Skip to main content
Archived compliance snapshot from 2 Jun 2026. This page preserves the organization docs as they existed on that date. For the latest editable materials, see the current docs.
Version: 2 Jun 2026

vendor-oversight

Outsourcing Standards

We do not presently employ any service providers for the maintenance of sensitive investor information. Notwithstanding, we are currently redesigning systems for the protected intake of investor information. Then and other operational needs may require an outside vendor.

In such cases, we shall enter into thorough written arrangements which provide us the ability to monitor operational integrity, especially during provider due diligence. Such firms must notify us of breaches within 72 hours of becoming aware of unauthorized access to maintained systems. We can check this and their detection of data misuse through an analysis of usage logs and a reliance on SOC guarantees which would lead to reports and notices of attacker access.

In onboarding a new vendor, the team shall inquire as to the provider's experience and history of managing sensitive data, including a query as to any major breaches within the last 5 years. Aside from the notice turnaround time, including weekends, the team will negotiate arrangements to ensure ongoing confidence in the security of investor information. The team can also be expected to rely on public statements from the service provider which are monitored for stability.

If a provider is unsatisfactory in its data guarantees, the company shall remove investor information from the provider's platform. The team will promptly search for a suitable replacement, preferably in open-source systems. Service providers will be instructed to create an incident issue directly upon a breach, as long as the team may create one in their place in lieu of an ability to negotiate this direct arrangement.