Overview
Security is a first-class product concern at Adviser IQ. Our customers handle sensitive personal and financial data about UK clients; they operate under FCA, ICO, and Consumer Duty obligations. Our job is to make the security side invisible — always on, never compromised.
This page summarises our current technical and organisational security measures. For contractual commitments, see our DPA.
Data residency
All customer data is stored within the United Kingdom (AWS eu-west-2, London). No customer personal data leaves the UK for storage or processing. Sub-processors with incidental access (AI model providers) operate under UK/EU-adequate DPAs with zero-retention terms.
Encryption
In transit: TLS 1.3 everywhere. HSTS enforced. Minimum TLS 1.2 for legacy clients, with strong cipher-suite policy.
At rest: AES-256 for all customer data in databases, file storage, and backups. Encryption keys managed via AWS KMS with rotation.
Tenant isolation
Adviser IQ is multi-tenant with strict row-level security (RLS) enforced at the database layer. Every query is scoped to the authenticated firm's firm_id. RLS policies are tested on every deployment. Cross-tenant access is not possible through the application layer.
Authentication & identity
Password-based auth with Argon2 hashing, WebAuthn/passkey support, mandatory MFA for admin roles, optional MFA for all users. SSO (SAML, OIDC) available on IQ Firm+ tiers. Session lifetimes, IP allowlists, and device checks configurable per firm.
Audit logging
Every material user action is logged to an immutable audit vault: logins, data access, data export, record changes, role changes, integration connects. Audit log retention: lifetime of the Subscription + 90 days post-termination export window.
Backups & DR
Point-in-time recovery across 30 days. Daily full backups with 30-day rolling retention. Backups encrypted at rest, stored in-region. Disaster recovery runbook tested quarterly. RPO 15 minutes; RTO 4 hours.
Penetration testing & vulnerability management
Annual third-party penetration test by a CREST-accredited UK firm. Continuous vulnerability scanning across infrastructure and dependencies. Responsible disclosure at security@adviseriq.co.uk.
People & processes
All staff DBS-checked, bound by confidentiality terms, annual security training. Background checks on engineering hires with production access. Principle of least privilege enforced.
Incident response
24/7 on-call rota. Incident commander model. Customer notification within 24 hours of a personal-data incident. See Data Breach Response Policy.
Compliance posture
Current: ICO registered, UK GDPR compliant, Cyber Essentials Plus roadmap Q3 2026. Planned: SOC 2 Type II (2026 H2), ISO 27001 (2027). Standard audit artefacts available on request for evaluation — contact security@adviseriq.co.uk.
AI & model security
AI prompts are processed via provider DPAs with zero-retention configurations. No customer data is used to train third-party models. Internal model usage is logged and auditable. See Disclaimers on AI limitations.
Reporting a vulnerability
Email security@adviseriq.co.uk. Acknowledgement within 4 business hours. We work with researchers in good faith; we do not pursue legal action against responsible disclosure.