Security & trust
What we do to protect your compliance data. Last updated 2026-05-15.
Encryption
- TLS 1.3 in transit (Cloudflare edge + origin)
- Passwords hashed with bcrypt (cost 10) — we cannot read them
- Password reset tokens SHA-256-hashed before the DB write (the plaintext exists only in the email link)
- API keys SHA-256-hashed in the DB (the plaintext is shown ONCE, on creation)
- NextAuth JWT sessions signed with HMAC-SHA256; the signing secret is rotated independently of the database
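The hash-before-store pattern for API keys and reset tokens, as an added example that is not the product's own code. It assumes an `msk_` prefix (from the page), a one-hour reset-token lifetime, a `rst_` prefix for reset tokens and in-memory Maps in place of the real tables; all of those are assumptions for illustration. Issuance returns the plaintext once, lookup hashes whatever the client presents and searches by digest, and reset tokens are consumed on first use.

```typescript
import { createHash, randomBytes } from "node:crypto";

// In-memory stand-ins for the api_keys and password_reset_tokens tables.
// Constructed for this example; the product's real column names are not on
// the page and are assumed here.
type ApiKeyRow = { id: string; orgId: string; revoked: boolean };
type ResetTokenRow = { userId: string; expiresAt: number };
const apiKeysByHash = new Map<string, ApiKeyRow>();
const resetTokensByHash = new Map<string, ResetTokenRow>();

const RESET_TOKEN_TTL_MS = 60 * 60 * 1000; // assumption: links expire after 1 hour

// The only thing that ever reaches the database is this digest.
export function sha256Hex(secret: string): string {
  return createHash("sha256").update(secret, "utf8").digest("hex");
}

// 32 random bytes (256 bits) rendered as base64url, so the secret is safe in a
// URL and in an Authorization header. The prefix lets logs and secret scanners
// recognise the token type without revealing anything about its value.
function randomSecret(prefix: string): string {
  return prefix + randomBytes(32).toString("base64url");
}

// Issue an API key scoped to one org. The plaintext is returned exactly once
// and is never persisted; "msk_" is the prefix shown on the page.
export function issueApiKey(orgId: string): { id: string; plaintext: string } {
  const plaintext = randomSecret("msk_");
  const id = "key_" + randomBytes(8).toString("hex"); // stable handle for revocation
  apiKeysByHash.set(sha256Hex(plaintext), { id, orgId, revoked: false });
  return { id, plaintext };
}

// Resolve an Authorization header to the org the key is scoped to, or null.
// Hashing the presented key and looking the digest up means a leaked table
// yields no usable credentials.
export function resolveApiKey(authorization: string | undefined): string | null {
  const match = /^Bearer (msk_[A-Za-z0-9_-]+)$/.exec(authorization ?? "");
  if (!match) return null;
  const row = apiKeysByHash.get(sha256Hex(match[1]));
  return row && !row.revoked ? row.orgId : null;
}

// Revoke by id: the user never holds the plaintext again, so revocation must
// not depend on it. Returns false if no such key exists.
export function revokeApiKey(id: string): boolean {
  const row = Array.from(apiKeysByHash.values()).find((r) => r.id === id);
  if (!row) return false;
  row.revoked = true;
  return true;
}

// Password reset uses the same pattern; the plaintext goes only into the email link.
export function createResetToken(userId: string, now: number = Date.now()): string {
  const plaintext = randomSecret("rst_"); // assumption: prefix is illustrative
  resetTokensByHash.set(sha256Hex(plaintext), { userId, expiresAt: now + RESET_TOKEN_TTL_MS });
  return plaintext;
}

// Redeem once: the row is deleted on first presentation, expired or not, so a
// token from an old email can never be replayed.
export function redeemResetToken(plaintext: string, now: number = Date.now()): string | null {
  const hash = sha256Hex(plaintext);
  const row = resetTokensByHash.get(hash);
  if (!row) return null;
  resetTokensByHash.delete(hash);
  return row.expiresAt > now ? row.userId : null;
}
```

Because the stored digest is of a 256-bit random value, a plain SHA-256 is adequate here; bcrypt is needed for passwords because they are low-entropy and guessable, not for tokens the server generated itself.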
Multi-tenant isolation
- Every database row carries an orgId foreign key
- Every server-side API route calls requireOrgId() on the JWT before running any query
- Public API keys (Bearer msk_…) are scoped to a single org; org-leakage is structurally impossible
- SQL queries always filter on orgId first; there are no global queries in the app code

Audit log
- Every mutation (property create/update/delete, permit changes, tax filings, document uploads, subscription events, password resets, API key issuance/revocation) is logged with actor + IP + JSON change diff
- Append-only — admins cannot delete entries from the UI
- Available to org admins at /admin/audit-log
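How the isolation and audit-log rules above fit together in one mutation path, as an added example rather than the product's code: the route derives orgId from the verified JWT claims before touching data, reads and writes only rows owned by that org, and appends an audit entry carrying actor, IP and a JSON change diff. Property rows, the claims shape, the `Forbidden`/`NotFound` errors and the in-memory Maps standing in for SQL tables are all constructed assumptions for this example.

```typescript
// Claims as NextAuth would hand them to a route after verifying the JWT
// signature (assumption: the claim is named orgId, as on the page).
type Claims = { sub: string; orgId?: string };

type Property = { id: string; orgId: string; address: string; units: number };
type Diff = Record<string, { from: unknown; to: unknown }>;
type AuditEntry = {
  at: number;
  actorId: string;
  ip: string;
  orgId: string;
  action: string;
  targetId: string;
  diff: Diff;
};

export class Forbidden extends Error {
  constructor(msg: string) { super(msg); this.name = "Forbidden"; }
}
export class NotFound extends Error {
  constructor(msg: string) { super(msg); this.name = "NotFound"; }
}

// Constructed seed data standing in for the properties table: two orgs, one row each.
const properties = new Map<string, Property>([
  ["prop_1", { id: "prop_1", orgId: "org_A", address: "1 Aloha Dr", units: 8 }],
  ["prop_2", { id: "prop_2", orgId: "org_B", address: "2 Bay St", units: 3 }],
]);

// The audit table is append-only: this module exposes a push and a scoped read,
// and nothing that updates or deletes an entry.
const auditLog: AuditEntry[] = [];

// Every route calls this first. A session without an org never reaches a query.
export function requireOrgId(claims: Claims | null | undefined): string {
  if (!claims || !claims.orgId) throw new Forbidden("session has no orgId");
  return claims.orgId;
}

// Shallow JSON diff: one entry per key whose serialised value changed.
export function jsonDiff(before: Record<string, unknown>, after: Record<string, unknown>): Diff {
  const diff: Diff = {};
  const keys = Array.from(new Set([...Object.keys(before), ...Object.keys(after)]));
  for (const key of keys) {
    if (JSON.stringify(before[key]) !== JSON.stringify(after[key])) {
      diff[key] = { from: before[key], to: after[key] };
    }
  }
  return diff;
}

// Read scoped to the caller's org. A valid id owned by another org is simply
// "not found": the org check is applied before anything else about the row matters.
export function getProperty(claims: Claims, id: string): Property | null {
  const orgId = requireOrgId(claims);
  const row = properties.get(id);
  return row && row.orgId === orgId ? row : null;
}

// Update = scoped read, write, audit entry. The patch type cannot carry id or
// orgId, and both are re-pinned on write, so a row can never move between orgs.
export function updateProperty(
  claims: Claims,
  ip: string,
  id: string,
  patch: Partial<Pick<Property, "address" | "units">>,
  now: number = Date.now(),
): Property {
  const before = getProperty(claims, id);
  if (!before) throw new NotFound(`property ${id}`);
  const after: Property = { ...before, ...patch, id: before.id, orgId: before.orgId };
  properties.set(id, after);
  auditLog.push({
    at: now,
    actorId: claims.sub,
    ip,
    orgId: before.orgId,
    action: "property.update",
    targetId: id,
    diff: jsonDiff(before, after),
  });
  return after;
}

// What an org admin's audit-log page would render: only their org, newest first.
export function auditEntriesFor(claims: Claims): AuditEntry[] {
  const orgId = requireOrgId(claims);
  return auditLog.filter((e) => e.orgId === orgId).slice().reverse();
}
```

Returning "not found" rather than "forbidden" for another org's id is deliberate: it keeps the response identical to a genuinely missing row, so the existence of ids in other tenants is never confirmed.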
Subprocessors
We share customer data with these subprocessors only as needed for the service to function. None of them have a contractual right to use your data for their own purposes.

| Vendor | Purpose | Data shared |
|---|---|---|
| Stripe | Billing / payments | Org name, email, billing address (collected by Stripe directly) |
| Anthropic | Claude document classification | Uploaded image/PDF bytes (when you upload to /documents) |
| Resend | Email delivery (reminders, password resets) | Recipient email, subject, body text |
| Cloudflare | DNS, edge SSL, OG image generation | HTTP request metadata; no DB data |
| Vultr | Hosting (Honolulu / SJC) | All app data — encrypted at rest via filesystem-level encryption |
Data retention + deletion
- You can delete your account and all associated data from Settings — most data is deleted within 30 days
- Audit log entries are retained for compliance — even if you delete a property, the audit records of who created/modified it remain
- Backups are retained for 7 days, then deleted
- Tax filings: we don't delete records of tax filings you've already filed — those are part of your compliance defense
Cookies + tracking
- Only functional cookies: NextAuth session + CSRF protection
- No analytics scripts, ad pixels, or cross-site tracking
- A banner notifies users on first visit; dismissal is stored in localStorage (not a cookie)
Security headers
Every response includes:
- Strict-Transport-Security: max-age=63072000; preload (via Cloudflare)
- Content-Security-Policy: default-src 'self'; script-src 'self' …
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(self)
Rate limits
- Login: 5 attempts per IP+email per 15 minutes
- Registration: 5 per IP per hour
- Password reset request: 5 per IP per hour; the response doesn't reveal whether an email exists
- Document classification: 30 per IP per hour
- Public API (per key): 1,000 requests per hour
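A sliding-window limiter with the limits listed above, plus the password-reset endpoint's uniform response, as an added example (not the product's own code). The rule names, the `ip|email` subject format, the constructed `KNOWN_EMAILS` set and the injected clock are assumptions made for illustration; the numbers are the ones on the page.

```typescript
type Rule = { limit: number; windowMs: number };

// The limits stated on the page. The comment names what each limit is keyed on.
export const RULES: Record<string, Rule> = {
  login: { limit: 5, windowMs: 15 * 60 * 1000 },         // per IP+email
  register: { limit: 5, windowMs: 60 * 60 * 1000 },      // per IP
  passwordReset: { limit: 5, windowMs: 60 * 60 * 1000 }, // per IP
  classify: { limit: 30, windowMs: 60 * 60 * 1000 },     // per IP
  publicApi: { limit: 1000, windowMs: 60 * 60 * 1000 },  // per API key
};

export type Decision = { allowed: boolean; remaining: number; retryAfterMs: number };

// Sliding-window limiter: keeps the timestamps of recent hits per (rule, subject)
// and counts those inside the window. Time is injected so behaviour is testable.
export class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();
  constructor(private rules: Record<string, Rule> = RULES) {}

  check(rule: string, subject: string, now: number = Date.now()): Decision {
    const r = this.rules[rule];
    if (!r) throw new Error(`unknown rate-limit rule: ${rule}`);
    const key = `${rule}:${subject}`;
    const cutoff = now - r.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    if (recent.length >= r.limit) {
      this.hits.set(key, recent); // drop expired entries even when denying
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + r.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: r.limit - recent.length, retryAfterMs: 0 };
  }
}

// Login is limited per IP+email, so one address trying many accounts and many
// addresses trying one account each land in separate buckets. The email is
// normalised so "Alice@X" and "alice@x" share a bucket.
export function loginSubject(ip: string, email: string): string {
  return `${ip}|${email.trim().toLowerCase()}`;
}

// Constructed stand-in for the users table.
const KNOWN_EMAILS = new Set(["alice@example.com"]);

// Password reset request: limited per IP, and the response is identical whether
// or not the address exists, so the endpoint does not confirm which accounts exist.
export function requestPasswordReset(
  limiter: SlidingWindowLimiter,
  ip: string,
  email: string,
  now: number = Date.now(),
): { status: number; body: string } {
  const decision = limiter.check("passwordReset", ip, now);
  if (!decision.allowed) {
    return { status: 429, body: `Too many requests; retry in ${Math.ceil(decision.retryAfterMs / 1000)}s` };
  }
  if (KNOWN_EMAILS.has(email.trim().toLowerCase())) {
    // enqueue the reset email here (token issuance is not part of this example)
  }
  return { status: 200, body: "If an account exists for that address, a reset link has been sent." };
}
```

Two practical notes: the email send should be queued rather than awaited, so that response time does not differ between known and unknown addresses; and because the hit log lives in process memory here, a multi-instance deployment would need the same structure in a shared store for the per-IP counts to hold across instances.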
Live status
Real-time public health page at /status — DB ping, reminder queue depth, last cron run, integrated service flags.
Vulnerability reporting
Found a vulnerability? Email [email protected]. Please don't open public GitHub issues for security-sensitive findings. We acknowledge reports within 48 hours and aim to patch high-severity findings within 7 days.
We don't currently offer a paid bug bounty, but we'll credit you on the next changelog entry if you'd like.
What we DON'T do
- Sell, rent, or share data with third parties beyond the subprocessors listed above
- Train AI models on your data (Anthropic processes uploads via their API but doesn't train on them, per their API ToS)
- Read your documents for analytics — the Claude classify call returns the extraction directly to your record
- Track you across the web — no Google Analytics, no Facebook Pixel, no Hotjar
Questions for procurement or your security team?
Email [email protected]