Frequently asked questions

The defense record is a structured document generated from Resoproof's append-only event log. It includes: a determination (whether the case is complete or outstanding), a full timestamped timeline of every action taken, a list of any outstanding items with fault attribution, and a hash-chain integrity proof showing the log has not been tampered with. It can be exported as a PDF or shared via a read-only tokenized link.

Staff at your firm can view and export the record from the case detail page. You can also generate a read-only share link that lets any recipient view the record without logging in — useful for sending to a refund bank, chargeback adjudicator, or legal counsel. Share links expire and can be revoked.

Yes. Resoproof integrates with Resend to send document-request emails and automatic reminder sequences from a verified sender you configure. Delivery, opens, and link clicks are tracked and written to the event log. If you prefer not to configure a real email provider, a simulate mode lets you demo the full flow without sending real mail.

Once all cadence steps are exhausted, the schedule deactivates and the item remains outstanding. The defense record reflects this accurately: the item shows as outstanding, all send attempts and non-responses are on the timeline, and fault is attributed to the client. This is often the most valuable state for a chargeback dispute.

Yes. In Settings you can set cadence days as any array of positive integers — for example [3, 7, 14] fires reminders at three, seven, and fourteen days after the initial request. Changes apply to new cases immediately; existing cadence schedules keep their current timing.

No. Clients receive a secure link containing a high-entropy token. Clicking it takes them directly to their portal — no username, no password. The token is hashed before storage, expires after 30 days by default, and can be revoked by staff at any time.

Any file type is accepted. Files are stored privately in a Supabase Storage bucket and served only via short-lived signed URLs. The raw document content never passes through the event log — only the upload event (filename, size, timestamp, item reference) is recorded there.

The append-only constraint and hash computation are enforced at the PostgreSQL trigger level, not in application code. Even a database administrator using a direct connection cannot alter or delete an event without breaking the chain — and the verify_event_chain function will detect it. The record always reports whether the chain verified cleanly.

Yes. The PDF is generated server-side with React-PDF and contains the full determination, timeline, outstanding items, and the integrity hash with verification status. It is suitable for attaching directly to a chargeback response.

No. The event log records structural facts only: what happened, when, to which item, by which actor. SSNs, EINs, and other sensitive identifiers are never written to the event log or uploads metadata. Actual document content lives only in the private storage bucket.

Every table has a firm_id column. Supabase Row Level Security policies enforce that every query is scoped to the authenticated user's firm. There is no API path that can return another firm's data, and firm IDs are never user-supplied in requests — they are always read from the server-side session.

Signing up creates your firm automatically — you do not need to configure a firm separately. From there, add a client, create a case, add items, and send the first request. The whole setup takes under five minutes.