A short answer to "Is this vendor due-diligence ready?" — yes for solo and small-RIA, with a roadmap for IBD/enterprise.
All messages are written to AWS S3 Object Lock in Compliance mode immediately on send/receive. Object Lock satisfies SEC 17a-4(f) per Cohasset Associates' published assessment. Retention is configurable per organization at 5 / 7 / 10 years. Records cannot be deleted or modified during the retention window — not by us, not by you.
Each org chooses pre-review or post-review. In pre-review, messages whose lexicon-match severity meets the threshold are held until a reviewer approves them. In post-review, messages send immediately and the reviewer addresses flags afterward. Critical-severity matches (e.g. "non-public information") are blocked regardless of org policy.
Every contact has an immutable consent record. Outbound sends are gated server-side on consent status. Records include the method (single-attested / double-opt-in / inbound-initiated / imported / written form), evidence pointers, and the exact text version the contact agreed to. STOP, START, and HELP keywords are enforced at the carrier-recommended wording.
Every read, write, search, export, and admin action is logged with user/IP/timestamp/target. Audit log entries are insert-only. In production these live in a dedicated AWS account separate from operational workloads (separation of duties).
Each WORM object is stored alongside its SHA-256 digest. A daily verification job re-hashes a rolling sample and alerts on any mismatch. Bit-rot, tampering, and any storage-layer error surface within 24h.
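As an added illustration (not Advisor Level's code, and not a real S3 client), the following constructed in-memory model shows the two controls above working together: a store that keeps each object's SHA-256 beside it and refuses overwrite or delete during retention, and the daily job that re-hashes a deterministic rolling sample. The window length, the in-memory store and the key-hash slotting are assumptions; a deployment would call the storage API in place of the dictionary.

```python
import hashlib
from datetime import date, timedelta


class WormStore:
    """Constructed stand-in for a WORM bucket: every object carries its
    SHA-256, and nothing under retention can be overwritten or deleted,
    mirroring Object Lock Compliance-mode semantics (assumed model)."""

    def __init__(self, retention_years: int):
        self.retention = timedelta(days=365 * retention_years)
        self.objects = {}  # key -> {"body", "sha256", "retain_until"}

    def put(self, key: str, body: bytes, today=None) -> str:
        today = today or date.today()
        if key in self.objects:
            raise PermissionError(f"{key} is under retention; overwrite refused")
        digest = hashlib.sha256(body).hexdigest()
        self.objects[key] = {"body": body, "sha256": digest,
                             "retain_until": today + self.retention}
        return digest

    def delete(self, key: str, today=None) -> None:
        today = today or date.today()
        if today < self.objects[key]["retain_until"]:
            raise PermissionError(f"{key} is retained; delete refused")
        del self.objects[key]


def rolling_sample(keys, day: date, window_days: int) -> list:
    """Deterministic daily slice: an object is due when the hash of its key
    lands on today's slot, so every object is re-checked once per window."""
    slot = day.toordinal() % window_days
    return [k for k in keys
            if int(hashlib.sha256(k.encode()).hexdigest(), 16) % window_days == slot]


def verify_day(store: WormStore, day: date, window_days: int) -> list:
    """Re-hash today's sample; return keys whose bytes no longer match the
    digest stored beside them (the alert condition)."""
    return [k for k in rolling_sample(sorted(store.objects), day, window_days)
            if hashlib.sha256(store.objects[k]["body"]).hexdigest()
            != store.objects[k]["sha256"]]


def sweep(store: WormStore, start=None, window_days: int = 1) -> list:
    """Run the daily job across one full window and union the alerts: a
    silent corruption is reported within window_days of occurring."""
    start = start or date.today()
    found = set()
    for i in range(window_days):
        found.update(verify_day(store, start + timedelta(days=i), window_days))
    return sorted(found)
```

With `window_days=1` every object is re-hashed daily; a longer window spreads the cost and bounds detection latency at the window length.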
Email compliance@advisorlevel.com and we'll fill it out within 2 business days.