Security Overview

Built for sensitive client data.

IgniteHQ is designed for financial advisory firms that need a secure way to invite clients, collect planning information, and store sensitive documents such as tax returns, financial statements, and account information.

Security is part of how IgniteHQ is built, not an add-on. We use secure authentication, access controls, private document storage, encryption, audit logging, and vetted infrastructure providers to help protect advisor and client information.

How IgniteHQ protects client information

Secure access

IgniteHQ requires authenticated access before users can view advisor or client workspaces. Client and advisor accounts are protected with password-based login, Google login where enabled, and text-message verification based on account risk and trusted-device settings.

Two-step verification

IgniteHQ supports text-message verification for account protection. When a device is remembered, verification may not be required again for 30 days unless security conditions change, such as a new device, unusual login activity, password or verification changes, suspicious activity, or support access into a firm or client workspace.

Secure Vault

Documents uploaded to the Secure Vault are stored in private storage and are only available to authorized users connected to the appropriate firm, household, or client relationship. Vault access is controlled through database and storage permissions designed to prevent one firm, advisor, household, or client from accessing another party’s files.

Encryption

IgniteHQ uses encrypted connections to protect data in transit. Data stored in our database and storage providers is protected using encryption at rest provided by our infrastructure vendors.

Access controls

IgniteHQ is built around firm, advisor, household, and client-level permissions. Users should only see the information they are authorized to access. Platform support access is limited and intended for troubleshooting, security, and customer support.

Audit and activity logging

IgniteHQ keeps security-relevant records for account access, trusted devices, verification events, support access, and vault activity where applicable. These records help support account review, troubleshooting, and security monitoring.

Vendor and infrastructure security

IgniteHQ uses established infrastructure providers to operate the platform:

Supabase

Used for database, authentication, file storage, and access control.

Security: https://supabase.com/security

Privacy: https://supabase.com/privacy

Vercel

Used for application hosting and deployment.

Security: https://vercel.com/docs/security/compliance

Privacy: https://vercel.com/legal/privacy-policy

Resend

Used for transactional email, including client invite emails.

Security: https://resend.com/security

Privacy: https://resend.com/legal/privacy-policy

Twilio Verify

Used for text-message verification.

Trust Center: https://www.twilio.com/en-us/trust-center

Privacy: https://www.twilio.com/en-us/legal/privacy

Data privacy

IgniteHQ does not sell client personal information. Client information is used to provide the IgniteHQ platform, support authorized firm and client workflows, protect accounts, comply with legal obligations, and improve reliability and security.

SOC 2 status

IgniteHQ is not currently SOC 2 certified. IgniteHQ is built using infrastructure providers with mature security and compliance programs, and we are preparing our own security practices for future formal review as the platform grows.

Responsible disclosure

If you believe you have found a security issue in IgniteHQ, please contact us at joelmiller@ignitehq.app Please include enough detail for us to understand and reproduce the issue. We review security reports promptly and prioritize issues that could affect client or advisor information.

Contact

For security questions, vendor review, or compliance documentation, contact joelmiller@ignitehq.app