Security
Effective date: June 15, 2026 · Last updated: June 15, 2026
Bamboo Capital, LP is a private single-family office. We maintain a written information security program designed to protect the personal and financial information of the principal and his immediate family. This page summarizes our practices. Detailed internal policies (Information Security, Access Control, Data Retention & Deletion) are maintained internally and are available to vendors on request under appropriate confidentiality terms.
Scope
Our security program covers:
- Cloud-hosted productivity and communication services (email, document storage, calendar)
- Financial account aggregation data received via Plaid and similar providers
- Endpoint devices used by the principal and one bookkeeper
- Vendor relationships that process family-office data
Access controls
- Access to financial account data is limited to two named internal users: the principal of Bamboo Capital and one bookkeeper.
- All accounts that hold or access family-office data are protected by multi-factor authentication (TOTP, hardware key, or platform passkey, depending on the service).
- Access is reviewed at least annually and on any role change or vendor change.
- Access is revoked within one business day of role termination or device loss.
Authentication and credentials
- Account credentials are stored in a password manager that is itself protected by a strong master credential plus a second factor.
- We never share credentials over email or chat.
- API keys and OAuth tokens are stored in encrypted local files with owner-only read permissions on the device that uses them, and are rotated when there is any indication of compromise.
Endpoint protection
- All endpoint devices use full-disk encryption (FileVault, BitLocker, or equivalent).
- Operating systems and applications are kept up to date with security patches.
- Endpoint protection software is enabled on all devices that handle family-office data.
- Devices are configured to lock automatically after a short period of inactivity and require authentication on resume.
Data in transit and at rest
- All data exchanged with third-party services uses TLS 1.2 or higher.
- Data at rest on endpoint devices and cloud services is encrypted using vendor-provided encryption (typically AES-256).
- Cached financial-account snapshots used for internal dashboards are stored only on encrypted endpoints with owner-only file permissions.
Vendor risk management
- We use a small, deliberate set of vendors: Plaid (account aggregation), Google Workspace (email and document storage), Squarespace and GitHub Pages (website hosting), and our financial custodians (Charles Schwab & Co. and others).
- Each vendor is reviewed for SOC 2, ISO 27001, or equivalent certification at onboarding and at least annually thereafter.
- We do not grant vendors broader access to our data than is needed to deliver the contracted service.
- We do not share family-office data with advertising or analytics providers.
Data retention and deletion
- Financial-account snapshot data is retained only while the corresponding linked account is active.
- When an account is unlinked, the corresponding aggregation token is revoked and the cached snapshot is deleted within 30 days, unless the data must be retained for tax, accounting, or legal purposes (typically seven years).
- Routine backups are retained for 90 days and then rotated out. Data deleted from primary systems is removed from backups within that rotation window unless covered by a legal hold.
Incident response
We maintain a written incident response procedure. In summary:
- Suspected incidents are investigated immediately by the principal.
- Affected credentials, tokens, and access paths are revoked or rotated.
- Affected vendors and custodians are notified as required by their terms and by applicable law.
- The incident is documented internally, and the lessons learned are applied to our written policies.
If a security incident materially affects information about a third party, we will notify the affected party in accordance with applicable law.
Reporting a vulnerability
If you believe you have found a security issue affecting bamboo.me or any system operated by Bamboo Capital, LP, please email assist@bamboo.me with the details. We appreciate responsible disclosure.
Contact
assist@bamboo.me