Protocol Wealth publishes its subprocessor list at protocolwealthllc.com/subprocessors. The version below adds one sentence of context per vendor explaining what it does in PW's production stack. The intent is to make the supply chain visible enough that a qualified reviewer or prospective partner firm can audit the architecture without a phone call.
Every vendor relationship carries contractual restrictions on data use, breach-notification clauses (72-hour closure where applicable), and US-region processing commitments. Authenticated advisory surfaces (pwos.app, pwportal.app, pw-api) do not transit Cloudflare; the public-edge layer handles marketing properties only.
AI inference
| Vendor |
Role in PW's stack |
Attestations on file |
| Anthropic, PBC |
All LLM inference. Single-vendor transparency posture is deliberate: a regulator evaluates one upstream AI relationship, not a chain of undisclosed sub-providers. Zero Data Retention contracted at the workspace level; effective April 21, 2026. |
SOC 2 Type II · ISO 27001 |
Compute, storage, security
| Vendor |
Role in PW's stack |
Attestations on file |
| Google Cloud Platform |
Compute (Cloud Run), database (Cloud SQL Postgres), cache (Memorystore Redis), object storage (GCS), secrets (Secret Manager), audit logs (Cloud Audit Logs). Single-cloud posture is deliberate for ISO/SOC alignment and data sovereignty. |
SOC 1/2/3 · ISO 27001 / 27017 / 27018 / 27701 · PCI DSS · FedRAMP High |
| Cloudflare |
DNS, CDN, and WAF for public marketing surfaces only. Authenticated advisory surfaces route direct-to-GCP without edge interference. |
SOC 2 Type II · ISO 27001 |
Identity verification + AML
| Vendor |
Role in PW's stack |
Attestations on file |
| Veriff OÜ |
Natural-person identity verification (KYC). Document + biometric checks; PEP/sanctions screening for natural persons. Webhook callbacks routed through the canonical webhook-receiver primitive. |
SOC 2 Type II · ISO 27001 |
| Scorechain S.A.S. (via QuickNode) |
Two-layer AML for crypto-touching surfaces: free OFAC + OFSI + MOFA + NBCTF sanctions API, plus paid KYT entity attribution + risk scoring. Selected after Chainalysis Free Sanctions API winding down. |
Vendor-risk review active |
| QuickNode, Inc. |
Multi-chain RPC infrastructure + the substrate that surfaces Scorechain to PW. |
SOC 2 Type II |
| Hadrius, Inc. |
AI-aware compliance monitoring and supervision overlay. |
Vendor-risk review active |
Custody (separately registered fiduciaries)
| Vendor |
Role in PW's stack |
Attestations on file |
| Altruist Financial LLC |
Primary advisory custodian for TradFi assets + billing back-office. SEC/FINRA-registered broker-dealer. |
SEC/FINRA oversight · SOC 2 Type II |
| Interactive Brokers LLC |
Brokerage and custody for institutional accounts. |
SEC/FINRA registered broker-dealer |
| Anchorage Digital Bank, NA |
Qualified digital-asset custody. National trust bank charter; OCC oversight. |
OCC oversight · SOC 2 Type II |
| BitGo Trust Company |
Qualified digital-asset custody. South Dakota banking charter. |
SD Banking oversight · SOC 2 Type II |
| Fordefi |
MPC wallet infrastructure for firm-treasury operations (not client custody). Coincover backup encryption pairs with this. |
SOC 2 Type II |
Onboarding + signing
| Vendor |
Role in PW's stack |
Attestations on file |
| Anvil |
E-signature with ESIGN/UETA attestation; PDF/A-2b archival output; signed-document state machine. Webhook callbacks routed through the canonical webhook-receiver primitive. |
Vendor DD on file |
Data aggregation
| Vendor |
Role in PW's stack |
Attestations on file |
| Quiltt, Inc. (with MX, FinGoal) |
Financial-account aggregation; primary path for client-held accounts. Subagent-handled through Quiltt's webhook surface. |
SOC 2 Type II |
CRM + transactional
| Vendor |
Role in PW's stack |
Attestations on file |
| Wealthbox |
Client relationship management. Custom fields support PW's tax-status, dependents, control-person, and FINRA-affiliation capture. |
SOC 2 Type II |
| Postmark |
Transactional email delivery. |
SOC 2 Type II |
How to read this list
- Single-vendor transparency. PW intentionally uses one AI inference vendor (Anthropic) rather than a chain. A regulator or prospective partner reviews one upstream AI relationship, not three or four.
- Custody is separately fiduciary. Altruist, IBKR, Anchorage, BitGo all carry their own SEC/FINRA/OCC/state-banking oversight. PW does not custody client assets directly.
- Edge layer is marketing-only. Cloudflare fronts the public site; advisory surfaces do not route through Cloudflare.
- Webhook discipline is uniform. Every vendor callback flows through the same six stages (verify, dedup, parse, process, audit, dead-letter). One pattern, one audit trail.
- AML two-layer. Scorechain Free Sanctions API for natural-person-level OFAC screening; Scorechain Risk Assessment API via QuickNode for KYT entity attribution. Veriff handles natural-person OFAC/PEP.
What's NOT in this list
For full disclosure, PW does not currently use:
- Any closed-source compliance-monitoring tool that requires PW to ship client communications to it for AI processing. (We use Hadrius for monitoring; the inference path runs through PW's own audit substrate first.)
- Any portfolio-accounting vendor that takes custody of client data outside the named custodian relationships above.
- Any AI vendor other than Anthropic. Single-vendor posture is deliberate.
If a future vendor is added, the subprocessor list is updated and PW will provide material-change notification to clients per the amended Reg S-P timeline.
Protocol Wealth, LLC · SEC-Registered Investment Adviser · CRD #335298
This document is an internal draft. The canonical subprocessor list is at protocolwealthllc.com/subprocessors. Engineering substrate transparency · aggregate substrate material · not investment advice · not advisory performance.