Overview
Transparent risk disclosure matters. This page summarises the principal risks relevant to customers, the controls Adviser IQ has in place, and the residual risk your firm should be aware of. It is maintained by our Risk & Compliance Committee and reviewed quarterly.
Data breach
Risk: unauthorised access to customer data.
Controls: encryption at rest and in transit, RLS-enforced tenancy isolation, MFA, audit logging, annual pen-testing, incident response plan.
Residual risk: low. See Data Breach Response.
AI output error
Risk: AI-drafted content contains errors or omissions that reach a client.
Controls: every AI output requires explicit adviser approval before client-facing use; AI marked as draft; learning loop captures corrections; disclaimers prominent.
Residual risk: requires discipline from your advisers. See Disclaimers.
Sub-processor failure
Risk: failure of a third-party provider (hosting, AI, email, payments) disrupts service.
Controls: diligence before onboarding, SLA terms, monitoring, contingency vendor identified for each critical role.
Residual risk: medium for non-critical integrations; low for critical path. See Sub-Processors.
Regulatory change
Risk: FCA or ICO rule change requires product adaptation your firm needs immediately.
Controls: quarterly horizon scanning, 90-day implementation target for material changes, customer communication 30 days in advance.
Residual risk: medium — unpredictable regulator timing. Your firm retains accountability.
Supplier insolvency
Risk: Adviser IQ commercial failure affects service continuity.
Controls: well-capitalised; data export available at any time in machine-readable format; escrow arrangement under consideration for IQ Principal tier.
Residual risk: low commercial risk; mitigation: data export on demand.
Data loss
Risk: customer data lost due to corruption or operator error.
Controls: 30-day PITR, daily backups, backup integrity tests, no destructive destructive operations without two-person approval.
Residual risk: very low.
Platform misuse by your firm's users
Risk: a user within your firm misuses the Platform (unauthorised access, data exfiltration).
Controls: RBAC, audit logs, export tracking, alerting on anomalous patterns.
Residual risk: partially your firm's responsibility — principal oversight and Acceptable Use Policy enforcement.
IP disputes (third-party content)
Risk: third-party claims against Platform or content.
Controls: IP indemnity in Terms; careful use of third-party data and trademarks.
Residual risk: low.
Force majeure
Natural disasters, infrastructure-provider regional failure, cyber-warfare events. Mitigated by DR and geographically-diverse backup retention. Excluded from SLA as standard.
Review cycle
Reviewed quarterly by the Risk & Compliance Committee. Next review: July 2026.