RIAs · SEC Reg S-P

Use ChatGPT and Claude on Your Book — Without Breaching Reg S-P

PortEden replaces client names, account numbers, and NPI with placeholders before your prompt reaches OpenAI or Anthropic. Use any AI to draft client comms; the model never sees the underlying account.

See pricing

Free for solo RIAs · No credit card · Reg S-P-aligned audit log built in

Maps to: SEC Reg S-P, FINRA, GDPR, SOC 2, CCPA

The Risk

What Goes Wrong Without PortEden

You Paste a Client Email Into ChatGPT to Draft a Performance Reply

That thread holds the client's name, account number, and recent positions — every field Reg S-P treats as NPI. Sending it to OpenAI without a Reg S-P-aligned service-provider contract is the unauthorized access the new IRP rule was written to catch.

Your Junior Adviser Uses Claude to Summarize a Discovery Meeting

The transcript carries the household's full balance sheet — outside accounts, beneficiaries, and the spouse's SSN. Claude's context window is now the most concentrated copy of the client's NPI, retained per Anthropic's policy, not yours.

You Connect Outlook to an AI Assistant for Inbox Triage

Subject lines like "Smith — $4.2M rollover, statement attached" and the statement itself flow into the AI. One subprocessor change at the AI vendor and you owe 30-day breach notices to every affected household.

How PortEden Protects Your Book

Client NPI, Redacted Before It Reaches the Model.

PortEden inspects every field your AI is about to see. Account numbers, balances, beneficiaries, and free-text NPI are replaced with placeholders at the boundary — never sent to OpenAI or Anthropic.

[Diagram: Your data → PortEden Redact → Your AI (Claude, ChatGPT, Copilot, Gemini, Grok). Legend: Safe, Sensitive, Redacted.]

Compliance Reality

What the 2024 Reg S-P Amendments Actually Require When Your RIA Uses ChatGPT or Claude

  • Adopt a written incident response program covering unauthorized access to or use of customer information — including disclosures to third-party AI vendors that don't meet your standard service-provider terms.
  • Notify affected individuals within 30 days of becoming aware their non-public personal information (NPI) was, or is reasonably likely to have been, accessed or used without authorization. Compliance dates: large RIAs 2025-12-03, smaller advisers 2026-06-03.
  • Oversee service providers that receive customer information — that includes any AI vendor whose terms allow logging, training, or human review of your prompts.
  • Document everything. SEC examiners under the 2024 Reg S-P amendments will ask for the IRP, the service-provider list, and the audit trail of every NPI flow. "We trust the AI vendor's privacy policy" is not the answer they're looking for.
The Solution

Built For Financial Advisors

NPI-Aware Redaction in Gmail and Outlook

Replaces 50+ identifier types — client names, account numbers, SSNs, beneficiaries, and free-text NPI — with placeholders in under 200 ms before the prompt leaves your perimeter. The AI receives only the redacted version; the underlying account never reaches OpenAI or Anthropic.

Reg S-P 30-Day Breach Notice Readiness

The audit log records every prompt, every redaction outcome, and every service-provider hop. If a vendor's terms shift or a leak is suspected, you can identify affected customers within hours instead of weeks — the kind of evidence the new IRP rule expects.

Service-Provider Oversight, Built In

PortEden ships the service-provider documentation Reg S-P-aware programs typically need: contracts, control attestations, and the per-vendor data flow maps. One artifact for the SEC, your CCO, and your E&O carrier — not three.

Works With Claude, ChatGPT, and Copilot — No CRM Replacement

Keep using Redtail, Wealthbox, Salesforce FSC, or Black Diamond. PortEden sits in front of any AI tool — no plugin to install in your CRM, no per-adviser browser extension. Solo RIA to multi-office practice in days, not months.

Works With What You Already Use

  • Outlook: Microsoft 365 inbox-side redaction for client comms
  • Gmail: Inbox-side redaction for AI-drafted replies
  • Outlook Calendar: Strip household names from review meeting titles
  • Teams: Microsoft 365 chat redaction for adviser coordination

With and Without PortEden

The Same Workflow, Two Very Different Outcomes

Drafting a Performance Email With ChatGPT

  • Without: Client name, account number, and balance detail sent to OpenAI in plain text — unauthorized access under the 2024 Reg S-P IRP rule.
  • With: Identifiers and balances replaced with placeholders before the request leaves your network. The AI drafts the email; PortEden re-hydrates the names locally.

