Vendor Due Diligence

How we vet our vendors.

Protocol Wealth applies a documented due-diligence and ongoing-oversight process to every third party that touches client information, consistent with SEC Regulation S-P. This page describes the standard we run and lets you download the checklist we use.

We rely on third parties to do our work — custodians, an order-execution and market-data stack, a portal and database, email and notification services, and the tools we use to manage and report on client assets. Some of those vendors see client information; many do not. SEC Regulation S-P requires an investment adviser to take reasonable measures to oversee the service providers that handle customer information, including through due diligence before onboarding and monitoring over the life of the relationship.

We publish this page because a client, a prospect, or an examiner should be able to see how we make those decisions — not just that we make them.

The standard is reasonable measures, not a signed clause in every contract. The sections below describe the process we run for every vendor, the questions on the checklist, the documents we request when a vendor touches client information, and where to find the current list of third parties that process client data. The process is designed to produce a defensible, documented record for each vendor — it is not a guarantee about any vendor's conduct.

What this page is. A description of the standing due-diligence and ongoing-oversight process we apply to third-party vendors, and the checklist we use to run it. We publish it as a transparency and trust signal for clients, prospects, and regulators.

What this page is not. It is not a security audit, certification, or endorsement of any particular vendor, and it does not describe the controls of any specific third party. No due-diligence process can eliminate every risk; this page describes the process we run, not an outcome we guarantee. It is not legal, tax, or investment advice, and it is not a solicitation. Our authoritative regulatory disclosures are in our Form ADV and in the footer of every page.

Section 1

Our standard

We assess every vendor against the same five points. How deep the review goes depends on the first one: a vendor that sees only public or firm-operational data gets a lighter review; a vendor that touches client nonpublic personal information gets the full process.

01 Classify the data

We determine whether the vendor touches client nonpublic personal information (NPI) — names, Social Security or tax identification numbers, account numbers, balances, transactions, and identity documents. A vendor that handles only public data or our own firm-operational data is reviewed lightly. A vendor that touches NPI goes through full diligence. When the answer is unclear, we treat the vendor as touching NPI until shown otherwise.

02 Require evidence of a security program

We require evidence of an independently assessed security program — a current SOC 2 Type II report (an independent audit of a vendor's security controls over a period of time) or an ISO/IEC 27001 certification (an information-security management standard). We obtain the vendor's own report, whether published or shared under non-disclosure through a trust center. Unverified third-party claims do not count, and the absence of a verifiable report is treated as a red flag.

03 Confirm and classify a breach-notification commitment

We locate the vendor's commitment to notify us of a security incident and record it in one of three categories: (A) a published commitment we can cite directly; (B) a published security program or SOC 2 with no stated timeframe, where we anchor on that program and write a one-line reasonableness determination plus a compensating control on our side; or (C) notification terms that live only in our signed contract, where we rely on the executed clause.

04 Confirm US data residency and a data-processing agreement

We confirm where client data is stored — that it is US-resident or configurable to the United States — and that a data-processing agreement (DPA) is in place, whether public, available on request, or part of the contract. For vendors that touch NPI, we look for a DPA with an explicit incident-notification clause and confirmation of encryption in transit and at rest.

05 Record a reasonableness determination and our own controls

For every vendor we write a short, defensible record: what the vendor does, what data they see, their security evidence, their notification commitment, and the compensating controls we apply on our side — data minimization, US residency, monitoring, zero-data-retention terms, or restricting a vendor to public data only. That record is what satisfies our Regulation S-P service-provider oversight obligation, and we revisit it over the life of the relationship.

Who has to notify whom — and when

A vendor's job is to tell us quickly. For vendors that handle client information, our agreements target notice without undue delay — no later than 72 hours after the vendor becomes aware of a security breach. Regulation S-P places the obligation on the firm, not on the vendor directly: it requires us to build that service-provider notification window into our oversight, so we set the expectation by agreement.

