Effective Date: June 3, 2026
Last updated: June 1, 2026
| Who We Are | RIA Compliance Technology |
|---|---|
| Who This Covers | Registered investment advisers and broker-dealers using our platform |
| What This Is | Our written commitment on how we handle your clients’ data |
| Regulatory Basis | Regulation S-P (17 CFR 248.30), as amended in 2024 (smaller-entity compliance date June 3, 2026) |
| Effective Date | June 3, 2026 |
| Last Updated | June 1, 2026 |
Amended Regulation S-P requires every registered investment adviser to obtain written confirmation from its vendors that they will notify the firm within 72 hours of a data breach. This document is that confirmation from RIA Compliance Technology. Print it, sign it, and file it in your Reg S-P vendor oversight records. If an SEC examiner asks whether you have documented your vendor’s data security obligations, this is the document you produce.
RIA Compliance Technology provides compliance technology to registered investment advisers and broker-dealers. Our platform archives your emails, text messages, and social media communications, monitors your trade data, and provides compliance calendar and reporting tools.
When you use our platform, we handle data that belongs to your clients — things like names, account information, and communications. We want to be clear about our role: we are a service provider. That means we process your clients’ data on your behalf, under your direction, and only for the purpose of providing our services to you. We are not the owner of that data and we do not use it for our own purposes.
In legal terms, you are the data controller and we are the data processor. This document sets out what that means in practice.
We will never do any of the following with your clients’ nonpublic personal information:
Amended Regulation S-P requires service providers like RIA Compliance Technology to notify you within 72 hours of becoming aware of any unauthorized access to your clients’ data. Your ability to meet your own 30-day customer notification deadline under Reg S-P depends on us notifying you promptly. Here is our formal commitment.
If we ever become aware of a security incident that involves your clients’ data, we commit to the following:
Notifications will be sent to your designated CCO and the administrator contact on record.
We maintain a written security program designed to protect your clients’ data. Here is what that includes, in plain terms.
If you ask us once a year for a summary of our security practices or a copy of our security certifications, we will provide it. We may also satisfy this by sharing a current SOC 2 Type II report or equivalent if we have one.
We use a small number of third-party vendors to help us deliver our platform — things like cloud hosting infrastructure. We call these vendors “sub-processors.” Here is how we manage them:
You are the data controller — meaning you are responsible for your clients’ data and your clients’ privacy rights. We are your service provider. Here is how we support you.
We will help you respond to those requests. If we receive a request directly from one of your clients, we will forward it to you within 5 business days rather than responding ourselves — because you are the controller, not us.
Some of the communications we archive for you (emails, texts, social media) are required by SEC and FINRA rules to be retained for specific periods. We cannot delete those records on request if doing so would violate your regulatory retention obligations. If a client asks to delete archived communications, you as the CCO need to determine whether a regulatory hold applies before directing us to delete.
If you are examined by the SEC, FINRA, or a state regulator and they ask about our platform or our data handling, we will cooperate with your examination and provide documentation they reasonably need about how we protect client data.
When you stop using our platform, we will retain your data for up to 90 days so you have time to export it. Within 30 days of your written request, we will delete your data and give you written confirmation that deletion is complete.
We have designed this agreement to meet the requirements of the following laws. Because we use California law as our minimum standard, this document covers you regardless of what state you operate in.
| Law | What It Means for You |
|---|---|
| Regulation S-P (amended 2024) | Requires RIAs to have written service-provider agreements including a 72-hour breach notification requirement. This document satisfies that requirement. |
| Gramm-Leach-Bliley Act (GLBA) | Federal law requiring financial firms to protect customer nonpublic personal information. We treat all your clients’ data as NPI subject to GLBA protections. |
| California CCPA/CPRA | The strictest U.S. state privacy law. We operate to this standard for all clients, not just California firms — no sale of data, no sharing for marketing, and full consumer-rights support. |
| Other state privacy laws (VA, CO, TX, etc.) | Because we follow the California standard, we already meet or exceed the requirements of all other current U.S. state privacy laws. |
When you sign up for RIA Compliance Technology and accept our Terms of Service, you are also accepting this Data Processing Addendum. This DPA is incorporated into our Terms of Service by reference. If there is ever a conflict between this DPA and our Terms of Service on a data protection matter, this DPA wins.
If we need to update this DPA — for example, because a law changes or our services change — we will give you at least 30 days’ notice before the new version takes effect. We will post updates at riacomptech.com/dpa. If you continue using our platform after the effective date of an update, that means you accept it.
This agreement shall be governed, construed, and enforced in accordance with the laws of the State of Arizona, without regard to its conflict-of-laws rules. Any controversy arising out of this agreement shall be settled by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules. The number of arbitrators shall be one; the place of arbitration shall be Arizona; and Arizona law shall apply.
Indemnification and limitation of liability are governed by our Terms of Service and are not modified by this DPA. Nothing in this DPA expands or reduces those provisions, except that it confirms the data-security and breach-notification obligations set out above. Our breach-notification commitment in Section 3 applies regardless of any limitation of liability in the Terms of Service.
By accepting our Terms of Service at riacomptech.com, you agree to the terms of this Data Processing Addendum.
RIA Compliance Technology
If you have any questions or concerns regarding this Agreement, please contact us: