Protecting Customer Information

How does Webull protect my personal information?

Protecting your personal data isn’t just a regulatory requirement at Webull—it’s a core principle of our business. We understand that trust is essential in any financial relationship, so we implement rigorous security practices and uphold high ethical standards to safeguard your information.

This page outlines how we collect, manage, and secure your data, and the steps we take to keep your account safe.

Why does Webull collect my personal information?

We collect personal information to provide and enhance our services, meet regulatory obligations, and protect users from fraud. This includes:

• Identity data: Legal name, date of birth, Social Security number
• Contact details: Phone number, email, mailing address
• Financial information: Income details, bank account data
• Usage data: Device identifiers, login behavior, and platform activity

This data supports account setup, verification, ongoing servicing, and security.

What security measures are in place to protect my data?

Webull uses advanced, industry-standard protections across all systems, including:

• Access controls to prevent unauthorized usage.
• Intrusion detection systems and active threat monitoring.
• Routine vulnerability scans and penetration testing.
• Incident response plans for rapid mitigation.
• Encryption of all data—both in transit and at rest.
• System monitoring to maintain reliability and uptime.
• Disaster recovery and business continuity protocols.
• Annual independent audits, including SOC 2 Type 2 assessments.

These measures help ensure the confidentiality, integrity, and availability of your personal data.

Is my information encrypted?

Yes. All personal data is encrypted in transit and at rest using strong, modern encryption protocols to help ensure its security.

Where is my data stored?

Webull hosts customer data on Amazon Web Services (AWS) cloud infrastructure:

• Primary location: Northern Virginia
• Backup location: Northern California

Both facilities are within AWS’s North America data center network.

How is my account protected from unauthorized access?

We implement multi-layered account protections:

• Multi-factor authentication (MFA).
• Device and behavioral monitoring to detect abnormal logins.
• IP screening to block suspicious or unrecognized access attempts.

These tools provide additional layers of defense beyond your username and password.

Does Webull share my information with third parties?

We only share personal information with third-party service providers when required to operate our services or comply with the law. These providers are contractually obligated to uphold strict data security and confidentiality standards. Webull does not sell your personal data or share it with marketing firms.

Can I control or update my privacy settings?

Yes. You can access, update, or delete your personal data through the Webull app or website. If you need help managing your settings, our support team is available to assist.

How does Webull comply with privacy regulations?

Webull adheres to all relevant data protection laws, including:

• Regulation S-P
• California Consumer Privacy Act (CCPA)

We maintain dedicated privacy and security teams to ensure our practices evolve with legal and regulatory developments.

What should I do if I believe my account was compromised?

If you suspect unauthorized activity on your account or believe your personal information has been exposed, please contact Webull’s support team immediately. We’ll assist you in securing your account and conducting an investigation.

What is a SOC 2 Type 2 audit?

A SOC 2 Type 2 audit is an independent review of an organization’s data security controls over time, evaluating five trust principles: security, availability, processing integrity, confidentiality, and privacy. Unlike a Type 1 audit (which reviews a single point in time), Type 2 measures how effectively those controls operate over at least six months.

Why is this audit important?

A SOC 2 Type 2 report provides third-party assurance that a company consistently maintains robust data protection protocols. It reduces the risk of breaches, supports regulatory compliance, and strengthens customer trust.

What does Webull’s SOC 2 Type II compliance mean?

In October 2024, Webull Financial LLC’s parent company, Webull Corporation, successfully completed a SOC 2 Type II audit with an unqualified opinion, meaning the audit found no significant exceptions. This validates our commitment to security, operational reliability, and responsible data handling.

Who performed the audit?

The audit was conducted by Prescient Assurance, a public accounting firm specializing in global risk and compliance frameworks including SOC 2, PCI, ISO, GDPR, HIPAA, and more. For more information about Prescient Assurance, you may reach out them at info@prescientassurance.com.