Client Data Security

·

Enforced

Your data stays yours. We keep only what you save, and we never sell, share, or train models on it.

Tenant-isolated queries · TLS 1.2+ in transit · AES-256 at rest · HMAC-signed session cookies · scoped OAuth tokens you can revoke · least-privilege access · immutable audit trail · point-in-time restore on Neon · Anthropic zero-training on all AI calls (zero-retention upgrade requested). Aligned with SOC 2 control families and NIST 800-53 guidance. One-click purge under Settings → Danger Zone.

Compliance

How we protect your financial data

NOESIS CFO is a B2B FinTech SaaS built for operators and fractional CFOs. This page is a candid summary of what is live today, what is available on request, and what is still on the roadmap. If you are filling out a vendor questionnaire, emailsupport@noesiscfo-io.usand we will turn it around fast.

Last reviewed 2026-05-17 (added Private Markets / fund-administration posture, data residency, fund-admin audit logging, AML/KYC, and Vanta SOC 2 engagement). Companion pages: Privacy · Terms · Data Handling · Disclosures

Tenant isolation

Live

Every Organization-scoped query runs through resolveOrgForSession / resolveOrgScope. Cross-tenant bypasses (including founder-admin escapes) are automatically blocked by the noesis-review audit script on every commit.

AGENTS.md, lib/security/org-scope.ts

Encryption in transit & at rest

Live

All user traffic is TLS 1.2+ (HSTS preload in production). Primary datastore is Neon managed Postgres with storage-level AES-256 encryption. Secrets are stored in Vercel encrypted environment variables, never in the repo.

next.config.ts security headers, Neon platform

No-retention posture + self-serve purge

Live

Customer financial data is only kept while actively in use. Any signed-in user can purge all workspace content immediately from Settings > Profile. The purge runs in a single atomic transaction with password step-up, typed email confirmation, and a confirmation email to the account on file. Operational backups are purged within 30 days.

/api/user/purge-data, /legal/data-handling

Stripe SAQ A scope

Live

NOESIS never touches raw card data. Checkout runs inside Stripe Checkout or Stripe Elements (iframes). We store only the Stripe customer/subscription IDs and webhook event log, which keeps us inside the PCI DSS SAQ A scope.

server/billing/*, Stripe Checkout

AI provider terms - zero-training

Live

Primary inference is Anthropic Claude on the API (zero-training and 30-day retention by default). When Anthropic is unavailable we fail over to the Vercel AI Gateway, which also forwards to non-training providers. We do not use any consumer ChatGPT or public LLM surface.

lib/ai/anthropic-client.ts

CSRF + rate limiting + CSP

Live

All state-changing routes require same-origin POSTs with JSON bodies. Destructive endpoints (purge, admin writes) have their own Upstash-backed rate limits. Every response carries a strict Content-Security-Policy, X-Frame-Options: DENY, Permissions-Policy, and Referrer-Policy header.

lib/security, next.config.ts

Audit trail

Live

Security-relevant events (login, password change, purge attempts, live-agent escalations, step-up failures) are written to a SecurityEvent table with IP, user-agent, and event metadata. Audit rows are retained even when customer data is purged.

prisma schema: SecurityEvent

Data Processing Addendum (DPA)

Live

A GDPR-/CCPA-compatible Data Processing Addendum is self-serve at /legal/dpa. One checkbox plus four fields counter-signs the active version, records an immutable signature row with the full sub-processor list and SCCs Module 2, and emails the signer a receipt. Required before first upload or integration connection.

/legal/dpa

AI Use Policy (EU AI Act / AB 2013 / CO SB 24-205)

Live

Standalone AI Use Policy at /legal/ai-use discloses the Anthropic Claude 4.7 model family (zero-retention, no training on customer data), what data reaches the model, enforced server-side guardrails (no figure invention, no legal/tax/fiduciary advice, injection defense, authority-cited tax commentary only), AI output labeling, and a per-workspace opt-out. Clickwrap-acknowledged at sign-up and on updates via the reacceptance gate.

/legal/ai-use

SOC 2 Type II

Available on request

SOC 2 monitoring engagement is active with Vanta (executed May 2026). Controls inventory and continuous evidence collection are underway through Vanta; the Type II observation window is in progress. A completed Type II report is not yet available and is not claimed. Controls narrative, sub-processor inventory, and gap assessment are available under NDA.

Vanta monitoring engagement - contact support@noesiscfo-io.us

Private Markets / fund-administration posture

Live

The Private Markets suite (PE fund administration, GP/LP analytics, investor reporting, K-1/K-2/K-3 generation, waterfall and carry calculations) is delivered on the same security baseline as the rest of the Platform: tenant-isolated queries, TLS 1.2+, AES-256 at rest, append-only audit trail, Anthropic zero-retention on AI calls, and self-serve purge. Fund-administration outputs are analytical aids, not registered-fund-administrator deliverables. Athena Core Technologies, Inc. is not an SEC-registered investment adviser, not a broker-dealer, not a registered fund administrator, and does not take custody of fund assets or investor capital. See /legal/disclosures Section 21 for the full Private Markets disclaimers.

/legal/disclosures section 21

Data residency for institutional customers

Available on request

Primary data residency is United States (Neon Postgres in AWS us-east, Vercel US edge). Where institutional or non-US LP personal data is in scope of GDPR, UK GDPR, the Swiss FADP, or the Cayman Islands DPA 2017, transfers are governed by the SCCs / UK IDTA / FDPIC alignment / Cayman Schedule 4 set out in the DPA at /legal/dpa. Institutional customers requiring EU or UK residency at the application layer should contact us for a separately negotiated MSA.

/legal/dpa, /legal/privacy section 2.2

Fund-admin audit logging

Live

Privileged actions in the Private Markets suite (waterfall recompute, capital-account adjustment, K-1 generation, distribution-notice issuance, capital-call issuance) are written to the SecurityEvent audit table with actor, organization, timestamp, and event metadata. Audit rows are retained even when fund content is purged from the workspace.

prisma schema: SecurityEvent

AML / KYC posture

Live

Athena Core Technologies, Inc. is not a financial institution under the Bank Secrecy Act and does not perform investor AML, KYC, or sanctions screening. Where a Customer uses the Platform to organize investor onboarding records, the Customer remains solely responsible for fulfilling its own AML, KYC, and OFAC sanctions-screening obligations. The Platform does not screen against OFAC, EU, UK, or UN sanctions lists and is not represented as doing so.

/legal/disclosures section 21

Responding to security questionnaires

Send your SIG / CAIQ / custom questionnaire tosupport@noesiscfo-io.us. We usually turn items around within 3 business days. For urgent procurement timelines, note it in the subject and we will prioritize.

Report a vulnerability

If you believe you have found a security issue in NOESIS CFO, emailsupport@noesiscfo-io.us. We will acknowledge within 1 business day. Please do not share exploit details on public channels until we have had a chance to remediate.