For RIAs and broker-dealers

AI supervision and recordkeeping for investment firms

Your team uses ChatGPT, Claude, and Copilot every day. TinyFox gives your firm a complete record of how — with the audit trail, supervisory controls, and policy enforcement your next SEC or FINRA examination will ask about.

app.tinyfox.ai · Acme Capital LLC · Compliance dashboard

Last 30 days

AI interactions: 14,200 (+18%) · this month, firm-wide
Sensitive data blocked: 8 (−2) · last 30 days
Supervisory queue: 12 (+4) · pending review
Retention: 7 yrs (7-yr policy) · tamper-proof

AI interactions logged

14,200 total · 8 blocked · 12 flagged for review

[Chart: last 14 days, Jan 31 to Feb 13 · legend: Clean, Flagged, Blocked]

Supervisory queue · 12 pending

  • Quarterly letter draft — performance claim · s.patel · Client Service · 3 min ago · Rule 206(4)-1
  • Client email blocked — SSN detected · a.chen · Client Service · 11 min ago · PII policy
  • Account note flagged — possible MNPI · j.martinez · Investment Research · 28 min · Rule 204A-1
  • Marketing copy — testimonial language · m.kumar · Operations · 1 hr ago · Rule 206(4)-1

8 more in queue

Spend by team · Feb 2026

Investment Research $1,200
Client Service $640
Operations $380
Compliance (read-only) $180

Total $2,400 · Budget $3,500 · vs. Jan −14%

AI providers your team already uses

OpenAI Anthropic Google Microsoft Copilot

+ in-browser tools via Chrome extension (coming May 2026)

The fastest path to AI compliance

One config change. Full coverage. No SDK, no code changes, no multi-team rollout. Setup in 15 minutes.

.env

Before

OPENAI_BASE_URL=https://api.openai.com/v1

After

OPENAI_BASE_URL=https://api.tinyfox.ai/v1

That's it. Every call now flows through TinyFox.

Every request logged

Tamper-proof audit trail with full prompt, response, user, team, and cost attribution.

PII scanned and blocked

SSNs, credit cards, and sensitive data caught before they reach the model.

Policies enforced

Model restrictions, budget limits, and usage controls — all at the API layer.

Compliance evidence generated

Audit-ready exports built from your actual usage data, not a spreadsheet assembled over the weekend.

What TinyFox captures

Evidence your compliance program can rely on

Books and records

Every AI interaction logged with full prompt, response, user, team, model, and timestamp. Tamper-proof, indexed, and exportable.

Supervisory review

Flagged interactions queued for compliance review. PII, policy violations, or content meeting your firm's risk criteria — surfaced, not buried.

Marketing rule controls

Content checks on AI-assisted client communications. Catch performance claims, testimonials, and other marketing-rule triggers before they ship.

Cost and usage attribution

Spend, tokens, and request volume attributed by user, team, and provider. Anomalies flagged. No more month-end surprises.

The rules that govern AI usage at investment firms

For RIAs (SEC-regulated)

  • Investment Advisers Act Rule 204-2 — Books and Records
  • Rule 206(4)-7 — Compliance Program Rule
  • Rule 206(4)-1 — Marketing Rule
  • 2025 SEC Examination Priorities — AI flagged as focus area

For broker-dealers (FINRA-regulated)

  • FINRA Rule 3110 — Supervision (WSPs must address AI tools)
  • FINRA Rule 4511 — Books and Records (AI-generated communications)
  • FINRA Rule 2210 — Communications with the Public
  • FINRA Regulatory Notice 25-07 — request for comment on AI; signals examiner focus

TinyFox gives your compliance program the evidence and controls these rules require, without slowing your team down.

Sources: SEC.gov — Investment Adviser rules · FINRA.org — Rules & Guidance · FINRA Reg Notice 25-07

Flying blind gets expensive fast.

60% of organizations have no visibility into AI usage (Cisco, 2025)

39.7% of data input to AI tools is sensitive (Cyberhaven, 2026)

$670K added to average breach cost from shadow AI (IBM, 2025)

Built for the people who own AI risk at your firm

Chief Compliance Officer

Show your next examiner exactly how AI is used at your firm

Complete books and records, supervisory review trail, and marketing-rule controls — all generated from your firm's actual AI usage, not a spreadsheet assembled the week before the exam.

Managing Partner / President

Protect your firm's reputation on every client communication

AI-assisted client emails, market commentary, and proposals all flow through one place. Sensitive data caught. Performance claims flagged. The risk doesn't sit in a dozen private ChatGPT tabs.

Chief Operating Officer

One source of truth for AI tools, costs, and risk

Spend by team, model, and provider. Policies enforced at the API layer. Vendor sprawl replaced with a single line item, a single audit trail, and a single place your CCO can answer to.

Books and Records

What your examiner sees

Every AI interaction your team had — timestamped, attributed, and tamper-proof. Filterable by team, user, model, content category, and status. Exportable in the format your compliance team needs.

Audit Trail — Request Log

14:32:07 · Investment Research · j.martinez · 10-K summary · GPT-4 · 2,847 · Clean
14:31:44 · Client Service · a.chen · Email draft · GPT-4o · Blocked
14:31:12 · Client Service · s.patel · Quarterly letter · Claude · 3,420 · Review
14:30:38 · Operations · m.kumar · Policy lookup · GPT-4o · 1,203 · Clean

Showing 4 of 14,200 interactions

Sensitive data detected, blocked, and documented

If a client SSN, account number, or piece of MNPI ends up in a prompt, that's a compliance incident with no record. No evidence it happened, no proof you tried to stop it, and nothing for your CCO to bring to the next exam.

TinyFox scans every prompt before it reaches the model — SSNs, account numbers, client PII, material non-public information, and credentials. Requests are blocked in real time, and every incident is logged to a tamper-proof audit trail with full context for your compliance team.

1. Sensitive data detected in prompt
   SSN (***-**-4832) found in request from client service team · gpt-4o

2. Request blocked
   Prompt never reached the model · policy: block-pii-critical

3. Incident documented · Audit log updated
   Full context logged · compliance evidence preserved · team notified

Your AI policy is a PDF nobody reads.
TinyFox enforces it.

Every company has an acceptable use policy for AI. Almost none can enforce it. TinyFox does — automatically, at the API layer, before the data ever leaves your network.

Block sensitive data in prompts

Requests containing SSNs, account numbers, client PII, or material non-public information are caught and blocked before they reach the model.

Restrict models by team

Investment Research gets GPT-4. Client Service gets Claude Haiku. Compliance gets read-only access. You decide.

Budget guardrails

Set spend limits per team. Get Slack alerts on spikes. No more month-end surprises from runaway experiments.

Attribute every dollar of AI spend

When your COO asks how AI spend tracks against your operating budget, you need an answer — by team, content category, and provider. Not a guess. Not a single line item on a vendor invoice.

TinyFox attributes every request automatically, so cost is traceable, anomalies are flagged, and your books reflect what each team actually used AI for.

Spend by team

Feb 2026

Investment Research $1,200
Client Service $640
Operations $380
Compliance (read-only) $180
4 teams · Feb 2026 $2,400

Live within two weeks, not two quarters

No SDKs. No code changes. No multi-team rollout project. One config change per AI provider, and every team is covered.

0 lines of code changed

~1 hr per AI provider to configure

100% of your team's API-based AI usage captured

Ready to give your compliance program the evidence it needs?

Book a 15-minute call. We'll walk through how TinyFox maps to your firm's supervisory and recordkeeping obligations.