K
Kaldroa Advisory

Data Security & Privacy Statement

Version 1.2 — Last updated 16 June 2026 — Effective immediately

01

Scope

This statement applies to all data processed by Kaldroa Advisory in connection with its operational consulting services for single-family offices and ultra-high-net-worth principals. It covers:

  • Prospective client data collected via the Kaldroa.com website and diagnostic tools
  • Active engagement data held during the 90-Day Sprint and MOAR retainer
  • Operational platform data held within the Kaldroa Advisory OS
  • Communications generated by the Intelligence Corps agent layer

Kaldroa Advisory is an advisory-only firm. It does not hold investment assets, custody securities, or act as a fiduciary. This statement covers operational data only.

02

Data We Hold About You

Prospective Clients

  • Name, family office name, estimated AUM band, country
  • Email address (for outreach and booking confirmation only)
  • Health Check diagnostic score and band (anonymised — no portfolio data)
  • Booking confirmation data from Calendly (name, email, session time)

Active Clients

  • Discovery Interview responses (operational complexity, governance, AI usage)
  • Tech Stack Inventory (tools in use, sensitivity classification, risk flags)
  • Data Asset Classification Register (asset names, tiers, storage locations)
  • Third-Party Vendor Audit scores
  • Sprint progress data (phase, sprint day, task status, RAG rating)
  • MOAR report content (sprint health updates, milestone alerts)

We do not hold portfolio holdings, investment data, beneficial ownership registers, or custodian account credentials. All investment-side data remains under client control throughout and after the engagement.

03

Where Your Data Lives

Primary Storage: Notion

All structured client and prospect data is stored in Notion workspaces owned and administered by Kaldroa Advisory. Notion provides AES-256 encryption at rest and TLS 1.3 in transit. Data is hosted in Notion's US-East AWS infrastructure. European clients may request data residency provisions under a bespoke Data Processing Agreement.

Compute: Vercel

The platform is deployed on Vercel's edge and serverless compute infrastructure. Function invocations are stateless — no client data persists in compute memory between requests. API keys and secrets are stored in Vercel's encrypted environment variable store and are never exposed in client-side JavaScript bundles.

Email Delivery: Resend

Outbound emails (NDAs, sprint updates, MOAR reports) are delivered via Resend. Resend processes email addresses and subject lines only. Full email body content is transmitted over TLS. Resend's data retention policy purges delivery logs after 30 days.

What we do not use

  • No client data is stored in third-party CRM platforms
  • No client data is held in consumer cloud storage (Google Drive, Dropbox) without explicit written agreement
  • No client data is shared with marketing automation platforms
04

AI & Intelligence Layer — Data Sovereignty Boundary

Kaldroa Advisory operates an internal agent layer (Intelligence Corps) powered by the Anthropic API (Claude). The following defines precisely what data is and is not transmitted to Anthropic:

What is sent to Anthropic

  • ARIA (Operations Director): Aggregated operational metrics — client count, sprint phase labels, task completion ratios, MRR band. No individual names or email addresses.
  • QUILL (Report Writer): Client name, AUM tier (e.g. "£1.2B"), sprint phase, RAG status. No portfolio holdings, account numbers, or beneficial ownership data.
  • CAMPAIGN (Outbound): Family office name, estimated AUM band, country. No personal email addresses in the prompt; Resend handles delivery separately.
  • BRAND (LinkedIn): Industry research statistics and post structure. No client data whatsoever.

What is never sent to Anthropic

  • Portfolio holdings, valuations, custodian account details
  • Beneficial ownership structures
  • Succession plans or family constitution documents
  • Individual contact email addresses
  • Credential inventories or access control data

Zero-retention principle

All API calls to Anthropic are made under Anthropic's standard API terms, which do not use inputs for model training. Clients with heightened data sovereignty requirements may request that Kaldroa Advisory use a zero-retention API agreement with Anthropic as part of their engagement.

SENTINEL (Sprint Health Monitor) and OTTO (Onboarding) agents do not call the Anthropic API. They read from Notion and write to the internal Approval Queue only.

05

The Approval Queue — No Content Leaves Without Authorisation

Every item of outbound client communication generated by the Intelligence Corps — including NDAs, sprint updates, MOAR reports, and LinkedIn posts — is deposited to a staged Approval Queue before any delivery occurs. Stephen Mistretta reviews, edits, and explicitly approves each item before it leaves the platform.

This is a structural control, not a policy preference. The technical architecture enforces it: no agent sends directly to any recipient under any circumstances. The Approval Queue is authenticated and protected by server-side session controls accessible only to the Founder.

