Prism Create workspace

Security is part of the foundation, not a bolt-on

Client financial data is among the most sensitive there is. Prism is built so each person sees only what they should, every meaningful action is accountable, and secrets never touch the browser.

Last updated 22 June 2026

Tenant isolation at the data layer

Prism is multi-tenant by design and isolated where it counts - in the database. Every table is governed by row-level security along the firm → advisor → client hierarchy. A client can only ever read their own household; an advisor sees only their book; a firm admin sees only their firm. These rules are enforced by the database on every query, not merely hidden in the interface - so a bug in the UI cannot expose another tenant's data.

Authentication

Managed auth with a PKCE flow, optional time-based one-time-password (TOTP) multi-factor authentication with assurance-level enforcement, and optional Google sign-in.

Encryption

All traffic is served over TLS. Data at rest is encrypted by our managed database provider.

Least privilege

Roles (client, advisor, firm admin) scope access at the data layer. New users get no access until they are provisioned into a firm.

Secrets stay server-side

Payment and aggregation secrets live only in serverless functions. The browser only ever holds a public key and the signed-in user's own session.

Hardened application surface

Accountability & records

Security and compliance reinforce each other. The same model that scopes access also powers an append-only audit trail of meaningful actions (with actor, timestamp, and a readable summary), immutable profile versioning for point-in-time review, and a daily write-once (WORM-style) archive. Together these are designed around the record-keeping principles of SEC Rules 17a-3 and 17a-4.

Infrastructure & subprocessors

Prism runs on established providers, each engaged under data-protection terms. The full list - with purpose and location - is in our Data Processing Agreement: Supabase (database, auth, storage, functions), Cloudflare (hosting, CDN, edge security), Stripe (payments), Plaid (account linking, on user consent), and Google (optional sign-in).

An honest view of our posture

We would rather earn trust by being transparent than overstate where we are. Here is what is in place today and what is on the near-term roadmap before and as we onboard live client data.

ControlStatus
Row-level tenant isolation (firm → advisor → client)In place
Optional MFA (TOTP) with assurance-level enforcementIn place
TLS in transit; encryption at restIn place
Enforced CSP + HSTS + hardened headersIn place
Append-only audit trail + immutable versioningIn place
Daily append-only (write-once) archive to private storageIn place
Automated tenant-isolation (RLS) test suiteIn place
Production database tier with point-in-time backupsProvisioned before live-client onboarding
Object-lock immutable (retention-locked) archive tier, full 17a-4-grade WORMIn progress
Documented information-security policies + control mapping (Trust Services Criteria)Drafted, in review
SOC 2 (Security) examinationReadiness underway

SOC 2 readiness and documentation

We are actively pursuing a SOC 2 examination, scoped to the Security Trust Services Criteria first, with a Type II report as the goal. Our information-security policies, sub-processor register, and a mapping of our controls to the Trust Services Criteria are documented and being formalized ahead of engaging an independent auditor. This reflects substantial work already done; it is not a certification we hold today.

Detailed security documentation - our policy set, sub-processor register, and control mapping - is available to prospective firms and partners under NDA on request. Email security@prismaw.com to request access.

Forward-looking statements. Items not marked "In place" reflect our current development plans and security goals. These items are for informational purposes only, are subject to change without notice, and do not constitute a binding commitment or warranty to deliver specific features or certifications on any particular timeline.

Vulnerability disclosure & safe harbor. If you believe you have found a security issue, we want to hear from you. Email security@prismaw.com with details and steps to reproduce. We will acknowledge your report and investigate promptly. We consider activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act (CFAA) and similar state laws. To maintain this safe harbor, you must: (1) make a good faith effort to avoid privacy violations, data destruction, and interruption or degradation of our service; (2) interact only with accounts you own or have explicit permission to use; and (3) keep the vulnerability details confidential until we have resolved the issue. We will not initiate legal action against researchers who strictly adhere to these guidelines.

Prism is operated by LeMay Ventures LLC. This security overview describes our current technical and organizational measures. For data-protection questions, see our Privacy Policy and DPA. Use of the service is subject to our Terms of Service, including all disclaimers and limitations of liability contained therein.