Our trust posture, in plain language.

What we promise. What we sign. What we do. What we do not yet have. This page is meant to be readable by a counterparty's general counsel, a compliance officer preparing for examination, and an AI auditor looking for evidence — without gates, NDAs, or “request access” forms.

Last reviewed: April 28, 2026. Reviewed quarterly. Change log at the bottom of this page.

Four things we commit to in writing.

The shortest possible answer to the most common vendor due-diligence questions. Each of these is a contractual commitment in our standard engagement, not a marketing line.

1. ICommitment

   Business Associate Agreement on request, signed before kickoff

   Any engagement involving Protected Health Information includes a HIPAA Business Associate Agreement signed before any access to PHI. We use the Common Paper BAA template, customized for AI-specific data flows. Subcontractor BAAs are executed with any sub-processors that may handle PHI, with the same restrictions and conditions that apply to Altaarx. We routinely engage with mid-market medical practices and digital-health startups under HIPAA scope.

2. IICommitment

   72-hour incident notification under Reg S-P

   When a covered institution — registered investment adviser, broker-dealer, investment company, transfer agent — engages Altaarx, Altaarx is a "service provider" under SEC Regulation S-P §248.30(b)(4). Our engagement contract binds us to written notification of any unauthorized access to or use of Customer Information within 72 hours of discovery, in the form and content the covered institution requires for its own 30-day customer-notification obligation. This commitment is contractual, not aspirational.

3. IIICommitment

   Mutual NDA available before any sensitive disclosure

   A mutual non-disclosure agreement is signed before any discussion that requires disclosure of confidential information — system architecture, data flows, prior incidents, board minutes, regulatory correspondence. Our standard MNDA is reciprocal, three-year survival on confidentiality obligations, with carve-outs for residuals, independently developed information, and information rightfully obtained from third parties. Available on request.

4. IVCommitment

   Client data stays in the client's environment by default

   Our default engagement model is to operate inside the client's tenant — Google Workspace, Microsoft 365, AWS, GCP, Azure, on-premises — under a least-privilege account provisioned by the client and revoked by the client at engagement end. We do not require copies of client data on Altaarx infrastructure. Where a working copy is genuinely necessary (rare; documented case-by-case), it is encrypted in transit and at rest, on hardware-key-protected, FileVault-encrypted endpoints, and is destroyed or returned at engagement end with written certification.

The standards every engagement maps to.

Each engagement is mapped to whichever subset of these frameworks actually examines the client. We don't promise certifications we don't hold; we deliver work product that survives examination under the frameworks below.

• NIST Cybersecurity Framework

  v2.0 (Feb 2024)

  The baseline cyber-risk vocabulary every regulated buyer references. Our audit deliverable maps controls to the six functions: Govern, Identify, Protect, Detect, Respond, Recover.

• NIST AI Risk Management Framework

  AI 100-1 + Generative AI Profile AI 600-1

  The U.S. de facto standard for AI governance. Required mapping for any engagement involving generative or agentic AI.

• ISO/IEC 27001:2022

  Information security management

  Used when the client carries — or is preparing for — ISO 27001 certification, especially European subsidiaries and multi-jurisdictional family offices.

• ISO/IEC 42001:2023

  AI management systems

  The first international standard for AI management systems. Increasingly cited in vendor contracts and procurement frameworks.

• HIPAA Security Rule

  45 CFR §§ 164.302–164.318

  Administrative, physical, and technical safeguards for ePHI. The 2026 NPRM updates remove "addressability" — MFA, encryption, and segmentation become required, not optional.

• PCI DSS

  v4.0.1 (current)

  Required for any payment-card data path. Our work explicitly avoids putting AI in the cardholder data environment unless requirement-by-requirement mapping is documented.

• GDPR

  Regulation (EU) 2016/679

  Applied when the client serves EU data subjects, including U.S.-based family offices with European LP investors or beneficiaries.

