Security
Your family's data is encrypted before it leaves your device.
maivis encrypts your files on your device before they leave. Keys are wrapped in Cloud KMS hardware security modules in GCP's private cloud infrastructure. When AI processes your data, it uses Google Cloud's global AI infrastructure with contractual zero data retention. Your data is never stored or used to train models.
Encrypted Vault
Files are encrypted with AES-256-GCM on your device before upload. Keys are hardware-wrapped in Cloud KMS (Google Cloud KMS, FIPS 140-2). They are never stored in plaintext. Every access is recorded in a Merkle-anchored audit trail using cryptographic hash chaining on Cloud Audit Logs.
Data Residency
Your financial data is stored on Google Cloud private infrastructure. All family data resides in Google Cloud regardless of location. AI analysis runs on Google Cloud's global infrastructure with contractual Zero Data Retention. Google is forbidden from storing or training on your data.
Authentication
FIDO2 passkey-first authentication via WebAuthn. No passwords. Biometrics or device PIN. Authenticator app fallback.
Compliance Status
How AI Processes Your Data
maivis uses AI to generate wealth observations. Here is exactly what happens to your data.
Passkey or authenticator app verifies your identity before any data is accessed.
Names, emails, phone numbers, account numbers, passport numbers, and government IDs are removed before any AI call. The AI never knows who you are.
Asset values, portfolio holdings, spending amounts, and jurisdictions are sent to AI. This is what powers portfolio analysis, tax context, hard asset valuation, and spending intelligence.
"$2.3M in real estate across UAE and India", but never "Rohit Gupta, Emirates NBD account 4521." Your finances are analyzed. Your identity is not.
Every AI call is recorded in an audit trail: provider, data scope, token count, and PII redaction count. Required for DIFC compliance.
Google Gemini Enterprise Agent Platform: Zero Data Retention (ZDR). Anthropic via Google Cloud Model Garden: covered by Google ZDR. No Anthropic API key is used. Google Search Grounding: receives only anonymized market queries. No family-specific data.
What we do NOT do
We never sell your family's data to third parties
We never persist unencrypted family financial data to disk or database
We never share your family's data with advertisers
We never access your family's documents without explicit request
We never require your banking credentials. Only open banking tokens.
We never send your name, email, account numbers, or government IDs to AI providers
We never allow AI providers to store or train on your data
IN PLAIN ENGLISH
AES-256-GCM encryption
Your documents are encrypted before they leave your device. The encrypted file travels to our servers. Even if our servers were compromised, the files are unreadable without the key.
Cloud KMS key wrapping
Documents are encrypted on your device before upload. Our Cloud KMS key management means decryption requires your authenticated session. A planned upgrade (EPIC-21) will move to fully client-side key derivation where even the server cannot decrypt without your device.
Gemini Enterprise Agent Platform Zero Data Retention
When AI analyzes your portfolio or generates your morning brief, it runs on Google Cloud's global AI infrastructure. Under Zero Data Retention, Google is contractually forbidden from storing or training on your data. Your data in, analysis out. Nothing retained.
Merkle-anchored audit trail
Every document upload and access event is cryptographically recorded in an append-only audit log. That log cannot be altered retroactively. You can request your full audit log via our Data Subject Access Request (DSAR) process at legal@maiviswealth.com.
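The hash chaining behind an append-only audit log, as an added example (not maivis code): each entry commits to the one before it, and the head hash is stored outside the log as the anchor, so edits, truncation and full rewrites are all detectable. It shows the chain and the anchored head only, not a Merkle tree; the field layout, the `GENESIS` value and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry

def entry_hash(seq: int, prev: str, record: dict) -> str:
    # Canonical JSON: the same fields always serialize to the same bytes.
    body = json.dumps({"seq": seq, "prev": prev, "record": record},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(log: list, record: dict) -> str:
    """Append a record linked to the current head; return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "record": record,
                "hash": entry_hash(seq, prev, record)})
    return log[-1]["hash"]

def verify(log: list, anchored_head: str):
    """Return (ok, seq of first bad entry). anchored_head is kept outside the log."""
    prev = GENESIS
    for seq, entry in enumerate(log):
        if (entry["seq"], entry["prev"]) != (seq, prev):
            return False, seq          # reordered, dropped or re-linked entry
        if entry_hash(seq, prev, entry["record"]) != entry["hash"]:
            return False, seq          # record edited after it was written
        prev = entry["hash"]
    if prev != anchored_head:
        return False, len(log)         # truncated, or rewritten end to end
    return True, None

def build_sample_log() -> list:
    # Constructed sample events; field names follow the audit fields listed above.
    log = []
    append(log, {"event": "document_upload", "family_id": "fam-001", "doc": "doc-17"})
    append(log, {"event": "ai_call", "provider": "example-provider",
                 "data_scope": "portfolio", "token_count": 1840, "pii_redactions": 6})
    append(log, {"event": "document_access", "family_id": "fam-001", "doc": "doc-17"})
    return log

if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]             # the value that would be anchored elsewhere
    print(verify(log, head))
    log[1]["record"]["pii_redactions"] = 0   # retroactive edit of one entry
    print(verify(log, head))
```

An attacker who recomputes every hash after an edit still produces a different head, which is why the anchored value has to live where the log writer cannot change it.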
FIDO2 / WebAuthn passkeys
You log in with your face or device PIN. No password to steal. No SMS code to intercept. The credential lives on your device and cannot be phished. It never leaves your device during authentication.
Row-level security
Every database query is filtered by your family ID at the database layer. Even a bug in our application code cannot return another family's data. The database itself enforces isolation.
Security Roadmap
Our current controls are strong. Here is what we are building toward.
Independent Penetration Test
A third-party security firm will conduct a full application and infrastructure penetration test against the production environment.
ISO 27001 Certification
Formal information security management system certification. Audit scope will cover all data processing, access controls, and incident response procedures.
PRF-Based Zero-Knowledge Vault (EPIC-21)
The WebAuthn PRF extension will derive your encryption key directly on your device using HKDF-SHA-256. Your decryption key will never transit the server. Even a full server compromise will not expose your documents.
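The derivation step described above, reproduced in Python as an added example (not maivis code): HKDF-SHA-256 per RFC 5869 applied to a 32-byte PRF result, with the `info` label separating keys by purpose. The salt, the `info` labels and the sample PRF bytes are assumptions constructed for illustration; in a browser the same step would run in WebCrypto.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 step 1: an empty salt is replaced by HASH_LEN zero bytes.
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 step 2: T(n) = HMAC(PRK, T(n-1) || info || n), concatenated.
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA-256 output is limited to 8160 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_vault_key(prf_output: bytes, salt: bytes, info: bytes) -> bytes:
    """Derive a 32-byte (AES-256) key from a WebAuthn PRF result."""
    if len(prf_output) != 32:
        raise ValueError("WebAuthn PRF results are 32 bytes")
    return hkdf_expand(hkdf_extract(salt, prf_output), info, 32)

def sample_keys() -> dict:
    # Constructed stand-in for the authenticator's PRF result (never a real secret).
    prf_output = bytes(range(32))
    salt = b"example-user-salt"  # hypothetical per-user salt
    return {
        # Hypothetical labels: a different info string yields an unrelated key,
        # so one PRF result can safely back several purposes.
        "documents": derive_vault_key(prf_output, salt, b"vault/documents/v1"),
        "metadata": derive_vault_key(prf_output, salt, b"vault/metadata/v1"),
    }

if __name__ == "__main__":
    for purpose, key in sample_keys().items():
        print(purpose, key.hex())
```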
Questions about security?
Email us at legal@maiviswealth.com
DUE DILIGENCE PACK
Verify our claims
Every security control is documented below. Third-party certification (ISO 27001, penetration test) is on our 2026 roadmap.