Summarizing a Discovery Meeting With Claude

  • Without: Full household balance sheet — outside accounts, beneficiaries, spouse SSN — sent to Anthropic. Retained per their policy, not your service-provider terms.
  • With: Numbers and structure reach the model; identifiers and SSNs are placeholders. The AI proposes the plan without seeing whose household.

Inbox Search With Copilot or Gemini

  • Without: Every matching email — statements, beneficiary forms, account numbers — sent to the AI in plain text. Includes results the search ultimately discards.
  • With: Email content reaches the model with NPI replaced by placeholders. The AI ranks results without seeing the underlying account.

SEC Examination or 30-Day Breach Investigation

  • Without: No record of which client NPI went to which AI vendor. Reconstructing it from screenshots is the IRP gap the 2024 amendments were written to close.
  • With: Per-client, per-prompt audit log of every NPI flow, exportable on demand for the SEC, FINRA, your CCO, or your E&O carrier.

Multi-Adviser Rollout to Associates and Operations

  • Without: Each adviser follows AI policy by hand; one paste-and-prompt becomes a firm-wide breach-notice event.
  • With: Firm-wide Reg S-P defaults; per-household and per-account overrides flow from your CRM or portfolio system.

Try It on Your Book

Five-Minute Setup. Free for Solo RIAs.

Connect Outlook or Gmail via OAuth. Pick the Reg S-P profile. Keep using ChatGPT or Claude exactly the way you do today — with NPI protected by default.

Frequently Asked Questions

Does using ChatGPT or Claude with PortEden count as unauthorized access under the new Reg S-P incident response rule?
PortEden replaces NPI with placeholders before the prompt leaves your perimeter. The third-party AI receives only the redacted version, so the unauthorized-access pathway the 2024 Reg S-P amendments were written to catch is closed at the boundary. You still owe the IRP, service-provider oversight, and 30-day notification obligations — but you have the audit evidence to demonstrate them.
What is the compliance deadline for the new Reg S-P amendments?
Larger RIAs (AUM ≥ $1.5B) had to comply by December 3, 2025. Smaller advisers must comply by June 3, 2026. PortEden's audit trail and service-provider documentation are designed to drop into the IRP and incident-notification workflows the rule requires — set up before the deadline rather than during your first incident.
How does PortEden help with the 30-day breach notice obligation?
The audit log records every prompt and every redaction outcome by client. If a vendor's terms shift or unauthorized access is suspected, you can identify the affected customers within hours, scope the disclosure, and produce the notification list the rule requires — instead of reconstructing it from inbox screenshots.
Will PortEden change my CRM or portfolio workflow?
No. PortEden runs in front of your AI, not your CRM. You keep using Redtail, Wealthbox, Salesforce FSC, Black Diamond, or whatever stack your practice runs on, and the redaction layer sits between any AI tool you launch and the data that AI is about to read.
Does PortEden help with FINRA Reg BI documentation?
Yes. The same per-client audit log that satisfies Reg S-P also documents Reg BI care-obligation work product — the AI-assisted recommendations a junior adviser drafted, the supervisor review, and the final version that went to the client. Two regulators, one record.
Can multi-office RIAs apply different redaction rules per state, branch, or custodian?
Yes. Set firm-wide Reg S-P defaults once; per-state, per-branch, and per-custodian overrides flow from your CRM or portfolio system. A New York DFS Part 500 branch rides a stricter profile while a non-NY branch uses the firm default — no one re-configures anything by hand.
What does it cost and how long does setup take?
There's a free tier for solo RIAs. Firm pricing scales by adviser — full pricing is on the pricing page. Setup is under 5 minutes for a solo adviser on Outlook or Gmail + ChatGPT or Claude. Multi-office firms typically take a half-day for SSO and CRM integration.

Ready to Use AI on Client Work Without the Reg S-P Risk?

Five-minute setup. Free for solo RIAs. Reg S-P-aligned audit log and 30-day breach-notice readiness from day one.

Multi-office RIA or wirehouse? Talk to sales →