Palnu is built to hold the most sensitive data wealth management firms produce: client names, testimonials, referral records, and CCO approval chains. Here's how we protect it.
Every byte of advisor and client data is encrypted in transit and at rest. Tenant boundaries are enforced at the database, storage, and network layers.
TLS 1.3 is enforced on every public endpoint. HSTS is preloaded in all major browsers. Downgrade attacks to TLS 1.2 or HTTP are blocked at the edge.
Data at rest is encrypted with AES-256-GCM, with keys managed in AWS KMS. Per-tenant customer-managed keys (CMKs) are available on request for firms that require them.
Tenants are logically isolated by default, with row-level security enforced at the database layer. Dedicated single-tenant deployments are available for enterprise firms.
Backups support point-in-time recovery to any moment in the prior 35 days, with cross-region replication and automated failover. RPO: 15 minutes. RTO: 4 hours.
Enterprise-grade identity management with the same SSO, SCIM, and MFA standards your firm already uses.
Single sign-on via SAML 2.0 and OpenID Connect, with out-of-the-box support for Okta, Microsoft Entra ID (Azure AD), Google Workspace, and OneLogin.
Multi-factor authentication is required by default for all users. It supports TOTP authenticator apps, WebAuthn hardware keys (YubiKey), and SMS as a fallback.
Four default roles: Admin, Principal (CCO), Advisor, and Read-Only. Custom roles available on enterprise plans. Every role change is logged.
Automatic user provisioning and de-provisioning via SCIM 2.0. When someone leaves the firm, their Palnu access is revoked in the same workflow.
Every testimonial, approval, and administrative action is recorded in an append-only audit trail designed to be produced in response to an SEC or FINRA examination.
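The append-only audit trail this section describes, as an added example that is not Palnu's code: a hash-chained log in which each entry's SHA-256 snapshot hash also covers the previous entry's hash, so an in-place edit, a reordered record or a deleted record breaks verification. The chaining design, the `AuditLog` class and the sample records are assumptions; the page only states that snapshot hashes exist.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # back-link used by the very first entry


def entry_digest(record: dict) -> str:
    """SHA-256 over a canonical JSON form, so equal records always hash equal."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


@dataclass
class AuditLog:
    """Hypothetical append-only audit trail: each entry carries a SHA-256 snapshot
    hash over its own fields plus the previous entry's hash (a hash chain)."""
    entries: list = field(default_factory=list)

    def append(self, actor: str, action: str, subject: str, decision: str, ts: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "ts": ts, "actor": actor, "action": action,
                  "subject": subject, "decision": decision, "prev": prev}
        record["hash"] = entry_digest(record)  # the hash covers every field above
        self.entries.append(record)
        return record["hash"]

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first entry whose
        hash, sequence number or back-link fails. Truncation of the tail is only
        detectable if the latest hash is also anchored outside the store."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_digest(body):
                return i
            prev = e["hash"]
        return -1

    def export_json(self) -> str:
        """Examiner-facing export; the hashes travel with the records."""
        return json.dumps(self.entries, indent=2, sort_keys=True)


def build_sample_log() -> AuditLog:
    """Constructed sample of a testimonial approval workflow (all values made up)."""
    log = AuditLog()
    log.append("advisor@firm.example", "submit_testimonial", "testimonial:42", "pending", "2024-05-01T14:03:00Z")
    log.append("cco@firm.example", "review_testimonial", "testimonial:42", "approved", "2024-05-01T16:20:00Z")
    log.append("admin@firm.example", "change_role", "user:advisor@firm.example", "Advisor->Read-Only", "2024-05-02T09:00:00Z")
    return log
```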
Every state change is written to an append-only store with SHA-256 snapshot hashes. Exportable as CSV or JSON on demand. (SEC 204-2 · FINRA 4511)
Records are retained for five years from the date they are first created, consistent with SEC Rule 204-2(e)(1). 7-year retention available. (SEC 204-2(e)(1))
Every testimonial requires approval by a designated principal before publication. The reviewer's identity, timestamp, and decision are permanently recorded. (FINRA 2210(b)(1))
Automated disclosure generation covering compensation status, conflicts of interest, and client/non-client classification. Templates are editable; required elements cannot be removed. (SEC 206(4)-1(b))
How we prevent, detect, respond to, and recover from security incidents.
| Control | Detail |
|---|---|
| Infrastructure | AWS (us-east-1 primary, us-west-2 failover). All compute runs in private subnets behind a WAF and DDoS mitigation layer. |
| Monitoring | 24/7 alerting on anomalous access patterns, failed auth attempts, and log tampering signals. Median alert-to-ack time: 8 minutes. |
| Incident response | Documented IR plan reviewed quarterly. Customer notification within 72 hours of confirmed incident affecting their data. |
| Penetration testing | Annual third-party test by an independent firm. Summary report available to customers under NDA. |
| Vulnerability management | Automated dependency scanning on every build. Critical CVEs patched within 24 hours; high within 72. |
| Business continuity | RTO: 4 hours. RPO: 15 minutes. Tested quarterly with a full failover drill. Results documented. |
| Data residency | US-only hosting by default. EU and APAC residency available on enterprise plans. |
These are the third-party services that process customer data on Palnu's behalf. We notify customers 30 days before adding a new subprocessor.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure, compute, storage, database | US (us-east-1, us-west-2) |
| Cloudflare | CDN, WAF, DDoS mitigation | Global edge, US origin |
| SendGrid (Twilio) | Transactional email delivery | US |
| Stripe | Payment processing, billing | US |
| Datadog | Infrastructure monitoring, alerting | US |
Request our security brief, a completed vendor DDQ, or a live walkthrough of the audit log design with your compliance team. Full SOC 2 Type II report available under NDA.