Trust & Security

This page is maintained by BankToBooks to answer common security and privacy questions. It describes controls currently in place, not independent audit certifications.

TLS 1.2+ everywhere
AES-256 at rest
SOC 2 Type II in progress
ISO 27001 roadmap 2026

Encryption

All traffic uses TLS 1.2+; certificates are auto-rotated. Uploaded files and extracted data are encrypted at rest with AES-256 by our storage provider.

Retention

Anonymous conversions are deleted within 24 hours. Signed-in users control retention from their dashboard; default is 30 days. Deletion propagates within 7 days across backups.

Compliance roadmap

SOC 2 Type II observation window began Q2 2026 with our auditor (name shared under NDA). ISO 27001 stage-1 targeted for early 2027. GDPR + CCPA processes are already in place — see the privacy policy.

Subprocessors

  • Supabase (managed Postgres + storage, EU/US regions)
  • Cloudflare (edge network, DDoS)
  • Resend (transactional email)
  • Stripe (payments)

Access control

Role-based access with row-level security on every user-scoped table. Admin actions require SSO with MFA. All employee access is logged.

Report a vulnerability

Email security@banktobooks.com. See security.txt for our coordinated-disclosure policy. Median response: 24 hours.

Data-processing addendum (DPA)

A signable DPA is available for any paying customer. Email legal@banktobooks.com to request the current version.