Trust & Security
This page is maintained by BankToBooks to answer common security and privacy questions. It describes controls currently in place, not independent audit certifications.
Encryption
All traffic uses TLS 1.2+; certificates are auto-rotated. Uploaded files and extracted data are encrypted at rest with AES-256 by our storage provider.
Retention
Anonymous conversions are deleted within 24 hours. Signed-in users control retention from their dashboard; default is 30 days. Deletion propagates within 7 days across backups.
Compliance roadmap
SOC 2 Type II observation window began Q2 2026 with our auditor (name shared under NDA). ISO 27001 stage-1 targeted for early 2027. GDPR + CCPA processes are already in place — see the privacy policy.
Subprocessors
- Supabase (managed Postgres + storage, EU/US regions)
- Cloudflare (edge network, DDoS)
- Resend (transactional email)
- Stripe (payments)
Access control
Role-based access with row-level security on every user-scoped table. Admin actions require SSO with MFA. All employee access is logged.
Report a vulnerability
Email security@banktobooks.com. See security.txt for our coordinated-disclosure policy. Median response: 24 hours.
Data-processing addendum (DPA)
A signable DPA is available for any paying customer. Email legal@banktobooks.com to request the current version.