At L14, security and privacy are foundational to everything we build. Serving ultra-high-net-worth families and institutional partners demands the highest standards of data protection. Our platform is engineered with defense-in-depth security, rigorous access controls, and comprehensive compliance with international data protection regulations.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Sensitive fields receive additional application-layer encryption.
Fine-grained permissions are enforced at the database level through Row Level Security policies, ensuring users only access data they are authorized to see.
Institutional data is fully isolated at the database level. Cross-tenant access is prevented by design through enforced foreign key constraints and RLS policies.
Every data access and modification is recorded in a tamper-proof audit log. Audit records cannot be modified or deleted, even by administrators.
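As an added illustration of the database-level controls described above (this is example PostgreSQL, not L14's own schema or code), the snippet below shows the three pieces working together: a foreign key tying every member row to an institution, a Row Level Security policy that scopes all reads and writes to the tenant named in a per-request session setting, and an append-only audit table whose rows cannot be updated or deleted even by the table owner. Table names, the `app_user` role and the `app.institution_id` setting are assumptions chosen for the example.

```sql
-- Example tenant-isolation and audit-log schema (PostgreSQL 11+).
-- Names below are hypothetical and chosen for illustration only.

CREATE TABLE institutions (
    id uuid PRIMARY KEY
);

-- Every member row must belong to an existing institution (cross-tenant
-- references are rejected by the foreign key constraint).
CREATE TABLE members (
    id             uuid PRIMARY KEY,
    institution_id uuid NOT NULL REFERENCES institutions(id),
    email          text NOT NULL
);

-- The role the application connects as; it never owns the tables,
-- so it cannot disable or bypass RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE ON members TO app_user;

ALTER TABLE members ENABLE ROW LEVEL SECURITY;
ALTER TABLE members FORCE ROW LEVEL SECURITY;   -- also applies to the owner

-- The tenant id is set per request via SET LOCAL app.institution_id = '...'.
-- current_setting(..., true) returns NULL when the value was never set and
-- NULLIF handles an empty string, so an unscoped session matches no rows
-- rather than all of them.
CREATE POLICY members_tenant_isolation ON members
    FOR ALL TO app_user
    USING      (institution_id = NULLIF(current_setting('app.institution_id', true), '')::uuid)
    WITH CHECK (institution_id = NULLIF(current_setting('app.institution_id', true), '')::uuid);

-- Append-only audit log: the application role can only INSERT and SELECT.
CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor       text NOT NULL,
    action      text NOT NULL,
    row_ref     text NOT NULL
);
GRANT INSERT, SELECT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;
-- Deliberately no UPDATE or DELETE grant.

-- Second layer: a trigger rejects UPDATE/DELETE regardless of which role
-- (including the owner) attempts it.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % not permitted', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_modify
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- Typical request flow: scope the transaction to one institution, then query.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.institution_id = '00000000-0000-0000-0000-000000000001';  -- constructed sample id
SELECT id, email FROM members;   -- only rows for that institution are returned
INSERT INTO audit_log (actor, action, row_ref)
    VALUES ('user@example.com', 'SELECT members', 'institution:...0001');
COMMIT;
```

Because the policy is evaluated inside the database, an application bug that omits a `WHERE institution_id = ...` clause still cannot leak another tenant's rows, and because the audit table is protected both by missing grants and by a trigger, an administrator connecting as the table owner still cannot rewrite history without first dropping the trigger, which is itself a visible, auditable DDL event.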
Support for multiple authentication methods including passwordless login, email with MFA, institutional SSO (SAML 2.0/OIDC), and OAuth providers.
Hosted on enterprise-grade cloud infrastructure with automatic scaling, DDoS protection, and geographic redundancy across edge locations.
We are actively pursuing SOC 2 Type II certification covering security, availability, confidentiality, processing integrity, and privacy. A gap assessment has been completed and remediation is underway.
Full compliance with the General Data Protection Regulation including Data Subject Access Requests (DSAR), right to deletion, data portability, retention policies, and consent management.
Aligned with the revised Swiss Federal Act on Data Protection (nDSG/FADP) effective September 2023, including data processing transparency and cross-border transfer safeguards.
Platform architecture and data handling practices are aligned with FINMA circular requirements for outsourcing and operational risk management in financial services.
Configurable retention policies per data category with automatic lifecycle management. Active member data is retained for the duration of membership plus 5 years. Financial records are retained for 10 years per regulatory requirements.
Members and institution contacts can request a complete export of their personal data. DSARs are processed within the GDPR-mandated 30-day window through an automated collection and delivery pipeline.
Complete data deletion pipeline with legal hold capabilities. Deletion requests cascade through all related records while preserving legally required audit trails. Hard deletion is performed after the retention period expires.
Granular consent tracking at the individual level with full audit trail. Consent preferences are enforced across all data processing operations and can be withdrawn at any time.
If you have questions about our security practices or want to report a vulnerability, please contact our security team.
security@l14.com