Trust & Security
At Portfolio DOC, trust is built through transparency. This page documents how we handle your data, your decisions, and our regulatory obligations — without marketing language.
Regulatory status
Portfolio DOC is in the process of obtaining a BaFin investment advisory license. By the time of launch, Portfolio DOC will be regulated by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, BaFin) as a licensed investment advisor providing Anlageberatung under § 2 Abs. 2 Nr. 4 of the German Investment Firm Act (Wertpapierinstitutsgesetz, WpIG). Until the license is in place, Portfolio DOC does not provide regulated advisory services that would require a license under the German Banking Act (KWG) or the WpIG.
You stay in control
Portfolio DOC does not hold or custody assets. Your portfolio remains with your existing brokerage at all times. We do not execute trades on your behalf — every recommendation is presented for your explicit review and approval, and you decide whether and when to act.
Bank account integration
Portfolio DOC connects to your existing accounts through Wealth API, a regulated open-banking provider supporting nearly every bank in Germany. Wealth API enables read-only access to your portfolio data, so we can run your Portfolio Check and Treatment Plan without ever holding your credentials and without granting Portfolio DOC the ability to initiate transfers or trades on your behalf.
Data residency
All user data is stored in the European Union, on infrastructure operated by Hetzner and OVH in EU-based data centers. We do not transfer personal data outside the European Economic Area, and we do not use storage providers outside Europe.
Encryption & privacy
Data is encrypted in transit using industry-standard TLS and encrypted at rest. Data used for analytics is anonymized so that individual users cannot be identified. We never share your data with third parties without your explicit consent. Your rights under the EU General Data Protection Regulation (GDPR) — access, rectification, erasure, restriction, objection, and portability — are detailed in our Privacy Policy.
Access controls
Internal access to user data is restricted to authorized personnel on a least-privilege basis, scoped strictly to operational necessity. All access is logged and reviewed.
Backups
User data is backed up regularly, and the backups are stored exclusively in EU regions. Retention periods are aligned with regulatory requirements and the original purpose of the data.
Independent audits
Portfolio DOC has not yet undergone third-party security audits such as SOC 2 or ISO 27001. As the platform scales, independent verification of our security and operational controls will be pursued and disclosed here.
What Portfolio DOC does NOT do
- Does not custody your assets
- Does not initiate trades or transfers on your behalf
- Does not store the login credentials for your bank or brokerage
- Does not share your personal data with third parties without explicit consent
- Does not currently provide investment advisory services requiring KWG or WpIG licensing — these will go live alongside the BaFin license
- Does not transfer personal data outside the European Economic Area
Questions
For data-protection inquiries, write to contact@portfoliodoc.de. For our full Privacy Policy, see /legal/privacy-policy. For the company imprint and corporate registration, see /legal/imprint.