SEC Regulation S-P Vendor Due Diligence
Last Updated: May 28, 2026
This page provides the information investment advisers and broker-dealers commonly request from Snap Launch LLC (d/b/a Simple Advisor Tools), operator of the Rollover Analysis Tool, when performing vendor due diligence under SEC Regulation S-P (17 CFR Part 248). It is organized to mirror a typical due-diligence questionnaire so you can reference or attach it directly in your compliance records.
1. Incident Notification Procedures
We maintain a formal Incident Response Policy covering detection, triage, containment, investigation, recovery, and customer notification. Security events are detected through active alerting — real-time application error monitoring, an authentication-pipeline health probe, and a daily automated review of audit logs that alerts on failed-login spikes, bulk data-access patterns, and access from unusual locations — supplemented by infrastructure logs and customer reports.
Notification timeframe: If we become aware that a breach in security has occurred involving client/customer information maintained on your behalf, we will notify you as soon as possible and no later than 72 hours after becoming aware.
Notification is sent to the primary contact on your account and includes, to the extent known: the nature of the incident, categories of information involved, approximate number of affected client records, remediation steps taken, and a point of contact (help@rolloveranalysistool.com). Our written commitment is reproduced in Section 5 below.
2. Information Security Controls
We implement controls aligned with the SOC 2 Trust Services Criteria:
- Encryption: AES-256 application-layer encryption of sensitive client fields; TLS 1.2+ in transit; bcrypt password hashing.
- Access control: MFA available on all accounts; deny-by-default API authentication; database row-level security; role-based team permissions.
- Monitoring: Comprehensive audit logging; a daily automated anomaly review with email alerting; real-time error monitoring with sensitive fields and IP addresses stripped before transmission.
- Infrastructure: Hosted on Vercel (SOC 2) with Supabase (SOC 2 Type II) and Stripe (PCI DSS Level 1); Content Security Policy, HSTS, rate limiting, and automated dependency and secret scanning.
- Data minimization: Client PII is limited to name, employer, and account value — no Social Security numbers, dates of birth, or account numbers.
Independent assessments: Our SOC 2 Type 1 examination is currently in progress. We do not yet have a completed SOC report or penetration test to share; an independent penetration test is planned ahead of our Type 2 audit window. We can provide our subprocessors' SOC reports (Supabase, Vercel, Stripe) on request.
3. Business Continuity / Disaster Recovery
Yes — we maintain a documented Business Continuity and Disaster Recovery Plan.
Recovery Time Objective (RTO): 24 hours
Recovery Point Objective (RPO): 24 hours
The Service runs on Vercel with Supabase for database and authentication; application code and configuration are version-controlled and deployments are reproducible. Supabase performs automated daily database backups with a 7-day rolling retention window, and we run operator-initiated AES-256-encrypted backups before higher-risk operations. Documented recovery procedures cover hosting outage, database failure or corruption, region/project loss, encryption-key compromise, and key-personnel unavailability.
Records retention: Rollover analysis records and audit logs are retained in the primary database for 7 years in line with DOL recordkeeping expectations, after which they are eligible for automated deletion. Daily backups serve disaster recovery (7-day window) and are distinct from the 7-year retention of the primary records. Point-in-time recovery is not currently enabled — a documented, risk-accepted decision reviewed quarterly. Our first formal restore drill and DR tabletop are scheduled for Q4 2026.
4. Subservice Providers / Outsourcing
Yes, we use subservice providers; none sell or use client information for their own marketing. Those with access to client information:
| Provider | Function | Certification | Data Access |
|---|---|---|---|
| Supabase | Database, authentication | SOC 2 Type II | Client information (encrypted at app layer) |
| Stripe | Payment processing | PCI DSS Level 1 | Billing metadata only — no card data on our servers |
| Vercel | Application hosting | SOC 2 | Request metadata; no client information at rest |
| Sentry | Error monitoring | SOC 2 | Redacted error context — sensitive fields and IPs stripped |
| Resend | Transactional email | SOC 2 | Email addresses; no client analysis data |
Tier 1 providers are reviewed at least annually, including SOC report collection. Material subprocessor changes are published and communicated to active customers when they materially affect data protection. Full list with oversight detail: /subprocessors.
5. Regulatory / Contractual Commitments
Our commitments regarding the protection of client/customer information and incident notification are documented in our Privacy Policy, Terms of Service, and Data Processing Addendum (available for execution).
Written Breach Notification Commitment
Snap Launch LLC confirms its responsibility, willingness, and ability to furnish the Required Notice to its customers as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred involving client/customer information maintained on the customer's behalf, consistent with SEC Regulation S-P § 248.30(a)(4). This written commitment is published here as an electronic attestation and is also provided directly to customers on request.
Request Documentation
For the full policy documents (Incident Response Policy, Information Security Policy, Business Continuity & DR Plan, Subprocessor Register), a countersigned DPA, or subprocessor SOC reports, contact us and we will respond promptly.