
Privacy Policy

Last Updated: February 8, 2026

1. Introduction

RIAFMS ("we," "us," or "our") operates the RIA Firm Management System, a multi-tenant SaaS platform designed for SEC-registered investment advisors. This Privacy Policy describes how we collect, use, store, and protect your personal information and the personal information of your clients when you use our platform.

We understand the sensitivity of financial data and personally identifiable information (PII) handled by registered investment advisors. Protecting this data is our highest priority.

2. Information We Collect

2.1 Account Information

When your firm registers for RIAFMS, we collect:

  • Full name and email address of authorized users
  • Firm name, CRD number, and business contact details
  • Role and permission assignments within the platform

2.2 Financial and Client Data

In the course of using the platform, your firm may upload or enter:

  • Commission statements and compensation data
  • Client account numbers and names (encrypted at rest)
  • Compliance documents, attestation records, and regulatory filings
  • Marketing materials submitted for review

2.3 Usage and Technical Data

  • Login timestamps, session activity, and audit trail records
  • Browser type, IP address, and device information
  • Application performance and error logs (PII-sanitized)

3. How We Use Your Information

We use collected information to:

  • Provide and operate the RIAFMS platform and its modules
  • Process commission data and generate compensation reports
  • Manage compliance workflows, document storage, and attestation campaigns
  • Send system notifications, alerts, and account-related communications
  • Maintain audit trails for SEC exam readiness and regulatory compliance
  • Monitor platform performance, security, and reliability
  • Respond to support requests and inquiries

4. Data Protection and Security

We implement comprehensive security measures to protect your data:

  • Encryption at rest: Sensitive PII fields (account numbers, account names) are encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before database storage
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted via TLS
  • Password security: Passwords are hashed using bcrypt with automatic salting and are never stored in plaintext
  • Access controls: Role-based permissions with 18 granular permission flags per user, enforced at every access point
  • Session management: Automatic session timeout after 30 minutes of inactivity
  • Account protection: Account lockout after 5 failed login attempts for 15 minutes
  • Document integrity: SHA-256 hashing for all uploaded documents to detect tampering
  • XSRF protection: Cross-site request forgery protection enabled on all forms
  • Audit logging: All significant actions are logged with timestamps and user attribution

For complete details on our security controls, please refer to our internal Security Policy documentation.

5. Multi-Tenant Data Isolation

RIAFMS is a multi-tenant platform. Each firm's data is logically isolated through firm-level scoping on all database queries. Users from one firm cannot access, view, or modify data belonging to another firm. Platform administrators (super admins) can access firm data only through designated administrative interfaces.

6. Data Retention

Documents uploaded to the Document Vault are subject to configurable retention policies (2, 4, 5, or 7 years, permanent, or custom). Documents with expired retention periods are auto-archived unless placed on legal hold. Commission data, compliance records, and audit logs are retained for the duration of your firm's subscription and in accordance with SEC recordkeeping requirements.

Upon termination of your firm's account, we will retain data for the minimum period required by applicable regulations, after which it will be securely deleted.

7. Third-Party Services

We use the following third-party services in the operation of RIAFMS:

  • Resend: For transactional email delivery (welcome emails, notifications, password resets)
  • OpenAI: For the AI Document Assistant feature (document analysis with PII redaction)
  • PostgreSQL: Database hosting

We do not sell, rent, or trade your personal information or your clients' data to third parties for marketing purposes.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (subject to regulatory retention requirements)
  • Export your data in a portable format
  • Object to or restrict certain processing activities

To exercise any of these rights, please contact us using the information provided below.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or in-app notification. The "Last Updated" date at the top of this page indicates when the policy was last revised.

10. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us through the contact form on our homepage or reach out to your firm's designated RIAFMS administrator.