Trust & Security
Last updated 2026-05-09
How A2B2 keeps your queries, portfolio data, and credentials safe. A SOC 2 Type II audit is underway; this page tracks current commitments and controls.
1. Privacy-first architecture
Privacy is the architecture, not a setting. The data you share with A2B2 — questions, uploaded documents, portfolio positions — is never visible to other users, advertisers, financial institutions, or A2B2 staff without your explicit consent.
Multi-model AI synthesis runs on the data you have authorised, only when you authorise it. There is no background mining of user data for advertising, lead generation, or training of public models.
2. Encryption
All traffic to and from A2B2 is encrypted with TLS 1.2 or higher. Data at rest in the platform's primary databases and object storage is encrypted using AES-256.
Financial documents uploaded to the platform live in private object storage with bucket-level encryption keys and short-lived signed URLs for access — they are never publicly addressable.
3. Access controls
Internal access to user data follows least-privilege principles. Staff access is gated by role, time-bound, and fully audit-logged. No standing access to production user data is granted.
Administrative actions on the platform are recorded in an immutable audit log and reviewed quarterly.
4. Regulatory and compliance
A2B2 operates under the Publisher's Exclusion of the US Investment Advisers Act of 1940 and under the Broadcaster/Journalist exemption (Schedule 5) of the Hong Kong Securities and Futures Ordinance. A2B2 is not a registered investment advisor.
Where applicable, A2B2 honours rights granted by GDPR (EU), CCPA (California), and PDPO (Hong Kong), including access, deletion, and correction requests.
5. SOC 2 — in progress
A SOC 2 Type II audit is underway. The current controls in scope cover privacy, security, availability, and confidentiality. The Type II report and bridge letter will be available to enterprise customers under NDA when the audit completes.
Until then, the controls described on this page are the operational commitment.
6. Vulnerability disclosure
If you believe you have found a security vulnerability in A2B2, please report it privately by emailing security@a2b2.ai. A2B2 commits to acknowledging reports within two business days and to communicating remediation status throughout the investigation.
A2B2 does not currently operate a paid bug bounty programme; researchers acting in good faith will be credited (with consent) and will not be subject to legal action for testing within the scope of this disclosure policy.
7. Contact
For security and trust questions, email security@a2b2.ai.