Privacy Policy

Broker Dealer Management Platform (“BDMP,” “we,” “our,” or “us”) is a multi-tenant compliance operating system for FINRA-registered broker-dealer firms. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our platform and services.

This policy applies to all users of the BDMP platform, including broker-dealer firm administrators, compliance officers, registered representatives, and other authorized personnel.

2.1 Information You Provide

• Account registration data (name, email, phone number, role, broker-dealer affiliation)
• Authentication credentials (passwords, MFA enrollment data)
• Compliance records submitted through the platform (supervisory reviews, surveillance findings, communications)
• Documents uploaded for regulatory filings or record-keeping
• Support communications and feedback

2.2 Information Collected Automatically

• IP address and device identifiers
• Browser type and operating system
• Usage data (pages visited, features used, actions taken within the platform)
• Session duration and authentication events
• Error logs and performance metrics (with PII scrubbed)

2.3 Information from Third Parties

• FINRA BrokerCheck and CRD data (public registration information for registered representatives)
• OFAC sanctions screening results
• Payment processing data from Stripe (transaction metadata only)

We use personal information to:

• Provide, maintain, and improve the BDMP platform
• Authenticate users and enforce role-based access controls
• Facilitate regulatory compliance activities (surveillance, supervisory review, audit trails)
• Generate compliance health scores and analytics
• Process AI-assisted compliance analysis through AWS Bedrock
• Send platform notifications and regulatory alerts
• Detect and prevent fraud, unauthorized access, and security incidents
• Comply with legal obligations under FINRA, SEC, and other regulatory requirements
• Maintain immutable audit logs as required by SEC Rule 17a-4

We retain personal information in accordance with applicable regulatory requirements:

• Audit logs: 6 years minimum (SEC Rule 17a-4), stored in WORM (Write-Once, Read-Many) mode with S3 Object Lock
• Communications records: 3 years minimum (FINRA Rule 3110)
• Account data: Duration of the business relationship plus 6 years
• Session and authentication logs: 2 years

After the applicable retention period, data is securely deleted using industry-standard methods.

We do not sell personal information. We may share information with:

• Your broker-dealer firm: Firm administrators and compliance officers can access data for users within their tenant
• Regulatory bodies: FINRA, SEC, and state regulators when required by law or regulatory examination
• Service providers: AWS (infrastructure), Stripe (payments), Postmark (email), Pusher (real-time notifications), Sentry (error monitoring with PII scrubbing)
• Law enforcement: When required by valid legal process

All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.

We protect your information through:

• AES-256-GCM encryption for sensitive data at rest
• TLS 1.2+ encryption for all data in transit
• PostgreSQL Row-Level Security for tenant data isolation
• Multi-factor authentication for privileged roles
• Immutable audit chain with dual SHA-256 hash verification
• Regular security assessments and penetration testing
• SOC 2 Type I audit compliance (in progress)

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate data (subject to regulatory record-keeping requirements)
• Request deletion of your data (subject to mandatory retention periods under SEC and FINRA rules)
• Opt out of non-essential data processing
• Receive a copy of your data in a portable format (where technically feasible)

To exercise these rights, contact your firm's compliance officer or email us at the address below. Note that certain data cannot be modified or deleted due to regulatory record-keeping obligations.

California residents have the right to know what personal information we collect, the right to delete personal information (subject to regulatory exemptions), and the right to opt out of the sale of personal information. We do not sell personal information.

To submit a verifiable consumer request, contact us using the information below.

We use cookies and similar technologies for:

• Essential cookies: Authentication session management, CSRF protection
• Functional cookies: User preferences and interface settings
• Analytics cookies: Platform usage patterns (aggregated, no PII)

You can manage cookie preferences through the cookie consent banner displayed on your first visit.

BDMP is designed for use by professionals in the financial services industry. We do not knowingly collect personal information from individuals under 18.

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify users of material changes through the platform and update the effective date above.

For privacy-related inquiries:

• Email: admin@brokerdealermanagementplatform.com
• Mail: Broker Dealer Management Platform, Attn: Privacy, [Address TBD]