Trust & Security

Security Overview

Tidal is built for financial advisors who take their fiduciary responsibility seriously. Client data security is not an afterthought — it's the foundation every decision is built on.

Architecture

Tidal is a single-tenant SaaS platform. Each advisory firm operates on a completely isolated Supabase database instance — there is no shared database infrastructure between firms. Your client data never touches another firm's database, and there is no multi-tenant pooling or shared storage.

All data is stored in Supabase (PostgreSQL) hosted on AWS with AES-256 encryption at rest. All data in transit is encrypted via TLS 1.3. Row-level security (RLS) policies are enforced at the database layer, ensuring that authenticated users can only access data within their firm.

The application layer runs on Vercel's serverless edge infrastructure, distributed globally for performance and resilience. No server state is maintained between requests.

Security Features

AES-256 Encryption at Rest

All database records, file attachments, and stored credentials are encrypted using AES-256. Keys are managed by Supabase's enterprise key management system.

TLS 1.3 in Transit

All connections between clients, the application, and the database use TLS 1.3. No unencrypted communications are permitted.

Complete Tenant Isolation

Each firm gets its own dedicated Supabase project. No shared database, no shared storage. Your data has zero contact with other firms' environments.

TOTP Multi-Factor Authentication

TOTP-based MFA is required for all users. Device trust is managed via HMAC-signed cookies with a 30-day expiry. Sessions time out after 8 hours of inactivity.
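To show what an HMAC-signed device-trust cookie with a 30-day expiry looks like in practice, here is an added illustrative example. It is not Tidal's code; the cookie layout, field names and the server-side key are assumptions, and the example only checks that a cookie is untampered, unexpired and bound to the user who completed TOTP on that device.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Device-trust lifetime: 30 days, matching the expiry stated on the page.
DEVICE_TRUST_TTL_SECONDS = 30 * 24 * 60 * 60


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_cookie(key: bytes, user_id: str, now: Optional[int] = None) -> str:
    """Mint a trusted-device cookie: base64(payload) '.' hex(HMAC-SHA256(key, payload)).

    Layout and field names are assumptions for this example, not Tidal's format.
    """
    now = int(time.time()) if now is None else now
    payload = {
        "uid": user_id,                         # user who passed TOTP on this device
        "dev": secrets.token_hex(16),           # random per-device identifier
        "exp": now + DEVICE_TRUST_TTL_SECONDS,  # absolute expiry, enforced server-side
    }
    body = _b64encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_device_cookie(key: bytes, cookie: str, user_id: str, now: Optional[int] = None) -> bool:
    """Return True only if the MAC verifies, the cookie is unexpired and it belongs to user_id."""
    now = int(time.time()) if now is None else now
    body, sep, tag = cookie.rpartition(".")
    if not sep or not body:
        return False
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time compare; do not parse the payload until the MAC has checked out.
    if not hmac.compare_digest(expected, tag):
        return False
    try:
        payload = json.loads(_b64decode(body))
    except (ValueError, UnicodeDecodeError):
        return False
    return payload.get("uid") == user_id and int(payload.get("exp", 0)) > now
```

A device that fails this check simply falls back to a fresh TOTP prompt; the cookie only skips the second factor, it never replaces the login session.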

SSN Auto-Stripping

The system is explicitly designed to never store full Social Security Numbers. Only the last 4 digits are retained for identification purposes.

Account Number Protection

Full financial account numbers are never stored. Only the last 4 digits are retained in the database.

Row-Level Security

PostgreSQL RLS policies enforce data access controls at the database layer. Every table requires authentication, and policies are audited on every migration.

AI Data Policy

Client data submitted to AI providers (Anthropic Claude, OpenAI Whisper) is processed under zero-data-retention agreements. Your data is never used to train AI models.

Subprocessors

Anthropic (AI language model provider)

Powers document extraction, email drafting, opportunity detection, and client intelligence. Processes client document text under a zero-data-retention agreement.

Compliance: SOC 2 Type II

OpenAI (Audio transcription)

Processes meeting audio recordings via Whisper for transcription. Audio is not retained beyond the API request.

Compliance: SOC 2 Type II

Supabase (Database & storage infrastructure)

Hosts the PostgreSQL database, authentication system, and file storage. Each firm runs on an isolated Supabase project hosted on AWS.

Compliance: SOC 2 Type II, HIPAA eligible

Vercel (Application hosting & edge network)

Runs the Next.js application and serverless API functions. All code executes in isolated serverless functions with no persistent server state.

Compliance: SOC 2 Type II

Compliance Status

SOC 2 Type I: In progress
SOC 2 Type II: Planned 2026
FINRA Recordkeeping: Advisor-managed
SEC Reg S-P compliance: Architecture aligned

Questions or due diligence?

We make our vendor due diligence package available to any registered investment advisor evaluating Tidal. Contact us to request the full documentation.