Security
Last updated: 2026-04-30
ibookk handles financial and tax-sensitive data. We design every layer assuming a single mistake could expose customer information and treat it accordingly.
Data in transit
All traffic between your browser and ibookk runs over TLS 1.2 or higher. The marketing site, the application, and every webhook endpoint reject plain HTTP. Public traffic flows through Cloudflare with HSTS enforced.
Data at rest
Customer data lives in Supabase (Postgres) with AES-256 disk-level encryption. Backups are encrypted with the same key class. Service-role keys, Stripe keys, and AI provider keys are kept in environment variables, not in source code or version control.
Tenant isolation
Every customer-facing table has Postgres Row-Level Security (RLS) policies that scope rows to the authenticated user's organization. The service-role client (used by server actions) explicitly filters by entity_id and organization_id in every query. We audit RLS coverage as part of every schema migration.
Authentication
Supabase Auth handles email/password sign-in. Passwords are bcrypt-hashed by Supabase. Sessions are httpOnly secure cookies with SameSite=Lax. Two-factor authentication and SSO land alongside the M5 release.
AI providers
Receipt OCR, IRS-notice analysis, and response-letter drafting use Anthropic Claude. Brief tax-strategy summaries optionally use Google Gemini. Both providers operate under API agreements that prohibit training on customer inputs. We never send Social Security Numbers, bank credentials, or unredacted tax-ID numbers to any AI provider; we send only the minimum context required for the requested task.
Webhooks
Inbound webhooks (Shopify, Stripe) are validated with HMAC signatures using a constant-time compare before any payload is parsed. Unsigned or mismatched payloads are rejected with 401 and never logged.
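The check described above, as an added example (not ibookk's own code): it verifies a Shopify-format and a Stripe-format signature over the raw request bytes and parses JSON only after the constant-time comparison succeeds. The function names, secret, body and timestamp are constructed for illustration.

```javascript
// Added example; safeEqual, verifyShopify, verifyStripe and handle are hypothetical names.
const crypto = require("node:crypto");

// timingSafeEqual throws on unequal lengths, so compare lengths first.
function safeEqual(a, b) {
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Shopify: X-Shopify-Hmac-Sha256 = base64(HMAC-SHA256(secret, raw body)).
function verifyShopify(rawBody, header, secret) {
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  return safeEqual(expected, Buffer.from(String(header || ""), "base64"));
}

// Stripe: Stripe-Signature = "t=<unix>,v1=<hex>", signed over "<t>.<raw body>".
function verifyStripe(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const parts = String(header || "").split(",").map((kv) => kv.split("="));
  const t = (parts.find(([k]) => k === "t") || [])[1];
  // Reject missing or stale timestamps so a captured request cannot be replayed later.
  if (!/^\d+$/.test(t || "") || Math.abs(nowSec - Number(t)) > toleranceSec) return false;
  const expected = crypto.createHmac("sha256", secret)
    .update(`${t}.`).update(rawBody).digest();
  // Any v1 entry may match (several can be present while a secret is rolled).
  return parts.filter(([k]) => k === "v1")
    .some(([, sig]) => safeEqual(expected, Buffer.from(sig || "", "hex")));
}

// Verify the raw bytes first; JSON.parse runs only on authenticated input.
function handle(source, rawBody, header, secret, nowSec) {
  const ok = source === "shopify"
    ? verifyShopify(rawBody, header, secret)
    : verifyStripe(rawBody, header, secret, nowSec);
  return ok ? { status: 200, event: JSON.parse(rawBody.toString("utf8")) }
            : { status: 401 };
}

// Constructed sample: secret, body and timestamp are made up for this demo.
const SECRET = "whsec_constructed_example";
const BODY = Buffer.from('{"id":"evt_constructed","type":"invoice.paid"}');
const NOW = 1700000000;
const hmac = (data, enc) => crypto.createHmac("sha256", SECRET).update(data).digest(enc);
const SHOPIFY_HEADER = hmac(BODY, "base64");
const STRIPE_HEADER = `t=${NOW},v1=${hmac(`${NOW}.${BODY}`, "hex")}`;
```

The body must reach these functions as the exact bytes received; re-serializing parsed JSON before hashing changes the bytes and makes valid signatures fail.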
Auditability
Every change to a tax recommendation, IRS-notice draft, or compliance obligation records a timestamp, the actor, and (when applicable) the model version. Customers can export their full audit trail via Settings.
Disclosure policy
Found a vulnerability? Email [email protected]. We respond within 2 business days and treat reports under safe-harbor terms — no legal action against good-faith security research that respects user privacy.