• SEC Regulation S-P

  17 CFR Part 248, as amended May 16, 2024

  Smaller adviser compliance June 3, 2026. Service-provider oversight, 72-hour breach notification, 30-day customer notification.

• CIS Controls

  v8.1

  Practical implementation of the higher-level frameworks. Used as a check on our own audit deliverable for completeness.

• OWASP Top 10

  2021 (web) + LLM Top 10 v2 (2025)

  Web-application security and LLM-specific risks: prompt injection, insecure output handling, training-data poisoning, supply-chain attacks, sensitive-information disclosure, model denial-of-service.

• U.S. Treasury FS AI RMF

  Released February 19, 2026

  Financial Services AI RMF aligned with SR 11-7 model risk management. Newly relevant for RIA, broker-dealer, and bank-affiliated client engagements.

For RIAs, broker-dealers, and covered institutions.

If Altaarx is engaged by a covered institution under SEC Regulation S-P, Altaarx is a “service provider” under §248.30(b)(4). Below is what your written service-provider oversight policy gets when you engage us. This section is written for the compliance officer preparing the next exam and the general counsel reviewing the MSA.

For covered entities and business associates.

Altaarx is a HIPAA business associate when engaged by a covered entity or by another business associate to perform functions involving PHI.

What our day-to-day looks like.

The mechanics. None of this is speculative — these are the controls in place on the engagement infrastructure as of the date at the bottom of this page.

Default engagement environment

Work inside the client's tenant. Least-privilege account provisioned by the client; revoked by the client at engagement end. Altaarx does not require copies of client data on Altaarx-controlled infrastructure.

Endpoint security

macOS endpoints with FileVault full-disk encryption, Gatekeeper code-signing enforcement, XProtect malware scanning, automatic OS security updates, and a dedicated client-engagement profile separate from personal use. iOS / iPadOS endpoints with passcode + biometric, Find My, and remote wipe.

Authentication

Hardware-key-enforced MFA (FIDO2 / WebAuthn) on every account that touches client systems or sensitive infrastructure. Phishing-resistant by design. No SMS-based 2FA for any privileged account.

Credential storage

1Password, with dedicated vaults per client engagement. Master credentials and recovery keys stored in secure offline backup. No credentials in chat, email, code, or unencrypted notes.

Encryption in transit

TLS 1.2+ on every connection. TLS 1.3 preferred where supported. SSH over the strongest mutually-supported cipher (Ed25519 / Curve25519 / AES-256-GCM). Strict DNS resolvers (DNS-over-HTTPS or DNS-over-TLS where infrastructure permits).

Encryption at rest

FileVault on macOS endpoints. Encrypted git repositories (git-crypt or equivalent) for any work product that contains sensitive data. Cloud-side encryption-at-rest for all storage backends in scope (AES-256).

Network

No client-data transit over consumer Wi-Fi without VPN. Travel posture: no work on hotel or airport networks; mobile hotspot with WPA3 only.

Backup

Time Machine to a hardware-encrypted volume, plus encrypted off-site backup of work-product repositories. Backup encryption keys held separately from backup media.

Logging

Engagement work performed within client systems is logged by the client's existing audit infrastructure. Where Altaarx maintains its own working copy (rare), access is logged locally and the log is provided on request.

Engagement scoping document

Every engagement begins with a written scoping document specifying: data categories in scope, systems in scope, access pattern (federated, copy, observe-only), retention period for any working copies, destruction or return procedure at engagement end, breach-notification path, and SLA on response. Signed by both sides before access.

Disposal

Working copies of client data are destroyed at engagement end via cryptographic erasure (key destruction) for cloud-side storage and secure-delete for local working copies. Written certification of destruction provided on request.

The vendors behind Altaarx itself.

Altaarx is small but not solo at the infrastructure layer. Below is the current list of vendors and tools that support Altaarx's own operations. This list is updated when sub-processors are added, changed, or removed. Material changes are noted in the change log at the bottom of this page.

