Security & Compliance
Founded on Trust & Security
Our entire management team and ownership came from family offices. We endeavor to serve you perfectly, and that starts with top-tier trust — and the promise to never sell your data.
How We Protect Your Data
Database Security
Our database backups and sensitive data are stored in AWS S3 buckets that are private by default with Block Public Access enforced, governed by least-privilege IAM policies, encrypted at rest with server-side encryption (SSE-S3), and covered by access logging for continuous monitoring and audit.
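As an added illustration (not a policy copied from Abacus's account), this is a bucket policy that enforces the transport requirement described under Data Transfer Security below: it denies any request not made over TLS and any request negotiated below TLS 1.2. The bucket name `example-backups` is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonTLSRequests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-backups",
        "arn:aws:s3:::example-backups/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyTLSBelow12",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-backups",
        "arn:aws:s3:::example-backups/*"
      ],
      "Condition": {
        "NumericLessThan": { "s3:TlsVersion": "1.2" }
      }
    }
  ]
}
```

An explicit Deny overrides any Allow, so these statements hold regardless of what the IAM policies attached to individual principals grant; they are a guardrail on top of least-privilege IAM, not a substitute for it. Block Public Access and SSE-S3 default encryption are separate bucket settings and are not expressed in the policy document.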
Data Transfer Security
All data transfers to and from our AWS S3 buckets are protected in transit by TLS 1.2 or later, enforced by bucket policies that deny requests made over non-TLS connections. Sensitive payloads are additionally encrypted before upload using a hybrid scheme: the content is encrypted with AES-256-CBC under a per-payload key, and that key is wrapped with 2048-bit RSA, so plaintext never reaches AWS infrastructure.
Session Security
Haven powers the secure desktop browser provided by Abacus, adding an extra layer of protection during sensitive online activity. It verifies trusted destinations and helps prevent phishing or look-alike attacks, reducing the risk of credential theft or account compromise without disrupting the user experience.
Application-Layer Encryption
All personally identifiable information (PII) is encrypted at the application layer with AES-256-GCM before it is written to our database, so a breach of the database alone yields ciphertext rather than readable client data. Encryption and decryption happen exclusively within our controlled application environment.
Access Controls
Our platform implements role-based access control (RBAC) with three distinct permission levels: client, advisor, and admin. Row-Level Security (RLS) policies at the database layer independently enforce that each user can access only their own data, so a bug in or bypass of the application-layer logic does not by itself expose another user's rows.
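An added PostgreSQL example of how RLS can back the three roles described above (constructed for this page; not the platform's actual schema): the application sets the authenticated identity and role as transaction-local settings, and the policies decide row visibility from them. The table, column and setting names are assumptions.

```sql
-- Constructed schema: a clients table owned by one client user, and an
-- assignments table recording which advisor serves which client.
CREATE TABLE clients (
    id        uuid PRIMARY KEY,
    owner_id  uuid NOT NULL,   -- the client user who owns this row
    pii_enc   text NOT NULL    -- ciphertext produced at the application layer
);
CREATE TABLE advisor_assignments (
    advisor_id uuid NOT NULL,
    client_id  uuid NOT NULL REFERENCES clients(id),
    PRIMARY KEY (advisor_id, client_id)
);

ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;   -- applies to the table owner too

-- Clients see and modify only rows they own.
CREATE POLICY client_own_rows ON clients
    FOR ALL
    USING (current_setting('app.role', true) = 'client'
           AND owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- Advisors get read-only visibility of the clients assigned to them.
CREATE POLICY advisor_assigned_rows ON clients
    FOR SELECT
    USING (current_setting('app.role', true) = 'advisor'
           AND EXISTS (SELECT 1 FROM advisor_assignments a
                       WHERE a.client_id = clients.id
                         AND a.advisor_id = NULLIF(current_setting('app.user_id', true), '')::uuid));

-- Admins see every row.
CREATE POLICY admin_all_rows ON clients
    FOR ALL
    USING (current_setting('app.role', true) = 'admin');

-- The application sets the context once per transaction, from the authenticated
-- session, before issuing any query. The third argument makes it transaction-local.
BEGIN;
SELECT set_config('app.user_id', '11111111-1111-1111-1111-111111111111', true);
SELECT set_config('app.role', 'client', true);
SELECT id FROM clients;   -- returns only rows whose owner_id matches
COMMIT;
```

Two things a reviewer would check: superusers and roles with `BYPASSRLS` ignore these policies, so the application must connect as an ordinary database role; and `FORCE ROW LEVEL SECURITY` is what makes the policies bind the table owner as well. If the settings are missing, `current_setting(..., true)` yields NULL, every predicate evaluates to NULL and no rows are visible, which is the right way to fail.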
Audit Logging
Every authentication event, data modification, and administrative action is recorded in an immutable audit log. Logs include timestamps, user identity, IP address, and action details. This supports SOC-2 compliance and provides a complete chain of custody for every action taken within the platform.
Compliance & Certifications
SOC-2 Controls
Our platform is built from the ground up with SOC-2 requirements in mind: complete audit trails, password history that blocks reuse of the last 12 passwords, account lockout policies, and error responses that never include sensitive data.
GDPR Compliance
All sub-processors operate under strict data processing agreements in accordance with GDPR Article 28. Our Privacy Policy details your rights as an EU data subject, including access, correction, portability, and deletion.
Incident Response
In the event of a security incident affecting client data, we will notify affected users within 72 hours of becoming aware of it. GDPR Article 33 requires notification to the supervisory authority within that same window, and Article 34 requires that affected data subjects be informed without undue delay. Security concerns can be reported directly to admin@abacuswt.com.
Our Sub-Processors
We engage the following third-party sub-processors to deliver our services. Each operates under strict data processing agreements in accordance with GDPR Article 28.
Last updated: March 2026. We will notify affected users of any changes to this list in accordance with our data processing agreements.
“True wealth is not merely accumulated; it is thoughtfully preserved and wisely stewarded.”