Vendor Due Diligence Questionnaire
Last Updated: March 2026 | Prepared by Entropy Financial Technologies, Inc.
1. Company Information
1.1 Legal entity name and jurisdiction of incorporation?
Entropy Financial Technologies, Inc., incorporated in Delaware, United States.
1.2 Principal office address?
5 Vaughn Drive, Princeton, NJ 08540, United States.
1.3 What services does the company provide?
entropyFA is a private AI wealth management platform providing continuous wealth oversight for financial advisors, family offices, and families. The platform uses proprietary AI agents for financial planning, portfolio management, research, compliance monitoring, and workflow coordination.
1.4 Does the company carry professional liability / errors & omissions insurance?
Yes. entropyFA maintains professional liability and errors & omissions insurance. Coverage details available upon request under NDA.
2. Data Security & Encryption
2.1 What encryption standards are used for data at rest?
AES-256 encryption for all data at rest. Per-family encryption keys ensure cryptographic isolation between client households.
2.2 What encryption standards are used for data in transit?
TLS 1.3 for all data in transit. No exceptions for internal or external communications.
2.3 How are encryption keys managed?
Encryption keys are managed through our cloud provider's key management service with hardware security module (HSM) backing. Per-family keys ensure tenant isolation at the cryptographic level. Keys are rotated on a regular schedule.
2.4 Is multi-factor authentication (MFA) required?
Yes. MFA is enforced for all user accounts. There is no option to disable MFA.
3. Data Handling & Privacy
3.1 Is client data used to train AI models?
No. Client data is never used to train, retrain, fine-tune, or improve any AI or machine learning model. This is a binding contractual commitment enforced at the architectural level. See our Data Confidentiality Agreement, Section 1.
3.2 Is client data sold, shared, or monetized?
No. We will never sell, share, lease, license, or monetize client data. This is a contractual covenant. See our Data Confidentiality Agreement, Section 2.
3.3 Where is client data stored and processed?
Exclusively in the United States on SOC 2 certified cloud infrastructure. No data is transferred to, processed in, or stored outside the United States.
3.4 How is data isolated between clients?
Per-family data isolation with dedicated access boundaries. Data is never commingled across households in queries, processing, or storage. Cryptographic isolation via per-family encryption keys.
3.5 What personal and financial data is processed?
entropyFA processes data that you or your advisor explicitly provide — documents you upload, accounts you connect, information you enter. We may also reference publicly available information (such as public records or professional profiles) to enrich household context for your benefit. We never purchase third-party data, track browsing behavior, or collect data from non-public sources without your knowledge.
4. Access Controls & Authentication
4.1 How is user access controlled?
Role-based access control (RBAC) ensures users only access data and functions appropriate to their role. Access permissions are configured per account and reviewed periodically.
4.2 How is employee access to client data controlled?
Employee access to client data is restricted to authorized personnel on a need-to-know basis. All employee access is logged and auditable. Background checks are conducted for all employees with data access.
4.3 Are access logs maintained?
Yes. Comprehensive audit logs capture all user logins, data access events, configuration changes, AI agent actions, and administrative operations. Logs are retained for a minimum of seven (7) years and are available to clients upon written request.
5. Infrastructure & Hosting
5.1 Where is the platform hosted?
entropyFA is hosted on SOC 2 certified cloud infrastructure within the United States. Infrastructure details available upon request under NDA.
5.2 Is the infrastructure monitored?
Yes. Continuous monitoring with automated threat detection, anomaly detection, and incident response capabilities operating 24/7.
5.3 What is the uptime commitment?
entropyFA targets 99.9% platform availability. Historical uptime data is available upon request.
6. Compliance & Certifications
6.1 What security certifications does the platform hold?
entropyFA is hosted on SOC 2 Type II certified infrastructure. Our own SOC 2 Type II certification is in progress. Platform-level compliance documentation is available through our Compliance Center.
6.2 Is the platform designed for SEC-registered investment advisors?
Yes. entropyFA is built to meet the compliance requirements of SEC-registered investment advisors and fiduciary institutions, including Books and Records requirements under the Investment Advisers Act.
6.3 Does the platform support regulatory examinations?
Yes. Full audit trails, decision logs, and reasoning chains are maintained for all AI agent actions. All data is exportable in standard formats for regulatory review.
7. Business Continuity & Disaster Recovery
7.1 Does the company maintain a Business Continuity Plan (BCP)?
Yes. entropyFA maintains a formal Business Continuity Plan that is reviewed and updated annually.
7.2 What is the disaster recovery strategy?
Data is backed up with geographic redundancy across multiple US data centers. Recovery procedures are tested periodically. Recovery time and recovery point objectives are available upon request.
8. Incident Response
8.1 Does the company maintain an Incident Response Plan?
Yes. entropyFA maintains a formal Incident Response Plan that is tested and updated annually.
8.2 What is the breach notification timeline?
Within 72 hours of confirming a security incident involving client data. Notification includes a description of the incident, the categories of data affected, the measures taken, and the remediation steps. See our Data Confidentiality Agreement, Section 6.
9. Vendor & Subprocessor Management
9.1 Does the platform use third-party subprocessors?
Yes. entropyFA uses a limited number of subprocessors for cloud infrastructure, AI model inference, and operational support. All subprocessors are US-based or process data exclusively within the United States, and are bound by equivalent confidentiality and data protection obligations.
9.2 Is a list of subprocessors available?
Yes. A current list of subprocessors is available upon request.
10. Data Retention & Deletion
10.1 What is the data retention policy?
Client data is retained for the duration of the service relationship plus any period required by applicable law or regulation. Audit logs are retained for a minimum of seven (7) years.
10.2 What happens to data upon termination of service?
Upon written request, all client data is permanently deleted from active systems and backup infrastructure within ten (10) business days. Written certification of deletion is provided upon request. Data portability is supported at any time during or after the service relationship.
10.3 Can clients export their data?
Yes. Client data belongs to the client. If a client leaves, changes advisors, or simply wants a copy, we provide a full data export upon request. Your data is never held hostage.
11. AI-Specific Controls
11.1 How does the platform ensure AI outputs are accurate?
entropyFA uses a proprietary dual-engine architecture: a generative reasoning engine for context and communication, and a quantitative precision engine for deterministic calculations. All financial calculations use deterministic methods, not AI generation. AI outputs include reasoning chains and confidence levels for human review.
11.2 Do AI agents take autonomous actions?
entropyFA operates in non-discretionary mode by default. AI agents analyze, recommend, and prepare, but all significant actions require explicit human approval before execution. No trades, transfers, or client communications are executed without advisor or client approval.
11.3 Are AI agent actions logged?
Yes. Every AI agent action, recommendation, reasoning chain, and data access is logged with full context. Logs are available for compliance review and regulatory examination.
Additional Questions
For questions not covered in this questionnaire, or to request additional documentation, please contact:
Entropy Financial Technologies, Inc. — 5 Vaughn Drive, Princeton, NJ 08540