AdvisorApex™
Trust & Safety

Security

Last updated: June 9, 2025

Security is not optional for a financial advisor platform. Your leads’ data, your clients’ information, and your practice’s reputation depend on it. Here is exactly how we protect it.

Data Encryption

In Transit

All data transmitted between your browser, the AdvisorApex servers, and our database is encrypted using TLS 1.3. HTTP connections are automatically redirected to HTTPS. Our SSL certificates are maintained by Vercel and renewed automatically.

At Rest

All database storage is encrypted at rest using AES-256. This includes your advisor profile, all lead records, CASL consent logs, appointment notes, and AI agent action logs. Stripe handles payment card data on their PCI-DSS compliant infrastructure — we never store raw card numbers.

Canadian Data Residency

Our primary database runs on Supabase PostgreSQL in the ca-central-1 (Canada Central) region. This means your data and your leads’ data are physically stored within Canada, consistent with PIPEDA requirements and supporting your obligations under provincial privacy legislation.

Application servers are deployed on Vercel’s edge network. While Vercel may serve requests from edge nodes globally for performance, all database reads and writes execute in Canada.

Access Controls

  • Authentication: Powered by Clerk — supports email/password, Google OAuth, and multi-factor authentication (MFA). We strongly recommend enabling MFA on your account.
  • Row-Level Security: Our database enforces row-level security policies — your data is cryptographically isolated from other organisations on the platform. Even in the event of a misconfiguration in application code, the database layer enforces tenancy boundaries.
  • Employee access: AdvisorApex staff access to production data requires explicit approval, is logged, and is time-limited. No employee has standing access to client data.
  • API keys: All third-party API keys and secrets are stored as encrypted environment variables, never in source code.
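As an added illustration of how database-level tenant isolation of the kind described above is normally expressed in PostgreSQL: this is example SQL written for this page, not AdvisorApex’s own schema or policies. The `leads` table, its `advisor_id` column, and the use of Supabase’s `auth.uid()` helper (which returns the user id carried in the request’s JWT) are assumptions.

```sql
-- Added example: tenant isolation with PostgreSQL row-level security (RLS).
-- Assumed schema: a leads table whose rows each belong to one advisor account.
create table if not exists leads (
  id          bigint generated always as identity primary key,
  advisor_id  uuid not null,          -- owning tenant (assumed column)
  full_name   text not null,
  email       text,
  created_at  timestamptz not null default now()
);

-- Enable RLS, and force it so that even the table owner is subject to the
-- policies rather than bypassing them.
alter table leads enable row level security;
alter table leads force row level security;

-- One policy for every statement type: a caller may read, insert, update or
-- delete only rows whose advisor_id equals their own identity.
-- USING filters rows already in the table; WITH CHECK rejects a write that
-- would create or move a row into another tenant's advisor_id.
create policy leads_tenant_isolation on leads
  for all
  using (advisor_id = auth.uid())
  with check (advisor_id = auth.uid());

-- Remove the default grants so that access flows only through the policy.
revoke all on leads from public;
grant select, insert, update, delete on leads to authenticated;
```

The practical caveat is that RLS only binds connections that run as an ordinary database role: PostgreSQL superusers and any role with the `BYPASSRLS` attribute (in Supabase, the `service_role` key) skip the policies entirely. The guarantee that a mistake in application code cannot cross a tenancy boundary therefore holds only for queries issued under the end user’s own JWT, so a useful review check is to confirm that request-path code uses the user-scoped client and that the service key is confined to trusted back-office jobs.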

Infrastructure Security

  • Vercel provides DDoS protection and Web Application Firewall (WAF) on all production deployments.
  • Database connections use connection pooling with TLS and require credentials that rotate regularly.
  • Cron jobs and internal APIs are protected by a secret token — no unauthenticated access to internal endpoints.
  • Dependencies are monitored for known CVEs. Critical security patches (such as Next.js CVE-2025-66478) are applied within 24 hours of a fix becoming available.

Vulnerability Disclosure

If you discover a security vulnerability in AdvisorApex, please report it responsibly. Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue.

Security contact: security@advisorapex.ca

We commit to acknowledging all reports within 48 hours and providing a resolution timeline within 7 business days for critical issues.

Breach Notification

In the event of a data breach that poses a real risk of significant harm, we will notify affected users and report to the Office of the Privacy Commissioner of Canada as required under PIPEDA. We will provide clear information about what data was affected, the steps we have taken, and what you can do to protect yourself.

© 2025 AdvisorApex Inc. · Canadian Data Residency · PIPEDA Compliant