06

Access Controls & Authentication

  • The Kaldroa Advisory OS is protected by two-factor authentication: a server-side password (verified using constant-time comparison) followed by a time-based one-time passcode (TOTP) from an authenticator app. Passwords are never transmitted in URLs or stored in browser localStorage.
  • Sessions are issued as signed HMAC tokens (not bare identifiers), with an 8-hour absolute lifetime and an 8-hour sliding inactivity window. The inactivity cookie is itself cryptographically signed to prevent replay or forgery.
  • Authentication endpoints are rate-limited to throttle password and TOTP brute-force attempts.
  • The KaldroaBus demo dashboard uses a separate access code verified server-side, with session persistence via encrypted cookies.
  • All API routes are protected by server-side middleware enforcing session cookie validation or CRON_SECRET Bearer token authentication for automated jobs.
  • Cron jobs (SENTINEL weekly digest, agent triggers) authenticate via a secret token stored only in Vercel's encrypted environment variable store.
  • Webhook endpoints from Calendly and Resend are verified using HMAC-SHA256 signature validation. Requests without valid signatures are rejected with a 401 before any processing occurs.
07

Encryption

  • In transit: All traffic is encrypted via TLS 1.3. HSTS is enforced with a two-year max-age and preload, preventing HTTPS downgrade attacks.
  • At rest: Notion provides AES-256 encryption for all stored data. Vercel encrypts environment variables (API keys, secrets) at rest.
  • In compute: Function invocations are stateless. No client data persists in memory between requests.
  • API keys: All service credentials (Anthropic, Notion, Resend, LinkedIn) are stored exclusively as server-side environment variables. They are never included in client-side JavaScript bundles or source code.
08

HTTP Security Headers

The platform enforces the following HTTP security headers on all responses:

  • Strict-Transport-Security: 2-year max-age with preload
  • X-Frame-Options: DENY: prevents clickjacking
  • X-Content-Type-Options: nosniff: prevents MIME confusion attacks
  • Content-Security-Policy: a per-request nonce-based policy. Inline scripts are blocked unless they carry the request nonce (no unsafe-inline on script sources), neutralising injected-script (XSS) execution.
  • Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-origin: process isolation against cross-origin attacks
  • X-Permitted-Cross-Domain-Policies: none: blocks legacy cross-domain data access
  • Referrer-Policy: strict-origin-when-cross-origin: limits URL leakage
  • Permissions-Policy: disables camera, microphone, geolocation, payment, USB, and ad-targeting (FLoC/Topics) APIs
09

Your Data Rights (GDPR)

Kaldroa Advisory processes data under the UK GDPR and, where applicable, EU GDPR. The lawful basis for processing is legitimate interests (prospect outreach) and contract performance (active engagements).

As a data subject you have the right to:

  • Access: Request a copy of all data held about you
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data (subject to legal retention obligations)
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request restriction of processing pending a dispute

All requests are processed within 30 days. Contact: info@kaldroa.com

Kaldroa Advisory has a Data Sovereignty Policy that guarantees client ownership of all data throughout and after any engagement. Clients retain the right to extract, transfer, or delete their data at any point. A copy of this policy is provided at engagement commencement.

10

Third-Party Processors

ProcessorPurposeData shared
AnthropicAI report generationAggregated operational metrics only — no PII
NotionStructured data storageClient & prospect records
VercelCompute & deploymentTransient compute only — no persistent storage
ResendEmail deliveryRecipient email, subject line
CalendlyBooking managementName, email, session time
Make.comAutomationClient name, email (onboarding only)

Data Processing Agreements are in place or in progress with all processors handling personal data.

11

Incident Response

In the event of a suspected data breach affecting personal data, Kaldroa Advisory will:

  1. Identify and contain the incident within 24 hours of discovery
  2. Assess the likely risk to affected data subjects within 48 hours
  3. Notify the ICO within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms (UK GDPR Article 33)
  4. Notify affected data subjects without undue delay where the risk is assessed as high (UK GDPR Article 34)
  5. Document the incident, its cause, and corrective actions in the Decision Log

To report a suspected security vulnerability or incident, contact: info@kaldroa.com

12

Questions & Contact

For any questions about this statement, data subject requests, or security concerns:

Stephen Mistretta
Founder, Kaldroa Advisory
info@kaldroa.com
kaldroa.com

This statement will be reviewed and updated at least annually, or following any material change to data processing activities or applicable regulation. The current version is always available at kaldroa.com/security.

Kaldroa Advisory — Version 1.216 June 2026FCA Reference: SJM01337