The obligation to notify affected individuals stays with Protocol Wealth. Regulation S-P requires the firm to notify affected individuals no later than 30 days after becoming aware of the incident, regardless of which vendor was involved. A vendor's notice exists to start our clock — it does not replace our duty. We do not outsource the obligation, and a vendor's contract terms do not shorten or extend the 30-day clock that runs to us.

Section 2

The checklist

This is the checklist we run before any data flows to a new vendor. It starts with one triage question that sets the depth of the review, then works through five high-level questions and — for any vendor that touches client information — a list of documents we request.

Step 0 — the question that sets the depth

Does this vendor touch client nonpublic personal information (NPI)?

  • No (public data only, or our own firm-operational data) — light-touch review: answer the first three questions, confirm reasonable terms, record the result, and stop there.
  • Yes — full diligence: all five questions plus the document requests below.
  • Not sure — treat as yes until proven otherwise.

Step 1 — five high-level questions

  1. What does the vendor do for us, and what data do they see? One sentence plus the categories of data.
  2. Do they publish a SOC 2 Type II (or ISO/IEC 27001)? Where — public, or under non-disclosure through a trust center? A verifiable report from the vendor is what counts.
  3. Do they commit to notifying us of a security breach? We find the commitment and classify it as published (A), program- or SOC-2-anchored (B), or contractual (C).
  4. Where is the data stored? US-resident, configurable to the United States, or potentially processed in other countries?
  5. Is there a data-processing agreement (DPA)? Public, on request, or in the contract?

Step 2 — documents we request (vendors that touch client NPI)

  • A current SOC 2 Type II report — or an ISO/IEC 27001 certificate.
  • A DPA / data-processing addendum with an explicit breach- or incident-notification clause (the target we look for is notice without undue delay, no later than 72 hours after discovery, to Protocol Wealth).
  • US data-residency confirmation in writing.
  • A subprocessor list plus a commitment to notify us when it changes.
  • Confirmation of encryption in transit and at rest (for example, AES-256 / TLS 1.2+) and an access-control attestation.
  • Where available: a penetration-test summary, cyber-insurance coverage, and a business-continuity / disaster-recovery plan.

Download the full checklist

The complete checklist as a PDF — Step 0 through the decision and one-page summary. Version 1.0.

Download the checklist (PDF)

Section 3

Ongoing oversight

Diligence does not end at onboarding. We maintain a Regulation S-P service-provider oversight register that records, for each vendor, its notification commitment, the reasonableness determination, and the compensating controls we apply. We revisit that record on a periodic basis and when something material changes — a new subprocessor, a lapsed report, a change in data residency, or an incident.

A vendor can be onboarded with conditions — for example, obtaining a SOC 2 report under non-disclosure within a set period, or pinning data residency to the United States — with an owner and a due date recorded against each condition. Where a vendor is missing both a security report and any breach-notification commitment, or sits outside the United States with no data-processing agreement, we keep client information out until the gaps close.

Section 4

Our vendors

When a vendor processes client nonpublic personal information, it belongs on our public subprocessor list. We update that list as our subprocessors change and publish it separately so it can be reviewed on its own.

Change log

Versions

v1.0 June 3, 2026

Initial publication. The five-point vendor standard, the Regulation S-P notification-ownership distinction, the on-page checklist (Step 0 triage, five questions, document requests), ongoing-oversight summary, a link to the current subprocessor list, and the downloadable checklist PDF.

Last updated: June 5, 2026. Protocol Wealth, LLC is an SEC-registered investment adviser (CRD #335298). See our Form ADV for authoritative regulatory disclosures.

Registration with the SEC does not imply a particular level of skill or training. Advisory services are provided only under a signed advisory agreement.

About this page. This page describes the due-diligence and ongoing-oversight process Protocol Wealth applies to third-party service providers under SEC Regulation S-P. It is not a security audit, certification, or endorsement of any specific vendor, and it does not describe the controls of any third party. No due-diligence process can eliminate every risk. It is not legal, tax, or investment advice and is not a solicitation.

All investments involve risk, including the potential loss of principal. Digital assets are highly speculative and volatile. Past performance does not guarantee future results.