Security
How ScrublyIQ protects your data, your merchants, and your business.
Data Security
- Bank statement PDFs are deleted after 3 days. Deal Card intelligence is retained permanently.
- All uploaded statements are stored in encrypted Supabase storage buckets, never on local disk.
- Merchant names and business locations are encrypted at rest using AES-256-GCM before database storage.
- All data is encrypted in transit via TLS 1.2+.
- HSTS (HTTP Strict Transport Security) is enforced with a 2-year max-age and preloading.
- When bank statement text extraction requires additional processing, a temporary link that expires after 60 seconds is used. Raw PDF content and financial data are never transmitted to external services.
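As an added illustration of the field-level encryption described above (this is example code, not ScrublyIQ's own implementation, and the key handling, record identifiers and storage layout are assumptions), the following Go program seals a single column value such as a merchant name with AES-256-GCM before it would be written to the database. The record identifier is passed as associated data so that a ciphertext copied from one row cannot be decrypted in the context of another, and every decryption failure is collapsed into one error so the caller cannot tell which check failed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-256-GCM AEAD from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one column value before it is written to the database.
// recordID is passed as associated data: it is authenticated but not encrypted,
// so a ciphertext moved to a different row fails to decrypt.
// Stored layout: base64( nonce || ciphertext || tag ), suitable for a text column.
func encryptField(key []byte, recordID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes for GCM, fresh per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField reverses encryptField. Wrong key, wrong recordID, and truncated
// or modified ciphertext are all reported as the same error.
func decryptField(key []byte, recordID, stored string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", errors.New("decryption failed")
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("decryption failed")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
	if err != nil {
		return "", errors.New("decryption failed")
	}
	return string(plain), nil
}

func main() {
	// Constructed demo key; a real deployment loads it from a secret store or KMS.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	stored, err := encryptField(key, "merchant-0001", "Acme Coffee LLC") // constructed sample row
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	name, err := decryptField(key, "merchant-0001", stored)
	fmt.Println("decrypted:", name, err)
	_, err = decryptField(key, "merchant-0002", stored) // same ciphertext, different row
	fmt.Println("cross-row decrypt:", err)
}
```

Because the nonce is random per value, two rows with the same merchant name produce different ciphertexts, so the encrypted column cannot be used for equality matching; any lookup by merchant name has to be designed separately (for example, over a keyed hash of the normalised name), which this example deliberately does not attempt.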
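The HSTS claim above (2-year max-age with preloading) is one a reviewer can verify directly from the response header. The Go program below, added here as an example and not part of ScrublyIQ's code, parses a Strict-Transport-Security header value, checks it against that policy, and also flags a missing includeSubDomains directive, which the browser preload list requires alongside preload. The header values it is run on are constructed samples.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// twoYears is the max-age this page states, in seconds.
const twoYears = 2 * 365 * 24 * 3600 // 63072000

// HSTSReport summarises what a Strict-Transport-Security value declares.
type HSTSReport struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
	Problems          []string
}

// OK reports whether the header met every check.
func (r HSTSReport) OK() bool { return len(r.Problems) == 0 }

// checkHSTS parses a value such as "max-age=63072000; includeSubDomains; preload".
// Directive names are case-insensitive; max-age may be quoted per the RFC grammar.
func checkHSTS(value string) HSTSReport {
	r := HSTSReport{}
	seenMaxAge := false
	for _, part := range strings.Split(value, ";") {
		d := strings.TrimSpace(part)
		if d == "" {
			continue
		}
		name, val, hasVal := strings.Cut(d, "=")
		switch strings.ToLower(strings.TrimSpace(name)) {
		case "max-age":
			if !hasVal {
				r.Problems = append(r.Problems, "max-age has no value")
				continue
			}
			n, err := strconv.ParseInt(strings.Trim(strings.TrimSpace(val), `"`), 10, 64)
			if err != nil || n < 0 {
				r.Problems = append(r.Problems, "max-age is not a non-negative integer")
				continue
			}
			r.MaxAge = n
			seenMaxAge = true
		case "includesubdomains":
			r.IncludeSubDomains = true
		case "preload":
			r.Preload = true
		default:
			r.Problems = append(r.Problems, "unknown directive: "+strings.TrimSpace(name))
		}
	}
	if !seenMaxAge {
		r.Problems = append(r.Problems, "max-age directive missing; browsers ignore the header")
	} else if r.MaxAge < twoYears {
		r.Problems = append(r.Problems, fmt.Sprintf("max-age %d is below two years (%d)", r.MaxAge, twoYears))
	}
	if !r.IncludeSubDomains {
		r.Problems = append(r.Problems, "includeSubDomains missing (required for the preload list)")
	}
	if !r.Preload {
		r.Problems = append(r.Problems, "preload directive missing")
	}
	return r
}

func main() {
	// Constructed sample header values: one matching the stated policy, one weak.
	for _, v := range []string{
		"max-age=63072000; includeSubDomains; preload",
		"max-age=300",
	} {
		rep := checkHSTS(v)
		fmt.Printf("%q -> ok=%v problems=%v\n", v, rep.OK(), rep.Problems)
	}
}
```

In practice the value is taken from the live response (for example the Strict-Transport-Security header returned by an HTTPS request to the site) and passed to checkHSTS; the header must be served on the HTTPS origin itself, since browsers ignore HSTS delivered over plain HTTP.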
Access Control
- Authentication is provided by Clerk, a SOC 2 Type II certified identity provider.
- Every API endpoint requires authentication. No unauthenticated data access is possible.
- Multi-factor authentication is available and recommended for all accounts.
- Role-based access: organization administrators control member access and can suspend users with immediate session invalidation.
- All data access is scoped to the authenticated user’s account or their organization.
Fraud & Compliance Screening
- Every analysis automatically screens the merchant against the OFAC Specially Designated Nationals (SDN) list.
- PDF metadata forensics run on every uploaded statement to detect post-creation modifications.
- Statement balance reconciliation verifies mathematical consistency to detect edited transactions.
- Duplicate statement detection prevents the same file from being analyzed twice.
- Business verification data (name, address, registration number) submitted by brokers is shared with trusted verification partners including OpenCorporates, Melissa Data, UniCourt, Middesk, IRS TIN Matching, Smarty, and Google Places. Bank statement content, transaction history, account numbers, and financial records are never transmitted to any third-party service.
Infrastructure
- Hosted on Vercel’s global edge network with automatic failover.
- Database hosted on Supabase PostgreSQL with automated nightly backups retained for 90 days.
- Row-Level Security (RLS) is enabled on all database tables.
- All API endpoints are rate limited using Upstash Redis distributed rate limiters.
- Audit logging captures all authentication events, admin actions, and data access.
Privacy
- We do not sell, rent, or share your data with third parties for marketing purposes.
- Bank statement PDFs are processed solely for the purpose of generating analysis results and are deleted within 3 days.
- You may request deletion of your account and all associated data at any time from your account settings.
Read our full Privacy Policy.
Responsible Disclosure
- If you discover a security vulnerability, please email security@scrublyiq.com.
- We commit to acknowledging reports within 48 hours and resolving critical issues within 7 days.