Yes. Your financial documents are encrypted in transit and at rest, isolated from other firms at the database level, and stored on infrastructure operated by SOC 2 Type II–compliant providers. Below is a plain-English summary of the controls in place and the steps you can take to harden your own account.
Encryption
- In transit: All traffic between your browser and our servers is encrypted using TLS 1.2 or higher.
- At rest: All files in storage and rows in the database are encrypted using industry-standard encryption managed by our cloud provider.
- Payments: Card details are handled directly by Stripe — we never store full card numbers.
Infrastructure
- Database, authentication, and file storage run on Supabase, hosted in SOC 2 Type II–compliant data centers.
- Application backend runs on Render.
- AI classification calls go to the Anthropic Claude API. Per Anthropic policy, your data is not used to train their models.
Access Controls
- Row-level security policies on the database enforce strict isolation — one firm cannot read another firm's data.
- Multi-factor authentication (MFA) is enforced for all administrative and staff accounts.
- Significant actions (uploads, downloads, role changes) are written to an audit log.
- Every uploaded file is scanned for malware, checked for an accepted MIME type, and rejected if it exceeds the 20 MB size limit, all before any processing takes place.
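The isolation, upload-limit and audit-log controls listed above can be expressed in the database itself. The following Postgres/Supabase SQL is an added illustration, not the product's own schema or policies: the table names (firm_members, documents, audit_log), the helper function my_firm_ids(), and the MIME allow-list are assumptions made for the example; auth.uid() and the authenticated role are Supabase conventions.

```sql
-- Assumed schema: one shared documents table, with firm_id as the isolation boundary.
create table public.firm_members (
  user_id uuid not null references auth.users (id),
  firm_id uuid not null,
  role    text not null check (role in ('owner', 'staff', 'client')),
  primary key (user_id, firm_id)
);

create table public.documents (
  id          uuid primary key default gen_random_uuid(),
  firm_id     uuid not null,
  owner_id    uuid not null references auth.users (id),
  storage_key text not null,
  mime_type   text not null,
  size_bytes  bigint not null,
  created_at  timestamptz not null default now(),
  -- Defence in depth behind the application's upload checks: a row can never
  -- record a file the upload handler should have rejected (assumed allow-list, 20 MB cap).
  constraint documents_size_limit
    check (size_bytes > 0 and size_bytes <= 20 * 1024 * 1024),
  constraint documents_mime_allowlist
    check (mime_type in ('application/pdf', 'image/png', 'image/jpeg', 'text/csv'))
);

create table public.audit_log (
  id          bigint generated always as identity primary key,
  firm_id     uuid not null,
  actor_id    uuid,
  action      text not null,
  document_id uuid,
  logged_at   timestamptz not null default now()
);

-- With RLS enabled nothing is visible until a policy grants it; FORCE applies the
-- policies to the table owner as well, so an over-privileged role does not bypass them.
alter table public.firm_members enable row level security;
alter table public.documents    enable row level security;
alter table public.documents    force  row level security;
alter table public.audit_log    enable row level security;

-- Users may read only their own membership rows.
create policy firm_members_select_self on public.firm_members
  for select to authenticated
  using (user_id = auth.uid());

-- Helper (assumed name): the set of firms the calling user belongs to.
-- auth.uid() is the subject of the caller's Supabase JWT.
create or replace function public.my_firm_ids()
returns setof uuid
language sql stable security definer set search_path = public as $$
  select firm_id from public.firm_members where user_id = auth.uid()
$$;

-- A member sees only documents belonging to one of their firms ...
create policy documents_select_own_firm on public.documents
  for select to authenticated
  using (firm_id in (select public.my_firm_ids()));

-- ... and may only insert rows for a firm they belong to, tagged with their own id.
create policy documents_insert_own_firm on public.documents
  for insert to authenticated
  with check (firm_id in (select public.my_firm_ids()) and owner_id = auth.uid());

-- No UPDATE or DELETE policy exists: under RLS those statements match zero rows.

-- Audit trail: every accepted upload is recorded by a trigger, so the application
-- cannot forget to log it. The log is readable by the firm's members but not writable
-- by them directly (the trigger function runs as definer).
create or replace function public.log_document_insert()
returns trigger
language plpgsql security definer set search_path = public as $$
begin
  insert into public.audit_log (firm_id, actor_id, action, document_id)
  values (new.firm_id, auth.uid(), 'upload', new.id);
  return new;
end
$$;

create trigger documents_audit_insert
  after insert on public.documents
  for each row execute function public.log_document_insert();

create policy audit_log_select_own_firm on public.audit_log
  for select to authenticated
  using (firm_id in (select public.my_firm_ids()));
```

A useful check after deploying policies like these is to connect as two test users from different firms and confirm that `select count(*) from public.documents` returns only each user's own firm's rows, that an insert with a foreign firm_id is refused, and that an oversized or disallowed-type row violates the CHECK constraints even when submitted by a legitimate member.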
What You Can Do
- Use a unique, strong password for your account (12+ characters, not reused elsewhere).
- Turn on two-factor authentication from Settings → Security → Two-Factor Authentication.
- Use the Session Settings → Auto Sign-Out toggle to log out automatically on shared devices.
- Only invite team members you trust, and remove access promptly when someone leaves.
If you suspect your account has been compromised, change your password immediately and email support — we will review the audit log with you.