Leveridge handles sensitive client information: tax returns, property records, income data. This page explains exactly what we do with it, how we protect it, and what we never do with it.
Tax return PDFs are never stored. We extract the numbers and delete the file from memory within 60 seconds of completion. No PDF archive exists anywhere in our systems.
AI never trains on your clients' data. We use Amazon's AWS Bedrock, which has a zero data-retention policy. Model providers have zero access to your data.
Your clients' data belongs to you. We process it solely to provide the service you contracted for. We do not sell it or share it for any purpose other than operating the platform.
Everything is encrypted. Data at rest uses AES-256. All data in transit uses TLS 1.3. Passwords are never stored in readable form.
No other advisor can see your clients' data. Data isolation is enforced at the database layer. One advisor's data is never accessible to another.
Last reviewed: May 2026 · Questions? security@leveridge.ai
The PDF is held in memory during extraction and deleted within 60 seconds of completion.
Upload
The file is received into application memory only. It is never written to disk.
Fingerprint
A digital hash of the file is created for duplicate detection. We check if you've uploaded this file before.
AI Extraction
The PDF is sent to Amazon's AI service (AWS Bedrock) running within our private AWS environment. It extracts the financial data we need.
Data Saved
Only the structured financial data is saved to your account. Everything else is discarded.
PDF Deleted
All references to the PDF are released from memory. The file no longer exists anywhere in our systems: not on disk, not in cloud storage, not in any backup.
What we save
Household income and deductions
Property addresses and rental income
Expense categories and amounts
Tax year and filing status
Depreciation details
File name and fingerprint (advisor reference and duplicate detection)
What we never save
The PDF file itself, ever
Social Security Numbers
Signatures, handwritten notes, or annotations
W-2s, 1099s, or other attached source documents
Any data not needed for property analysis
If our database were ever breached, the attacker would find structured financial summaries. The same type of information in any financial planning file. There is no document archive, no scanned images, no original tax returns. You cannot steal what does not exist.
Leveridge uses AI for two specific purposes: tax return data extraction and property analysis insights. We use Amazon Web Services Bedrock, AWS’s managed AI inference service, operating entirely within our private AWS environment.
These are contractual commitments in our AWS service agreement. AWS Bedrock is covered by AWS’s SOC 2 Type II and ISO 27001 certifications.
Leveridge runs entirely on Amazon Web Services (AWS), US-West-1 (Northern California). All data processing and storage occurs within the United States.
Leveridge personnel access
Leveridge personnel do not access client data as part of normal operations. A small number of team members in engineering and operations can access client data in limited circumstances: when an advisor requests support assistance, to debug and troubleshoot platform issues, and where required by law. All such access is MFA-enforced and logged via AWS CloudTrail.
Availability & backups
Leveridge runs on AWS across multiple availability zones with automated database failover via AWS RDS. Client data is backed up on an encrypted, automated schedule. A written Business Continuity Plan covers vendor outage contingencies and service restoration procedures.
Leveridge is not your books-and-records custodian.
SEC Rule 204-2 requires RIAs to maintain books and records, typically 5 years for most records. This obligation belongs to your firm, not to Leveridge. Leveridge provides data export in JSON, CSV, and PDF formats at any time. We recommend establishing a regular export cadence as part of your firm’s recordkeeping program.
Your firm’s compliance obligations under GLBA and SEC Regulation S-P require you to vet and monitor your technology vendors. We support that with:
This document for your vendor oversight file
Our full Information Security White Paper, available on request at security@leveridge.ai
Responses to vendor security questionnaires (SIG Lite, SIFMA, or your firm's custom format) within 5 business days
Compliance review calls and support for SEC examinations
A note on our certifications
We are an early-stage company and do not yet hold independent certifications. We are honest about that. Our security program is designed in alignment with the GLBA Safeguards Rule, NIST Cybersecurity Framework, and SOC 2 Trust Services Criteria, though we do not claim formal certification at this stage. SOC 2 Type I is our near-term target (Q3 2026), with SOC 2 Type II targeted for Q2–Q3 2027. AWS holds the certifications relevant to the underlying infrastructure layer, including AWS RDS (PostgreSQL).
If you believe you’ve found a security vulnerability in Leveridge, we want to know. Please report it to security@leveridge.aiand we’ll acknowledge your report within 1 hour during business hours (4 hours outside business hours).
We will not pursue legal action against researchers who report vulnerabilities in good faith.
We respond to security questions and vendor questionnaires within 5 business days. To request the Information Security White Paper or submit a security questionnaire, email us directly.