Pillar 1 — Protect

Compliance Automation.

Compliance is not a feature at TECH — it is the foundation. Every message sent, every match generated, every AI artefact produced, every consent granted or revoked is captured in an immutable audit trail engineered for FINRA, SEC, CCPA/CPRA, GLBA, BSA/AML, and DORA requirements from day one. This document maps what the platform does for each regulation, what it retains, and how you export it when the examiner calls.

TL;DR

Not a compliance add-on. TECH was designed by a team that has run platforms inside regulated financial institutions. Every architectural decision — data model, message archive, AI boundary, consent versioning, retention window — starts from a specific regulator's expectation and works backwards. The list below is the receipts.

FINRA Rule 4511 — Communications archival

FINRA Rule 4511 requires member firms to preserve business-related communications in write-once, read-many (WORM) storage for at least six years, with the first two years readily accessible. TECH's messaging layer is built to this standard natively.

Every message exchanged between members — whether human-authored, human-edited-from-AI-draft, or AI-assisted — is archived with:

Sender identity — user id, org id, role at time of send.
Recipient identity — same attributes for the other side.
Timestamp — UTC, to the second.
Content hash — SHA-256 of the body, so post-hoc modification is cryptographically detectable.
AI metadata — if AI contributed, the model name, version, and a hash of the generating prompt.
Channel context — the match, deal, or connection the message belongs to.

The archive storage backend is append-only. Messages cannot be edited or deleted by any user-facing action; a CCPA-initiated erasure replaces the body with a tombstone while preserving the audit envelope, which is the FINRA-compliant way to reconcile the two regimes.

Retention

6 years default; 7 for Enterprise plans

Accessibility

First 2 years readily accessible; years 3-6 warm-retrieval within 48h

Export format

WORM-compliant zip with manifest — SEC 17a-4(f) compatible

Deduplication

Content-addressable — identical messages keep one copy with multiple refs

SEC Marketing Rule 206(4)-1 — AI labelling

The 2021 amendment to SEC Rule 206(4)-1 ("the Marketing Rule") applies to registered investment advisers and imposes a general prohibition on untrue statements, misleading omissions, and unsubstantiated claims — including in AI-generated content. TECH's AI surfaces are built to stay on the right side of that line by default.

Every AI-generated artefact in TECH carries four guardrails:

1Visible AI label

PRISM match rationales, Fit Analyses, ROI Projections, Playbooks, outreach drafts, and every Intelligence report display a prominent "AI-generated" badge at the top of the UI and carry an is_ai_generated: true flag in the API response.

2Hedged language

The system prompts we use with Claude explicitly instruct the model to frame projections and scoring with confidence language ("likely", "based on available data") rather than definitive claims. Outputs are continuously evaluated against a set of over-claim triggers.

3No autosend

AI-drafted outreach messages cannot be sent automatically. Sending always requires a human click, hard-coded at the API layer — no API surface exists to bypass it. This is not a UI affordance; it is an architectural constraint.

4Model provenance

Every AI artefact stores the model name, model version, and prompt template version used to generate it. When an examiner asks "what generated this claim on this date," the answer is reproducible.

CCPA / CPRA — Consumer privacy

Members on TECH are businesses, but individuals within those businesses (users) have rights under CCPA/CPRA in California and under equivalent regimes across jurisdictions. TECH honours those rights through self-serve endpoints.

What we collect

Identity — name, email, title, phone (optional).
Profile — bio, LinkedIn URL (optional), avatar (optional).
Engagement — login events, pages visited, actions taken, messages sent.
Consents — category, version, timestamp, IP, user-agent.
Device — browser fingerprint for anomaly detection.

What users can do

Right to know — Settings → Privacy → Export my data produces a zip of everything above.
Right to delete — Settings → Privacy → Delete account removes personal data and revokes consents. FINRA-mandated retention is honoured via tombstoning.
Right to correct — profile editing lets users correct any attribute immediately.
Right to opt out of sale — TECH does not sell personal data. Full stop.
Right to limit use — optional consents (marketing communications) can be revoked independently.

Six consent categories — unbundled

GDPR Article 7 and CCPA both require consent to be specific and unbundled. TECH collects six independent consents:

Mandatory for platform use

Mandatory. Data handling practices

Data Processing

Mandatory. GDPR lawful basis

AI Matching

Mandatory to use PRISM. EU AI Act limited-risk

FINRA Archival

Mandatory. Acknowledges immutable messaging

Communications

Optional. Product updates + weekly digest

GLBA — Financial data handling

The Gramm-Leach-Bliley Act's Safeguards Rule and Privacy Rule govern how financial institutions handle non-public personal information. TECH's posture is deliberately conservative: we do not store consumer-level financial data. No consumer account numbers, balances, transactions, credit scores, or SSNs ever transit our systems.

