Security White Paper

Effective Date: March 2026

This document outlines Tactive's comprehensive approach to security, privacy, and compliance. It is intended for current and prospective clients, partners, and auditors who need to understand our security posture.


1. Executive Summary

Tactive is a technology platform built for financial advisors and wealth management firms. Because we operate in a highly regulated industry and handle sensitive financial data, security is not an afterthought — it is foundational to every layer of our architecture, operations, and culture.

This white paper details the policies, controls, and certifications that protect our platform and the data entrusted to us by our clients.


2. Certifications & Compliance Frameworks

2.1 SOC 2 Type II

Tactive has completed a SOC 2 Type II audit conducted by an independent third-party auditor. This certification validates that our security controls operate effectively over an extended period — not just at a single point in time. The audit covers the Trust Services Criteria:

  • Security — Protection against unauthorized access
  • Availability — System uptime and operational resilience
  • Confidentiality — Protection of confidential information
  • Processing Integrity — Accurate and complete data processing
  • Privacy — Personal information handling in accordance with commitments

2.2 ISO 27001

Tactive maintains an Information Security Management System (ISMS) aligned with ISO/IEC 27001. This international standard requires us to:

  • Systematically assess information security risks
  • Design and implement comprehensive controls
  • Adopt an ongoing management process to ensure controls remain effective
  • Conduct regular internal audits and management reviews

2.3 ISO/IEC 42001 — AI Management Systems

As an AI-powered platform, Tactive adheres to ISO/IEC 42001, the international standard for responsible AI management. This certification demonstrates our commitment to:

  • Risk-based AI governance — Identifying and mitigating risks specific to AI systems, including bias, hallucination, and unintended outcomes
  • Transparency — Providing clear explanations of how AI features generate outputs, including our ScruffGuard verification framework
  • Accountability — Maintaining human oversight and auditability for all AI-driven recommendations
  • Data quality — Ensuring training data and retrieval sources meet accuracy and relevance standards
  • Continuous monitoring — Tracking AI model performance, drift, and compliance over time

2.4 GDPR

Tactive complies with the General Data Protection Regulation (GDPR) for all users in the European Economic Area. Our GDPR program includes:

  • Lawful basis for processing — We identify and document the legal basis for each data processing activity
  • Data minimization — We collect only the data necessary for the stated purpose
  • Individual rights — Users can exercise their rights to access, rectify, erase, restrict processing, data portability, and object to processing
  • Data Protection Impact Assessments (DPIAs) — Conducted for high-risk processing activities
  • Cross-border transfers — Data transferred outside the EEA uses approved mechanisms (Standard Contractual Clauses)
  • Breach notification — Supervisory authorities and affected individuals are notified within 72 hours of a qualifying breach

2.5 CCPA

Tactive complies with the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA). This includes:

  • Right to know — California residents can request details about the personal information collected about them
  • Right to delete — Users can request deletion of their personal information
  • Right to opt-out — Users can opt out of the sale or sharing of their personal information
  • Right to non-discrimination — We do not discriminate against users who exercise their privacy rights
  • Data retention limits — Personal information is retained only as long as necessary for the stated purpose

3. Infrastructure Security

3.1 Cloud Architecture

Tactive is deployed on Amazon Web Services (AWS), leveraging a modern serverless architecture:

  • Compute — AWS Lambda and AWS Amplify for serverless execution with automatic scaling
  • Database — AWS Aurora PostgreSQL with encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Storage — Amazon S3 with server-side encryption, versioning, and lifecycle policies
  • Networking — Virtual Private Cloud (VPC) with private subnets, security groups, and network ACLs
  • CDN — Amazon CloudFront with TLS termination and DDoS protection via AWS Shield

3.2 Encryption

  • At rest — All data is encrypted using AES-256 encryption. Database encryption uses AWS-managed keys via AWS KMS.
  • In transit — All communications use TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on all endpoints.
  • Application-level — Sensitive fields (API keys, credentials) are encrypted at the application layer before storage.

3.3 Network Security

  • All services operate within private VPC subnets with no direct internet exposure
  • Ingress is restricted to CloudFront distributions and VPN endpoints
  • Security groups follow the principle of least privilege
  • VPC Flow Logs are enabled for traffic monitoring and anomaly detection

4. Application Security

4.1 Secure Development Lifecycle

  • Code review — All changes require peer review before merge
  • Static analysis — Automated linting and type checking (Biome, TypeScript strict mode) on every pull request
  • Dependency scanning — Automated vulnerability scanning of third-party packages
  • Secret management — Secrets are stored in AWS SSM Parameter Store and injected at runtime; never committed to source control
  • Environment separation — Development, staging, and production environments are fully isolated

4.2 Authentication & Authorization

  • Authentication — Powered by Better Auth with support for email/password, SAML SSO, and multi-factor authentication (MFA)
  • Session management — Secure, HTTP-only, SameSite cookies with configurable session lifetimes
  • Role-based access control (RBAC) — Granular permissions ensure users only access resources appropriate to their role
  • Admin controls — Organization administrators can manage team members, enforce SSO, and configure security policies

4.3 API Security

  • All API endpoints require authenticated sessions
  • Input validation and schema enforcement via Zod on every request
  • Rate limiting to prevent abuse
  • CORS policies restrict cross-origin requests to authorized domains

4.4 AI-Specific Security (ScruffGuard)

Tactive's AI features are protected by ScruffGuard, our proprietary verification framework:

  • Source attribution — Every AI-generated insight includes traceable references to its data sources
  • Hallucination detection — Automated checks verify AI outputs against authoritative data before delivery
  • Human-in-the-loop — AI recommendations are always presented as suggestions, with advisor approval required for client-facing outputs
  • Prompt injection protection — Input sanitization and guardrails prevent manipulation of AI behavior
  • Audit trail — All AI interactions are logged with timestamps, inputs, outputs, and model versions for full traceability

5. Data Protection

5.1 Data Classification

Tactive classifies data into four tiers:

| Classification | Description | Examples |
|---|---|---|
| Public | Freely available | Marketing content, public documentation |
| Internal | For internal use | Internal processes, non-sensitive configs |
| Confidential | Business-sensitive | Client lists, financial models, proprietary algorithms |
| Restricted | Highest sensitivity | PII, financial account data, authentication credentials |

Each tier has defined handling requirements for storage, transmission, access, and disposal.

