Security
How ScrublyIQ protects your data, your merchants, and your business.
Data Security
- Bank statement PDFs are permanently deleted within 72 hours of upload.
- Within 72 hours, the merchant’s identity, the masked bank-account identifier, all third-party enrichment and verification results, and broker notes are permanently purged. A de-identified analysis record — date, status, risk tier, and an aggregated financial summary (monthly totals, ratios such as DSCR, the fundability score, and the underwriting narrative) — is retained for the broker’s portfolio history. The raw statement documents and transaction-level detail do not survive this window.
- Account numbers are never stored in full — only the last four digits are retained. Routing numbers are never stored.
- Raw statement text is never persisted after extraction; it exists only transiently in memory during processing.
- All uploaded statements are stored in private, encrypted Supabase storage — never on local disk and never publicly accessible. They are served only through short-lived signed URLs scoped to the authenticated broker.
- Merchant names, business locations, and all enrichment data are encrypted at rest using AES-256-GCM before database storage.
- All data is encrypted in transit using TLS (1.2 minimum; TLS 1.3 with modern clients).
- HSTS (HTTP Strict Transport Security) is enforced with a 2-year max-age and preloading.
- When bank statement text extraction requires additional processing, a temporary link that expires after 60 seconds is used. Raw PDF content and financial data are never transmitted to external services.
Access Control
- Authentication is provided by Clerk, a SOC 2 Type II certified identity provider. ScrublyIQ never stores broker passwords — credentials are managed entirely by Clerk.
- Every API endpoint requires authentication. No unauthenticated data access is possible.
- Multi-factor authentication is available and recommended for all accounts.
- Role-based access: organization administrators control member access and can suspend users with immediate session invalidation.
- All data access is scoped to the authenticated user’s account or their organization.
Fraud & Compliance Screening
- Every analysis automatically screens the merchant against the OFAC Specially Designated Nationals (SDN) list.
- PDF metadata forensics run on every uploaded statement to detect post-creation modifications.
- Statement balance reconciliation verifies mathematical consistency to detect edited transactions.
- Duplicate statement detection prevents the same file from being analyzed twice.
- Business verification data (name, address, registration number) submitted by brokers is shared with trusted verification partners including OpenCorporates, Melissa Data, UniCourt, Middesk, IRS TIN Matching, Smarty, and Google Places. Bank statement content, transaction history, account numbers, and financial records are never transmitted to any third-party service.
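As an added illustration of the balance reconciliation check described above (example code, not ScrublyIQ's own implementation), the following recomputes each running balance from the opening balance and flags any line whose printed balance disagrees; the data model, field names and sample statement are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class Txn:
    date: str
    amount: Decimal           # signed: credits positive, debits negative
    running_balance: Decimal  # balance printed on the statement after this line

@dataclass
class Statement:
    opening_balance: Decimal
    closing_balance: Decimal
    transactions: list

def reconcile(stmt: Statement) -> list:
    """Return findings; an empty list means the statement is arithmetically consistent."""
    findings = []
    expected = stmt.opening_balance
    for i, t in enumerate(stmt.transactions, start=1):
        expected += t.amount
        if expected != t.running_balance:
            findings.append(f"line {i} ({t.date}): printed balance {t.running_balance} "
                            f"differs from computed {expected}")
            expected = t.running_balance  # resync so one edited line does not cascade
    if expected != stmt.closing_balance:
        findings.append(f"closing balance {stmt.closing_balance} differs from computed {expected}")
    # Independent check: opening balance plus every amount must land on the closing balance
    total = stmt.opening_balance + sum((t.amount for t in stmt.transactions), Decimal("0"))
    if total != stmt.closing_balance:
        findings.append(f"sum of transactions gives {total}, closing balance is {stmt.closing_balance}")
    return findings

def _stmt(rows, closing):
    return Statement(Decimal("10000.00"), Decimal(closing),
                     [Txn(d, Decimal(a), Decimal(b)) for d, a, b in rows])

# Constructed sample data, not real statements.
CLEAN = _stmt([("2024-03-01", "2500.00", "12500.00"),
               ("2024-03-04", "-800.00", "11700.00"),
               ("2024-03-09", "-3200.00", "8500.00")], "8500.00")
# Same statement with the last debit edited from -3200.00 to -320.00, balances left untouched.
TAMPERED = _stmt([("2024-03-01", "2500.00", "12500.00"),
                  ("2024-03-04", "-800.00", "11700.00"),
                  ("2024-03-09", "-320.00", "8500.00")], "8500.00")

if __name__ == "__main__":
    print(reconcile(CLEAN))     # []
    print(reconcile(TAMPERED))  # two findings, both pointing at the edited debit
```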
Infrastructure
- Hosted on Vercel’s global edge network with automatic failover.
- Database hosted on Supabase PostgreSQL with encrypted automated backups for disaster recovery, purged on a rolling cycle.
- Row-Level Security (RLS) is enabled on all database tables.
- Rate limiting on all API endpoints via Upstash Redis distributed rate limiters.
- Audit logging captures all authentication events, admin actions, and data access.
Privacy
- We do not sell, rent, or share your data with third parties for marketing purposes.
- Bank statement PDFs are processed solely for the purpose of generating analysis results and are deleted within 72 hours.
- You may request deletion of your account and all associated data at any time from your account settings.
Read our full Privacy Policy.
Responsible Disclosure
- If you discover a security vulnerability, please email security@scrublyiq.com.
- We commit to acknowledging reports within 48 hours and resolving critical issues within 7 days.