Compliance & Due Diligence Resources
This document is intended to direct financial advisors, their compliance departments, and broker-dealers to the resources necessary for reviewing Levitate in connection with supervisory approval. It consolidates references to the information most relevant to regulatory considerations, firm policies, and due diligence requirements.
Trust Center
A live view of our security controls is accessible in our Trust Center. Our Annual SOC 2 Report and Disaster Recovery Plan are available here but require approved access and acceptance of our MNDA. Requests to access these documents will be reviewed and approved by Levitate’s Compliance team.
Levitate Features
- A short Levitate Demo tailored for Financial Professionals can be viewed here
- Deeper feature dives, details, and integration information can be found in our Knowledge Base. Some features may be turned off based on your guidelines.
FAQs
Q: How does Levitate’s email feature work?
A: Levitate requires email credentials in order to connect to your email provider on your behalf to send email and interact with your calendar and address book. Your credentials will be encrypted and stored with a unique encryption key managed by Amazon Web Services Key Management Service. The encryption key never leaves Amazon's secured environment. At no time do we store any unencrypted versions of your credentials. If you wish to remove Levitate's access, simply change your password with your email provider.
Q: How does Levitate manage email passwords?
A: For Office 365 and Google Workspace, Levitate leverages OAuth, an open-standard authorization protocol that enables applications to obtain secure, delegated access. By design, OAuth restricts our access strictly to the permissions required for Levitate to function effectively. Importantly, OAuth does not transmit or expose password data. Instead, it utilizes secure authorization tokens to establish identity and facilitate communication between your email server and the Levitate application. This means you can grant Levitate access without ever sharing your password, significantly reducing risk. In the unlikely event of a security incident, your email password would remain fully protected.
For Microsoft Exchange and IMAP email servers, credentials must be retained for integration purposes. Levitate manages these credentials with the highest level of security. All stored credentials are encrypted using Amazon Web Services (AWS) Key Management Service (KMS). AWS KMS employs FIPS 140-2 validated hardware security modules to safeguard encryption keys, and each user’s credentials are protected with a unique encryption key. These keys never leave the hardware modules, ensuring an additional layer of protection. Access to Levitate’s KMS system is highly restricted and granted only to the company’s Chief Architect and Founder/CEO.
Q: How does email archiving work?
A: Any emails you send via Levitate will come from your email server. Those emails will follow your existing archiving protocol (e.g., Smarsh, Global Relay) and will be archived as if you had sent them individually from your regular email service.
Q: How does compliance approval work for content?
A: There are two options. You may use the Compliance Flow, or Broker Dealers may request an account in which they can review content in the library and approve or reject it. Advisors under that Broker Dealer will be able to see which content was pre-approved by their compliance team.
Further Assistance Needed
If you require a vendor due diligence questionnaire to be completed by Levitate, please send it to security@levitateapp.com.
If you need further clarification on features, functionality, or anything else, reach out directly to your account's Success specialist.