1. Compliance posture at a glance
- SOC 2 Type I — attestation in progress with an AICPA-affiliated auditor; report targeted by end of Q3 2026.
- SOC 2 Type II — observation window opens Q4 2026; report targeted by Q2 2027. Trust Services Criteria in scope: Security, Availability, and Confidentiality.
- GLBA Safeguards Rule — we maintain a written information security program covering administrative, technical, and physical safeguards consistent with 16 CFR Part 314.
- FERPA-friendly handling — when partnered with a higher-ed institution, we operate as a school official with a legitimate educational interest under 34 CFR §99.31(a)(1) and process student records only as directed by the institution.
- GDPR & CCPA / CPRA — we process personal data as a processor on behalf of institutional partners and honor data subject access, correction, and deletion requests via automated DSAR tooling.
- NIST CSF 2.0 — our security program is mapped to the NIST Cybersecurity Framework functions (Govern, Identify, Protect, Detect, Respond, Recover).
2. What we are — and aren't
- Not a Registered Investment Adviser (RIA). Boss Finances provides financial education and coaching, not personalized investment advice.
- Not a broker-dealer, lender, money transmitter, or insurance producer. We do not custody funds, originate credit, or move money on a member's behalf.
- Not a HIPAA covered entity or business associate by default. We do not process Protected Health Information; if your use case requires a BAA we'll scope it before contracting.
- Not a credit reporting agency (CRA) under the FCRA. We surface credit data through a licensed bureau aggregator; we do not assemble or evaluate consumer reports for third parties.
3. Data we collect on behalf of institutions
We follow data minimization. The categories below are the maximum we may collect — most members have only a subset.
- Identity: name, work or institutional email, institutional identifier (e.g., student ID hash), role.
- Profile (member-provided): goals, income band, debt band, credit score band, homeowner status, household size, age band, ZIP. Always optional.
- Financial data (member-linked, optional): account balances, transactions, and credit data via Plaid (read-only) and a licensed bureau aggregator. Members initiate every link and can revoke at any time.
- Product telemetry: page views, feature usage, AI message counts — used to operate, secure, and improve the service.
- Support communications: messages members send to us and our responses.
What we never collect: Social Security numbers, full bank or routing numbers, biometric identifiers, payment card numbers (Stripe handles all card data — Boss Finances is PCI DSS SAQ-A scope only), or data purchased from data brokers.
4. Institutional admin access — outcomes only
Institutional admins see aggregate, opt-in outcome reporting only: enrollment, monthly active users, pillar engagement, and de-identified credit-lift and savings-behavior cohorts. Admins never see an individual's balances, transactions, credit report, AI conversations, or any data tied to a named person. Cohort metrics are suppressed when the underlying group is smaller than 10 members (k-anonymity threshold) to prevent re-identification.
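As an added example (not Boss Finances' code; the cohort labels and member counts are constructed), this shows the k = 10 suppression rule above in Python, with one refinement a reviewer would ask about: when a total is published alongside the cohorts, a single suppressed cell can be recovered by subtraction, so a second cell is hidden as well (complementary suppression).

```python
"""Cohort outcome reporting with k-anonymity suppression (k = 10).

Illustrative code, not the product's implementation. Cohort names and
counts below are constructed sample data.
"""
from collections import Counter

K_THRESHOLD = 10      # threshold stated on the page: groups < 10 are hidden
SUPPRESSED = None     # value emitted in place of a hidden count

# Constructed sample: (cohort label, was monthly-active) per member.
SAMPLE_MEMBERS = (
    [("credit_580_669", True)] * 14 + [("credit_580_669", False)] * 9
    + [("credit_670_739", True)] * 25 + [("credit_670_739", False)] * 6
    + [("credit_740_plus", True)] * 4 + [("credit_740_plus", False)] * 3
)


def cohort_report(members, k=K_THRESHOLD, publish_total=True):
    """Return ({cohort: active_count_or_None}, total_active_or_None).

    Primary suppression: a cohort with fewer than k members is hidden.
    Complementary suppression: if a total is published and exactly one
    cohort was hidden, the next-smallest visible cohort is hidden too;
    otherwise total - sum(visible cells) would reveal the hidden count.
    """
    sizes = Counter(c for c, _ in members)
    active = Counter(c for c, is_active in members if is_active)
    report = {c: (active[c] if sizes[c] >= k else SUPPRESSED) for c in sizes}
    hidden = [c for c, v in report.items() if v is SUPPRESSED]
    if publish_total and len(hidden) == 1 and len(sizes) > 1:
        visible = [c for c in sizes if c not in hidden]
        report[min(visible, key=lambda c: sizes[c])] = SUPPRESSED
    total = sum(active.values()) if publish_total else SUPPRESSED
    return report, total


def leaks_by_differencing(report, total):
    """True if a published total plus exactly one hidden cell lets an
    admin recover the hidden cohort's count by subtraction."""
    hidden = [v for v in report.values() if v is SUPPRESSED]
    return total is not SUPPRESSED and len(hidden) == 1


if __name__ == "__main__":
    rep, tot = cohort_report(SAMPLE_MEMBERS)
    print(rep, tot, "leaks:", leaks_by_differencing(rep, tot))
```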
5. Encryption & infrastructure
- In transit: TLS 1.2 or higher on all member and admin endpoints; HSTS enforced; modern cipher suites only.
- At rest: AES-256 on managed cloud infrastructure (US regions) for the application database, object storage, and backups.
- Key management: envelope encryption with cloud-managed KMS; customer-managed keys (CMK) available on enterprise contracts.
- Secrets: stored in an encrypted secrets manager with strict access controls and full audit logging.
- Data residency: primary processing in US-East and US-West regions. EU residency available for EU-based institutions on enterprise contracts.
6. Access controls & personnel
- Least-privilege access; production access is role-based and time-bound.
- Phishing-resistant MFA required for all employees and contractors.
- SSO with centralized provisioning and immediate offboarding revocation.
- Background checks on all personnel with potential access to member data, where permitted by law.
- Annual security & privacy training; signed confidentiality obligations.
- All production access is logged, monitored, and reviewed quarterly.
7. AI: how member conversations are handled
- Zero data retention with model providers. We have ZDR contracts in place with our AI providers — member prompts and responses are not used to train any third-party model.
- Member-scoped only. AI conversations are tied to the individual member; nothing is shared with the institution or other members.
- Compliance rails. A keyword-based classifier flags conversations that touch securities recommendations, guarantees, tax/legal advice, or crisis language for human review.
- Not personalized advice. The assistant explicitly identifies as an AI coach, not a licensed financial advisor, on relevant topics.
8. Subprocessors
We use the following subprocessors to deliver Boss Finances. We notify institutional customers of material changes at least 30 days in advance, and customers may object via the process in our DPA.
| Subprocessor | Purpose | Data categories | Region |
|---|---|---|---|
| Supabase (Lovable Cloud) | Application database, auth, file storage | Identity, profile, financial, telemetry | US |
| Cloudflare | Edge runtime, CDN, DDoS & WAF | Request metadata, IP | Global edge |
| Plaid | Bank account linking (read-only) | Financial accounts & transactions | US |
| Stripe | Payment processing | Billing identity, card data (Stripe-held) | US |
| Google Gemini (via Lovable AI Gateway) | AI coaching responses | Member-authored prompts & AI responses | US (ZDR) |
| OpenAI (via Lovable AI Gateway) | AI coaching responses | Member-authored prompts & AI responses | US (ZDR) |
| Resend | Transactional email | Email address, message content | US / EU |
9. Independent testing & monitoring
- Annual third-party penetration test by an independent security firm. Letter of attestation available under NDA.
- Continuous vulnerability scanning across application code, dependencies, container images, and cloud configuration.
- 24/7 alerting on production anomalies, with on-call rotation and documented runbooks.
- Annual disaster recovery test with documented RPO ≤ 1 hour and RTO ≤ 4 hours for the application tier.
10. Incident response & breach notification
We maintain a documented incident response plan aligned to NIST SP 800-61. In the event of a confirmed security incident affecting institutional data, we will notify the institution's designated security contact without undue delay and within 72 hours of confirmation, with information sufficient to meet GLBA, GDPR Art. 33, and applicable state breach notification obligations.
11. Data retention & deletion
- Active accounts: data retained while the member account is active and the institutional contract is in effect.
- Member-initiated deletion: honored within 30 days; backups expire on a 35-day rolling window.
- Contract termination: 30-day export window for the institution, followed by deletion of institution-tied data per the DPA. Members may keep an individual account independent of the institution if eligible.
- Legal holds: data subject to legal hold or required by law (e.g., financial records under applicable retention statutes) is retained for the minimum period required.
12. Contracts available
- MSA — Boss Finances standard or your paper (enterprise tier).
- Data Processing Addendum (DPA) — incorporates SCCs and UK Addendum for international transfers.
- FERPA School Official addendum for higher-ed institutions.
- BAA on request when scoped to a specific HIPAA use case.
- Mutual NDA for sharing the SOC 2 report and pen test letter.
13. Documents available under NDA
- SOC 2 Type I report (when issued) and bridge letter
- Most recent third-party penetration test letter
- SIG Lite and CAIQ v4 questionnaires (pre-completed)
- Information security program summary
- Business continuity & disaster recovery plan summary
- Insurance certificates (cyber, E&O, general liability)
14. Contact
Trust & procurement: trust@bossfinances.ai
Security disclosures: security@bossfinances.ai
Privacy / DPO: privacy@bossfinances.ai
Mail: Boss Finances Inc., Attn: Trust, 777 Brickell Avenue, Suite 500, Miami, FL 33131, USA
See also our public Security overview, Privacy policy, and Terms of service.