What we do handle are org-level financial signals — funding amounts, revenue bands, deal sizes, partnership-specific ROI inputs. For these:

Encryption at rest — AES-256 across all stores (Postgres, Redis, S3).
Encryption in transit — TLS 1.3 only, no downgrade.
Access control — role-based with audit logging on every read.
Rate limits — bulk export endpoints throttled and alerted.
Breach response — documented playbook with 72-hour notification target.

BSA / AML — Institutional screening

Every member organization passes through SHIELD's KYB pipeline — Persona-powered entity verification, beneficial ownership discovery, sanctions screening (OFAC, EU consolidated list, UN Security Council, HM Treasury, 40+ national lists), PEP checks, and adverse media — before gaining full platform access. See KYB Verification for the full flow.

After onboarding, monitoring is continuous: nightly sanctions refresh, weekly adverse media scan, and automatic transition-to-alert on any hit. A critical hit (active sanctions match) immediately freezes the org's Trust Score and quarantines their matches pending review.

DORA — EU operational resilience

The EU Digital Operational Resilience Act entered force in January 2025 with a transitional period that ended in early 2026. Any EU-regulated financial entity using TECH — or any US fintech partnering with an EU bank — now operates under DORA's ICT risk framework.

TECH's DORA posture consists of:

ICT risk register — documented for Anthropic (AI), Persona (KYB), AWS (hosting), Stripe (billing).
Third-party dependency register — with concentration risk analysis and documented exit strategies for each critical vendor.
Incident reporting — 72-hour SLA aligned to DORA Article 19, with escalation templates pre-built.
TLPT participation — threat-led penetration testing coordinated annually.
Exit packs — every customer can request data + metadata export in DORA-compliant format within 5 business days.

EU AI Act

TECH's AI surfaces (PRISM matching, Intelligence Analyzer) are classified as limited-risk under the EU AI Act because they support but do not replace human partnership decisions. The Act's transparency obligations (labelling, traceability) are already covered by our Marketing Rule posture above. High-risk classification only applies if TECH were to automate creditworthiness decisions or employment screening — we do not.

The compliance export

Everything described above rolls up into a single exportable record. An authorised admin clicks Compliance export in SHIELD and a signed zip is produced containing:

Messages archive (WORM format, SEC 17a-4(f)).
Match history with AI provenance per match.
Consent log (category, version, event type, timestamp, IP, user-agent).
AI artefact ledger — every report, rationale, draft with model metadata.
KYB status history with check-by-check outcomes.
Access log (successful and failed logins, session fingerprints).
Admin action log (role changes, settings modifications, data exports).
Manifest with SHA-256 of every file + a signature from TECH's compliance key.

The export is generated asynchronously — large orgs see it in minutes; the largest in up to an hour. Delivery is by signed URL with a 72-hour expiry. Every export is itself logged, so there's an audit of the audit.

Compliance FAQ

Is TECH FINRA-registered?

TECH is a technology platform, not a registered broker-dealer or investment adviser. Members who are themselves registered use TECH in a way that supports their own compliance obligations — our archival and AI controls are designed to meet their expectations.

Where is data stored?

Primary region is AWS US-East-1 (N. Virginia) with DR in US-West-2 (Oregon). Enterprise customers can opt into EU-West-1 (Ireland) primary with US DR for DORA alignment.

Is TECH SOC 2 certified?

TECH operates to SOC 2 Type II controls during the pre-seed build and plans to complete the formal audit alongside the seed round. All practices documented here are in place today; the Type II report attests to their operation over a window.

API surface

GET /shield/compliance/logs/

Paginated audit log for your org

POST /shield/compliance/export/

Generate full compliance export (async)

POST /shield/compliance/verify-member/<org_id>/

Validate a counterparty's compliance status in real time

POST /shield/data-export/

Member-level CCPA / GDPR export

POST /shield/data-delete/

Member-level deletion request

POST /shield/audit-export/

Generate the administrative audit log only

Audit-ready, today

Open SHIELD → Compliance.

Every control described above is visible from that tab — export the trail, review consent records, monitor AI artefact lineage.

Open SHIELD →