU data residency
All portfolio and trade data is processed and stored in EU-based data centres (Frankfurt primary, Amsterdam secondary). No portfolio data is transferred outside the EEA. This addresses GDPR Article 44 requirements on transfers of personal data to third countries.
SOC 2 Type II readiness
Portfolwright is pursuing SOC 2 Type II readiness. Our infrastructure, access controls, and audit logging are designed to meet the security, availability, and confidentiality trust service criteria. We are not yet SOC 2 certified. Enterprise customers can request our current security posture documentation during due diligence.
RESPONSIBLE DISCLOSURE
Found a vulnerability?
We take security reports seriously. If you discover a potential vulnerability in our API or infrastructure, email [email protected]. We commit to acknowledging reports within 24 hours and providing an initial assessment within 5 business days.
We ask that you give us reasonable time to investigate and address issues before public disclosure, and that you avoid accessing or modifying data in accounts you do not own.
Request full security documentation
Enterprise customers can request our infrastructure architecture overview, data flow diagrams, and sub-processor list.