What's behind the work.

Standard contracts and insurance coverage provide the legal and financial backstop a sophisticated counterparty expects from any service provider.

Coordinated disclosure.

Altaarx welcomes security research conducted in good faith on altaarx.com and any Altaarx-operated infrastructure. We follow a standard 90-day coordinated disclosure window.

What's not yet here, and why.

Altaarx is a new entity. Some maturity signals take time. Listing them honestly is itself a trust signal — the firm you should be most worried about is the one claiming a posture it hasn't earned yet. Below is what we don't have, why, and when.

SOC 2 Type II

Planned: Year 2. Type I scoped first (~6 months from launch), Type II (12-month observation period) following. Initial audit budget ~$30,000–$50,000.

ISO/IEC 27001 certification

Planned: Year 3, if a client engagement materially benefits from Altaarx-side certification (most engagements do not, because controls live in the client's environment).

ISO/IEC 42001 certification

Considering for Year 3. The standard is new (2023); auditor capacity is still maturing; the value to small consultancies is debated. We will revisit annually.

Penetration test report

Planned: Year 1, post-first-engagement. The site itself has been audited by a single qualified practitioner (the founder, with PenTest+); a third-party pen-test will be commissioned once there is engagement-controlled infrastructure that justifies the spend.

Public client roster

None yet — Altaarx launched April 2026. First public case studies expected Q4 2026 once first engagements complete and clients give written consent for attribution. We will not publish client names without written consent, ever.

Bug bounty program

Considering after first engagement. Coordinated disclosure (above) is in place now; a paid bounty program is overhead that does not yet match the attack surface.

24/7 staffed SOC

Out of scope for Altaarx's service model. Altaarx is not a managed-security provider; clients with 24/7 monitoring requirements should engage an MSSP in addition to Altaarx.

Multi-region data residency

Not applicable — Altaarx does not by default store client data on Altaarx-controlled infrastructure. Where a working copy is required, residency is documented in the engagement scoping document.

An examiner cannot audit a vendor that hides its limitations. We would rather lose an engagement to a buyer who needed something we don't have than win one we can't deliver against.

Where to check.

Independent verification paths for the claims on this page.

Founder identity and credentials

ORCID iD 0009-0006-6888-5396 (registered 2026-04-28). Capitol Technology University doctoral registration verifiable through the institution's registrar. WGU degrees verifiable through the National Student Clearinghouse. CompTIA certifications (Sec+, CySA+, PenTest+) verifiable at verify.comptia.org. ISC2 SSCP verifiable at verify.isc2.org.

Entity

Delaware Division of Corporations entity search (icis.corp.delaware.gov). Florida foreign qualification verifiable at search.sunbiz.orgonce filed. Florida fictitious name “Altaarx” verifiable at the same URL once registered.

Domain control

DNS records at altaarx.com publicly resolvable. SPF, DKIM, DMARC records published. SSL certificate issued via Cloudflare and verifiable at crt.sh.

Documents on request

Certificate of insurance, BAA template, MSA / SOW templates, MNDA template, sub-processor list (current version), engagement scoping document template — provided to engaged or prospective clients on request, under MNDA where the document contains commercial terms.

Direct line

A real person responds to inquiries via the contact form on the homepage. Replies within one business day. Founder is the responder for any pre-engagement question.

Page version and history.

This version: v1.0 — Published April 28, 2026.

Reviewed quarterly minimum. Material changes — adding or removing a sub-processor, changing a binding commitment, updating a regulatory effective date — are logged below with the date of change. Editorial changes (typo fixes, link refreshes) are not logged.

1. 2026-04-28

   v1.0 published. Initial trust posture document covering frameworks, Reg S-P and HIPAA service-provider commitments, operational security controls, sub-processor list, insurance and contracts posture, vulnerability reporting, year-1 transparency disclosure, and verification paths.