Legal
Security Policy & Responsible Disclosure
How we protect data, your responsibilities, and how to report a security issue.
1. Our security program
We protect the Services and account data using a per-record, deny-by-default authorization model enforced by B5 Secure on the FISCP platform: every request is authorized against the specific record it seeks to access and refused unless explicitly permitted. This is designed to close broken object-level authorization, a leading cause of data breaches.
2. Data protection
Sensitive data is tokenized and revealed only to a request that has earned a specific, per-record grant; communications are encrypted in transit; and access decisions are written to a tamper-evident, per-record audit trail. Requests are cryptographically signed (RFC 9421) with a post-quantum path.
3. Your responsibilities
Protect your credentials, use current software, enable available security features, and notify us promptly of suspected unauthorized access at security@investorservices.com. We will never ask for your password by email or phone.
4. Incident response
We maintain procedures to detect, investigate, and respond to security incidents and will notify affected persons and regulators as required by applicable law.
5. Responsible disclosure program
We welcome good-faith security research. In scope: the Services and our public web properties. Out of scope: denial-of-service, social engineering, physical attacks, spam, automated scanning that degrades service, and testing that accesses, modifies, or destroys other users’ data. Rules: act in good faith, only against your own test data, avoid privacy violations and service disruption, and give us reasonable time to remediate before public disclosure.
6. Safe harbor
If you follow this program in good faith, we will not pursue or support legal action against you for your research and will treat it as authorized under applicable computer-fraud laws to the extent we are able. This is not a waiver of third parties’ rights. A bug-bounty reward program is not currently offered.
7. How to report
Email security@investorservices.com with a description, steps to reproduce, and impact; where available, encrypt sensitive reports using our published PGP key. We will acknowledge receipt and work with you on remediation.
8. Changes
We may update this policy with a new effective date.
Educational only. This page is general information, not individualized investment, legal, or tax advice. Rules depend on your account type, transaction, tax year, and circumstances — consult a qualified professional.