5.2 Data Retention & Disposal

  • Data retention periods are defined per data type and regulatory requirement
  • Client data is retained for the duration of the service agreement plus the legally required retention period
  • Upon account termination, client data is securely deleted within 90 days, with certification available upon request
  • Backups follow the same retention schedule and are encrypted with separate key management

5.3 Data Residency

  • Primary data processing and storage occurs in AWS US regions
  • Clients can request data residency information for compliance with local regulations
  • Cross-border data transfers comply with applicable frameworks (GDPR SCCs, as required)

6. Operational Security

6.1 Access Management

  • All employee access follows the principle of least privilege
  • Access to production systems requires MFA and is granted on a need-to-know basis
  • Access reviews are conducted quarterly
  • Employee offboarding includes immediate revocation of all system access

6.2 Logging & Monitoring

  • Audit logs — All authentication events, data access, and administrative actions are logged
  • Centralized monitoring — Logs are aggregated and analyzed for security events
  • Alerting — Real-time alerts for suspicious activity, unauthorized access attempts, and system anomalies
  • Retention — Security logs are retained for a minimum of 12 months

6.3 Incident Response

Tactive maintains a documented Incident Response Plan:

  1. Detection — Automated monitoring and manual reporting channels
  2. Triage — Severity classification and response team activation
  3. Containment — Immediate measures to limit impact
  4. Eradication — Root cause identification and remediation
  5. Recovery — Service restoration and verification
  6. Post-incident review — Lessons learned and control improvements

Clients are notified within 72 hours of any incident affecting their data, in accordance with regulatory obligations.

6.4 Business Continuity & Disaster Recovery

  • RPO (Recovery Point Objective) — Less than 1 hour for critical data
  • RTO (Recovery Time Objective) — Less than 4 hours for platform availability
  • Multi-AZ database deployment ensures automatic failover
  • Regular disaster recovery drills are conducted and documented
  • Backups are tested quarterly for integrity and restorability

7. Vendor Management

  • All third-party vendors undergo security review before onboarding
  • Vendors with access to client data must demonstrate SOC 2 or equivalent certification
  • Data Processing Agreements (DPAs) are executed with all sub-processors
  • Vendor risk assessments are reviewed annually

Key sub-processors include:

| Vendor | Purpose | Certification |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | SOC 2, ISO 27001, FedRAMP |
| Vercel | Frontend hosting | SOC 2 |
| OpenAI | AI model inference | SOC 2 |
| Anthropic | AI model inference | SOC 2 |


8. Employee Security

  • Background checks are conducted for all employees with access to production systems
  • Security awareness training is mandatory during onboarding and refreshed annually
  • Phishing simulation exercises are conducted regularly
  • All employees sign confidentiality and acceptable use agreements

9. Physical Security

Tactive operates as a cloud-first organization. Physical security controls are inherited from our cloud infrastructure providers:

  • AWS data centers maintain SOC 2, ISO 27001, and FedRAMP certifications
  • Physical access to data centers requires multi-factor authentication, biometric scanning, and 24/7 security monitoring
  • For Tactive offices, access controls, visitor management, and clean desk policies are enforced

10. Penetration Testing & Vulnerability Management

  • External penetration tests are conducted annually by independent third-party firms
  • Internal vulnerability scans are performed weekly
  • Critical vulnerabilities are triaged and remediated within 24 hours
  • High-severity vulnerabilities are patched within 7 days
  • Remediation progress is tracked and reported to leadership

11. Client Security Controls

Tactive provides clients with configurable security features:

  • SAML SSO — Integrate with your identity provider (Okta, Azure AD, Google Workspace, etc.)
  • Multi-factor authentication — Enforce MFA for all team members
  • IP allow-listing — Restrict platform access to approved IP ranges
  • Audit logs — View detailed activity logs for your organization
  • Session management — Configure session timeout and concurrent session limits
  • Data export — Export your data at any time in standard formats

12. Regulatory Alignment

As a platform serving financial advisors and wealth management firms, Tactive is designed with financial industry regulations in mind:

  • SEC/FINRA — Audit trail and record-keeping capabilities support compliance with SEC Rule 17a-4 and FINRA supervision requirements
  • SOX — Internal controls and access management support Sarbanes-Oxley compliance for applicable clients
  • State privacy laws — In addition to CCPA, Tactive monitors and adapts to emerging state privacy legislation

13. Contact & Reporting

For security inquiries, audit requests, or to report a vulnerability:

  • Email: security@tactive.com
  • Responsible disclosure: We welcome security researchers to report vulnerabilities through our responsible disclosure program. Please contact security@tactive.com with details.

This document is reviewed and updated at least annually, or more frequently as regulations, certifications, or our infrastructure evolve. The most current version is always available at this URL.