Leveridge handles sensitive client information — tax returns, property records, income data. This page explains exactly what we do with it, how we protect it, and what we never do with it.
Tax return PDFs are never stored. We extract the numbers and delete the file from memory within 60 seconds. No PDF archive exists anywhere in our systems.
AI never trains on your clients' data. We use Amazon's AWS Bedrock, which has a zero data-retention policy. Model providers have zero access to your data.
Your clients' data belongs to you. We process it solely to provide the service you contracted for. We do not sell it or share it for any purpose other than operating the platform.
Everything is encrypted. Data at rest uses AES-256. All data in transit uses TLS 1.3. Passwords are never stored in readable form.
No other advisor can see your clients' data. Data isolation is enforced at the database layer. One advisor's data is never accessible to another.
The entire process takes 30–60 seconds from upload to deletion.
Upload
The file is received into application memory only. It is never written to disk.
Fingerprint
A digital hash of the file is created for duplicate detection. We check if you've uploaded this file before.
AI Extraction
The PDF is sent to Amazon's AI service (AWS Bedrock) running within our private AWS environment. It extracts the financial data we need.
Data Saved
Only the structured financial data is saved to your account. Everything else is discarded.
PDF Deleted
All references to the PDF are released from memory. The file no longer exists anywhere in our systems — not on disk, not in cloud storage, not in any backup.
What we save
Household income and deductions
Property addresses and rental income
Expense categories and amounts
Tax year and filing status
Depreciation details
File fingerprint (duplicate detection only)
What we never save
The PDF file itself — ever
Social Security Numbers
Signatures, handwritten notes, or annotations
W-2s, 1099s, or other attached source documents
Any data not needed for property analysis
If our database were ever breached, the attacker would find structured financial summaries, the same type of information found in any financial planning file. There is no document archive, no scanned images, no original tax returns. You cannot steal what does not exist.
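A sketch of the upload flow and the save / never-save lists above, as an added example that is not Leveridge's code. The field names, the `extract` callable and the sample bytes are assumptions constructed for illustration; the block shows in-memory fingerprinting, allow-list filtering before anything is persisted, and overwriting the buffer rather than relying on garbage collection.

```python
import hashlib
from typing import Optional

# Assumed allow-list mirroring the "What we save" list (key names are hypothetical).
ALLOWED_FIELDS = {"household_income", "deductions", "property_address",
                  "rental_income", "expenses", "tax_year", "filing_status",
                  "depreciation"}


def process_upload(buf: bytearray, seen: set, extract) -> Optional[dict]:
    """Fingerprint, extract, minimise, then wipe an in-memory upload.

    buf     -- mutable buffer holding the PDF bytes (nothing here touches disk)
    seen    -- fingerprints already stored for this account
    extract -- hypothetical callable standing in for the AI extraction step
    Returns the record to persist, or None for a duplicate upload.
    """
    try:
        fingerprint = hashlib.sha256(buf).hexdigest()
        if fingerprint in seen:
            return None
        with memoryview(buf) as view:  # no immutable copy of the file is made
            raw = extract(view)
        # Data minimisation: keep only allow-listed keys, so anything else the
        # extractor returned (an SSN, for example) never reaches storage.
        record = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
        record["file_fingerprint"] = fingerprint
        seen.add(fingerprint)
        return record
    finally:
        # Overwrite the PDF bytes in place; runs on success, duplicate and error.
        buf[:] = bytes(len(buf))


def sample_extract(view) -> dict:
    # Constructed stand-in output, deliberately including a field that must not be saved.
    return {"tax_year": 2023, "filing_status": "MFJ",
            "rental_income": 18000, "ssn": "000-00-0000"}


def demo():
    seen = set()
    data = b"%PDF-1.7 constructed sample bytes"
    pdf = bytearray(data)
    first = process_upload(pdf, seen, sample_extract)
    wiped = not any(pdf)  # True once every byte of the buffer is zero
    second = process_upload(bytearray(data), seen, sample_extract)
    return first, wiped, second
```

The wipe only covers this one buffer: copies made earlier by a web framework or HTTP parser are outside its reach, which is why the buffer is passed as a `memoryview` rather than converted to `bytes`.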
Leveridge uses AI for two specific purposes: tax return data extraction and property analysis insights. We use Amazon Web Services Bedrock, AWS’s managed AI inference service, operating entirely within our private AWS environment.
These are contractual commitments in our AWS service agreement. AWS Bedrock is covered by AWS’s SOC 2 Type II and ISO 27001 certifications.
Leveridge runs entirely on Amazon Web Services (AWS), US-West-1 (Northern California). All data processing and storage occurs within the United States.
Our internal tools (Slack, GitHub, Linear, CRM) do not have access to client data.
Leveridge is not your books-and-records custodian.
SEC Rule 204-2 requires RIAs to maintain books and records — typically 5 years for most records. This obligation belongs to your firm, not to Leveridge. Leveridge provides data export in JSON, CSV, and PDF formats at any time. We recommend establishing a regular export cadence as part of your firm’s recordkeeping program.
Your firm’s compliance obligations under GLBA and SEC Regulation S-P require you to vet and monitor your technology vendors. We support that with:
This document for your vendor oversight file
A Data Processing Agreement (DPA) formalizing our security obligations, including your right to request documentation of our security controls
Our full Information Security White Paper (available upon request)
Responses to vendor security questionnaires (VSA or your firm's custom questionnaire) within 5 business days
Compliance review calls and support for SEC examinations
A note on our certifications
We are an early-stage company and do not yet hold independent certifications. We are honest about that. Our security program is designed in alignment with the GLBA Safeguards Rule, NIST Cybersecurity Framework, and SOC 2 Trust Services Criteria — though we do not claim formal certification at this stage. SOC 2 Type II is targeted for Q2 2027. Our infrastructure providers (AWS and AWS RDS (PostgreSQL)) hold the certifications relevant to the underlying infrastructure layer.
We respond to security questions and vendor questionnaires within 5 business days. To request a DPA or the full Information Security White Paper, email us directly.