Encrypted on your machine
The app keeps your records in an encrypted database on your own computer, protected by a key your operating system safeguards on the device — so the data isn’t readable if a machine or backup drive is lost or stolen.
Your portfolio data never leaves your institution.
FI Investment Tracker runs entirely on your own machine. Your holdings, CUSIPs, GL balances, source files, and reconciliation work stay inside your network — they are never uploaded to our cloud, because there is no cloud copy to breach, subpoena, or lose. The only thing our servers ever see is your license and billing status. This page explains exactly how that boundary works, so your IT, security, and exam teams can verify it themselves.
We are a new company and do not hold a SOC 2 report yet. We would rather tell you that plainly than imply otherwise. Here is why it matters less in our model: a SOC 2 attests to how a vendor protects the customer data it hosts. We host none of your portfolio data — it stays on your machine — so the usual cloud-breach surface that SOC 2 governs does not exist here.
What our servers do hold (your license and billing status) is the narrow boundary documented below, and we will pursue formal attestation as we grow.
Because the software is local-first, you are not waiting on a vendor security program to keep your data safe — your data never reaches us in the first place. You install it on your own machine, your records stay encrypted on that machine, and your IT and security team can verify every claim on this page before and after purchase. There is no hosted portfolio to onboard, no data-residency questionnaire to clear, and nothing to migrate off later.
We can’t leak what we never hold
We never store your portfolio, imported data, reports, general ledger balances, or reconciliation files on our servers. They live only on your computer, so there is no vendor-side copy of your data to breach.
We only see your license, never your book
Our servers handle billing, licensing, and support diagnostics — walled off from your financial records and any borrower documents.
Built to be verified, not just trusted
How we verify software authenticity, test backups and restores, keep audit trails, handle support, and store local backups is all documented and available for your IT or security team to review.
Automatic backups
The app backs up your data automatically, and you can run a backup yourself anytime. Each backup is checked to confirm it’s complete, and a safety copy is made before any restore so you can never lose work.
License separation
The license server receives license key and machine identity information, not holdings, CUSIPs, source files, or report packages.
Code-signed installers you can verify
Every Windows installer is digitally signed by the verified publisher GRANITE HALL SOLUTIONS LLC — the name your own machine displays at install time, confirming the file is authentic and unmodified. We also publish a verification fingerprint for each release so your IT team can confirm the download independently, and every build must clear release-channel and integrity checks before it reaches you. For your IT or security team: Windows builds are Authenticode code-signed with a published SHA-256 checksum; macOS builds add Developer ID signing and Apple notarization.
Built-in audit trail
The app keeps a record of key actions — data imports, approvals, restores, reports generated, and other security-sensitive events — so you have a clear audit trail of who did what and when.
Stricter rules for borrower data
The optional Online Loan Applications add-on is the one place applicants’ personal information is involved, so we hold it to a deliberately higher bar: encrypted hosted document storage, malware scanning, separation of each institution’s data, defined retention rules, e-signature consent tracking, and legal review before it’s turned on for live applicants. None of this touches the local-first investment tracker described above.
Support never needs your sensitive files
To help you, our support team only needs logs, screenshots, your version number, and a description of the steps to reproduce an issue. Please don’t send portfolio files or borrower documents unless we’ve set up a separate, written secure path with you first.
Security was the hard part. The rest is straightforward.
Your data stays yours, every release is signed and verifiable, and every claim here is documented for your reviewers. When your team is ready, pricing is public and you can be running on one real source file the same day.