How we protect client data
The controls, practices and boundaries that govern access to your financial information on 8a Financial.
This page is maintained by 8a Financial to answer common security, privacy, and operational questions about the platform. It is not an independent certification or third-party audit report.
Access & authentication
- Role-based access control across client, relationship team and administrator roles, with least-privilege defaults.
- Email + password and Google sign-in. Optional leaked-password protection against the Have I Been Pwned database.
- Administrative actions and role changes are recorded in an internal audit log.
- Sessions are scoped per device; sign-out invalidates the session.
Data protection
- All traffic between your browser and our platform is encrypted in transit (TLS).
- Client data is stored in a managed Postgres database with encryption at rest provided by the hosting platform.
- Row-level security policies restrict every table so a client can only read or write their own records.
- Document uploads are stored in a private vault and served via short-lived signed URLs β never public links.
Platform & hosting
- Hosted on Lovable Cloud (Supabase) for the database, authentication, storage and serverless functions.
- Application is delivered via a global edge network with HTTPS enforced.
- Backups and point-in-time recovery are handled by the underlying managed database provider.
Data collection & use
- We collect only the data needed to provide organisation, reporting and coordination services described in your engagement.
- Financial details you upload are used to produce your reports and are visible only to you and your assigned relationship team.
- We do not sell client data, and we do not use client financial data to train third-party AI models.
Subprocessors & integrations
- Supabase (database, auth, storage, functions) β hosting and data infrastructure.
- Lovable AI Gateway β used for internal assistance features only, never for sharing identifiable client data without consent.
- Email delivery and analytics providers may be added over time; material changes are reflected on this page.
Retention & deletion
- Active client records are retained for the duration of the engagement plus a reasonable period required by regulation.
- On written request, personal documents can be removed from the document vault, subject to legal and accounting retention obligations.
- Audit logs are retained for security and compliance review.
Privacy requests & contact
- To request access to, correction of, or deletion of your data, contact your relationship team or write to the address below.
- We aim to acknowledge privacy requests within 5 business days.
Vulnerability reporting
- If you believe you have discovered a security issue, please email us before publicly disclosing it.
- Do not test against other users' accounts or data.
Shared responsibility
8a Financial secures the application, infrastructure controls listed above, and your relationship team's access. You are responsible for protecting your sign-in credentials, keeping your devices secure, and choosing who on your side may access the portal.
Security contact
For security or privacy enquiries: privacy@8afinancial.com. Issuing entity: 8a Tech & Media Consulting DMCC, DMCC Free Zone, Dubai, UAE.
This page describes current platform practices and is not a certification or independent audit. For regulatory scope, disclosures and the limits of our services, see our Compliance & Disclosures
