// Trust & Security Report

    AL Advisors Management Inc. logo

    AL Advisors Management Inc.

    Venture capital fund administration and investment management platform with modules for Venture Funds, SPVs, Scout Funds, Digital Subscriptions (investor management workflows), and Data Rooms

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Service Organization Controls (Soc2) (Type II) Trust Services Principles. The full report is available to customers upon request.

    Verify on trust-portal.angellist.com
    GDPR
    HELD

    Protects the personal data and privacy of EU citizens for transactions that occur within EU member states.

    Verify on trust-portal.angellist.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    AngelList uses Google Cloud Platform, which is ISO 27001 certified, but AngelList itself does not hold ISO 27001 certification. No public evidence of AngelList's own ISO 27001 certification.

    source: stack.angellist.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or coverage on AngelList's trust center or security pages.

    source: trust-portal.angellist.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on AngelList's trust center. AngelList uses payment processors (Plaid, Treasury Prime) but does not claim PCI DSS compliance itself.

    source: trust-portal.angellist.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification on AngelList's trust center or security pages.

    source: trust-portal.angellist.com
    FedRamp
    NOT CONFIRMED

    No public evidence of FedRamp compliance on AngelList's trust center or security pages.

    source: trust-portal.angellist.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States (Google Cloud Platform servers in Iowa and other US regions)

    AngelList explicitly states: 'AngelList does not allow company data to be used for training on third-party systems.' This restriction applies to their Tie Out Assistant AI feature.

    // Security controls

    Encryption in transit

    HTTPS and TLS encryption for data transmitted over the internet

    stack.angellist.com

    Encryption at rest

    Sensitive data encrypted at rest with encryption at multiple layers

    stack.angellist.com

    Multi-factor authentication

    Two-factor authentication required for fund transfers and sensitive operations; strong password + second authentication factor for system access

    stack.angellist.com

    Penetration testing

    Annual network and application penetration testing of production environment by third-party; critical and high-risk findings tracked to resolution

    trust-portal.angellist.com

    Vulnerability management

    Formal Vulnerability Management and Patch Management Policy with defined processes for responding to identified vulnerabilities

    trust-portal.angellist.com

    Access controls

    Granular user permission controls; strong password requirements; two-factor authentication for sensitive systems

    stack.angellist.com

    Audit logging

    Audit logs maintained for system access and changes

    stack.angellist.com

    Automated security scanning

    Automated security scanning of infrastructure and applications

    stack.angellist.com

    Incident response

    Formal Incident Response Planning documented and maintained

    trust-portal.angellist.com

    Change management

    Change Management and Development Controls documented with security requirements for secure software development and maintenance

    trust-portal.angellist.com

    Business continuity

    Business Continuity and Disaster Recovery planning with annual backup restoration testing

    trust-portal.angellist.com

    Data retention

    Data Retention and Disposal Policy specifies retention based on compliance requirements and contractual obligations; customer data removed upon request

    trust-portal.angellist.com

    Bug bounty

    Bug bounty program managed through Federacy

    stack.angellist.com

    // Products & data scope

    Venture FundsFund Administration

    data: Fund data, investor information, deal documents, cap tables, financial records

    Full-service fund management including administration, investor management, document handling

    SPVs (Special Purpose Vehicles)Fund Administration

    data: Deal-specific investor and financial data

    Enables raise of capital on deal-by-deal basis with access to AngelList Capital Network

    Scout FundsFund Administration

    data: Scout program management and deal pipeline data

    Reduces operational burden for launching or scaling scout programs

    Digital SubscriptionsInvestor Management

    data: LP subscription agreements and investor documentation

    Replaces subscription paperwork with digital workflows

    Data RoomDocument Management

    data: Confidential deal documents, fund documents, investor materials

    Secure document storage and sharing for fund data. SOC2 compliant.

    Investor PortalInvestor Management

    data: Investor account information, portfolio data, performance tracking

    Self-service portal for investor access to fund information

    // What to watch

    • ISO 27001 confusion: Third-party security profiles (e.g., Nudge Security) may infer ISO 27001 compliance based on Google Cloud certification, but AngelList itself does not hold ISO 27001 certification. The security page states 'Google Cloud Platform is ISO 27001 certified' (referring to GCP, not AngelList).
    • Over-claim risk in third-party sources: Nudge Security and similar profiles list HIPAA, PCI DSS, FedRamp, and CSA STAR as 'inferred' certifications for AngelList, but these are NOT documented on AngelList's own trust center. AngelList itself does not appear to claim these certifications publicly.
    • Privacy policy URL variations: Multiple URLs point to privacy policy (venture.angellist.com/privacy and venture.angellist.com/v/legal/privacy), suggesting possible recent URL reorganization. Content delivery was minimal on direct fetch; recommend confirming via contact.
    • GDPR compliance is stated as data protection commitment for EU citizens but no explicit mention of Data Processing Agreement (DPA) availability in public documentation.
    • Regulatory scope: AngelList is a venture capital/fund administration platform, not a healthcare provider or financial processor, which explains the absence of HIPAA and PCI DSS certifications.

    // At a glance

    Pricing model

    SaaS subscription with tiered plans based on fund size and feature needs; separate pricing for fund administration, investor management, digital subscriptions

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on AL Advisors Management Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust-portal.angellist.com

    > Browse all vendor trust reports