Trust & security

Where is data hosted?

All data is stored on Supabase, hosted on AWS infrastructure. Database and file storage reside in the same region.

Who handles authentication?

Authentication is managed by Supabase Auth with secure session cookies. Passwords are hashed and never stored in plaintext.

How is firm data isolated?

Every database table is protected by Row Level Security (RLS) policies keyed by firm_id. There is no application-level code path that can read one firm's data from another — the database enforces the boundary.

How are client links secured?

Client portal links use a cryptographically random token generated server-side. The token is hashed before storage. A raw token is never stored. Brute-force is computationally infeasible given token length and entropy.

Where are uploaded documents stored?

Documents are stored in a private Supabase storage bucket. They are never publicly accessible. Access is granted only through short-lived signed URLs generated server-side on authenticated request.

Do SSNs, EINs, or other sensitive identifiers enter the event log?

No. The event log records metadata — event type, timestamps, item references, hashes — not document contents or sensitive identifiers. Documents live in storage, referenced by ID.

How is the event log protected from tampering?

UPDATE and DELETE operations on the events table are blocked by database triggers — not application code. The constraint is enforced at the database level and cannot be bypassed by application logic.

What is the hash chain?

Each event carries the SHA-256 hash of the previous event's canonical JSON representation. The head hash of the chain is included in every exported record. A reviewer can verify the chain independently — if any event was altered, the chain breaks and the record says so.

When I share a record link, what can the recipient see?

The tokenized read-only link shows the defense record: determination, timeline, outstanding items table, and integrity hash. It does not expose raw documents, client contact details, or any other case data.

How long does a shared link stay active?

Shared record links do not auto-expire by default. You can revoke them from the case detail view. Future versions will add expiry settings.

Is Resoproof HIPAA or SOC 2 compliant?

Resoproof is not currently certified under HIPAA or SOC 2. We operate on Supabase infrastructure (which has its own security posture) and follow current security best practices. Certifications are on the roadmap as the product scales.

What happens to data if I close my account?

Contact us. We will export your data in a portable format and delete your firm's records on confirmed request. Data deletion policy will be formalized in the terms of service.