A small private practice can ship a stronger security posture than most boutiques. The reasons are structural. We do not collect what we do not need, we encrypt what we do hold, and the people who can read it are the people you have already met.
Principles, not policies.
Compliance documents drift. Principles do not. We hold ourselves to four, and the operational rules below all derive from them.
Minimal disclosure
We collect what we need to do the work, nothing more. We never ask for an SSN, a passport scan, or a bank statement during the apply phase. KYC, where required, runs through an external partner and we hold a token, not the underlying document.
Encryption by default
Client files are encrypted at rest with envelope encryption. Inter-service traffic is mutually authenticated. Reads on the file are logged. The encrypted channel is end-to-end encrypted with client-held keys for Cover and above.
Time-bounded retention
A 24-month rolling window by default. A 6-month minimal-retention setting is available on request. After the window, signals on your file are aggregated to anonymous statistics and the originals are erased.
Out-of-band verification
Voice instructions are verified through a separate channel, agreed in writing during onboarding. No transaction, transfer authorisation, or material disclosure runs on a voice call alone.
Data lifecycle.
Three structurally separated stores. Names never travel with signals. Originals don't outlive the window.
The operational rules.
Hosting
EU-residency only. Frankfurt and Amsterdam regions across two providers. Disaster recovery is also EU-resident.
Authentication
Hardware-key MFA mandatory for all team accounts. SSO is not used because it is a single point of compromise for a small team. Each system has a separate credential, rotated quarterly.
Client identifiers
Each client has a non-reversible reference, the M-XXXXXX you saw at application. Internally, we work from the reference, not the name. Names sit in a separate, encrypted table that is read on a per-action basis, with an audit log.
Logging and audit
Every read on a client file is logged with team member, timestamp, and reason. Clients on Cover and above can request the audit log on their file at any time, and we provide it within five working days.
Inter-team communication
Operational discussion runs on Signal between team members and on the encrypted channel with clients. Email is for transactional and brief delivery. Slack and similar broadcast tools are not used for client matters.
Backups
Encrypted backups to a third region, tested for restore quarterly. Backups are also rolling 90-day, with a separate retention envelope. The keys for backup decryption are held by Kerem and Yelena, separately, with an M-of-N recovery procedure.
Vendor reviews
We review the security posture of every vendor that touches client data once a year. The list is short and the review is not pro forma. Vendors that fail the review are replaced.
Response readiness
A documented runbook for security incidents that affect us or our vendors. Clients are notified within 72 hours of confirmed exposure or sooner where regulation requires. We do not delay notification to manage narrative.
What we do not do.
We do not store credit card numbers, bank account numbers, or wire instructions. Billing runs through a payment processor we do not control.
We do not run background checks on our clients. The application reviews capacity and fit, not their criminal history.
We do not share client data with third parties. Not with regulators absent a valid order, not with affiliates, not in aggregate.
We do not use client data to train AI. Period. The system uses public data and our own historical signal database, not client files.