Trust & Safety

Security at
BookBalance.io

Your financial data is sensitive. Here is exactly how we protect it, who can access it, and what we do when something goes wrong.

Last updated March 2026
On this page
  1. Infrastructure & Hosting
  2. SOC 2 Certification
  3. Encryption
  4. Access Controls
  5. Shared Responsibility
  6. Your Data
  7. Book990 App Security
  8. Incident Response
  9. Common Questions
  10. Contact Us
🔒

Encrypted in Transit

All data between your browser and our servers is encrypted via TLS 1.2 or higher. We enforce HTTPS on every endpoint.

🏦

Isolated Storage

Each user's data is logically isolated using row-level security. No user can access another user's records.

🌍

SOC 2 Infrastructure

Our cloud infrastructure runs on Supabase and Vercel, both of which maintain SOC 2 Type II certifications.

SOC 2 Certification

Built on SOC 2 Type 2
Certified Infrastructure

BookBalance.io stores and processes all data on Supabase, a cloud infrastructure provider that holds SOC 2 Type 2 certification -- the highest level of independent security audit for cloud platforms, conducted by a third-party auditor every year.

Infrastructure
SOC 2
Type 2 · Annual Audit
Powered by Supabase

What this means for your organization

SOC 2 Type 2 is not a one-time snapshot. An independent auditor reviews Supabase's controls over time and confirms they meet the Trust Services Criteria -- covering security, availability, processing integrity, confidentiality, and privacy. The audit repeats annually.

This means the infrastructure your nonprofit's financial data sits on is independently verified, not just self-certified.

View Supabase security documentation →

Important distinction: Supabase's SOC 2 certification covers the infrastructure layer -- the servers, storage, and network. BookBalance.io has not independently completed its own SOC 2 audit. We are transparent about this. If your board or auditor requires a SOC 2 report, contact us and we will provide Supabase's compliance documentation and a written summary of our own controls.

Section 1

Infrastructure & Hosting

BookBalance.io and the Book990 application are hosted on Vercel's global edge network. All application data is stored in Supabase, a managed Postgres database platform hosted on AWS in the US East (Northern Virginia) region.

Both Vercel and Supabase maintain SOC 2 Type II compliance, ISO certifications, and enterprise-grade physical security at their data centers. We do not operate our own servers or data centers.

Vercel — Edge network, DDoS protection, automatic TLS certificate provisioning
Supabase — Managed Postgres on AWS, automated backups, SOC 2 Type II, point-in-time recovery
No self-hosted servers — We rely exclusively on enterprise-grade managed infrastructure
Section 2

Encryption

All data transmitted between your browser and our services is encrypted using TLS 1.2 or higher. We do not support older, insecure protocols such as SSLv3 or TLS 1.0.

Data stored in our database is encrypted at rest by Supabase using AES-256. Database backups are also encrypted at rest and retained for point-in-time recovery.

Passwords are never stored in plain text. User authentication is handled entirely by Supabase Auth, which uses bcrypt hashing. We never have access to your raw password at any point.

Section 3

Access Controls

Access to your data is enforced at the database level using Postgres Row Level Security (RLS). Every query against the database includes a user-scoped policy that prevents any user from reading or writing records that do not belong to them.

Row Level Security — Every table in our database has RLS enabled. Policies are enforced at the Postgres level, not just the application layer.
Least-privilege API keys — Our client-side application uses a restricted anon key. It cannot access any data without a valid authenticated user session.
Internal access — BookBalance staff access to the database is limited to named administrators. Access is logged and audited.
No shared credentials — Each administrator uses their own unique credentials. Shared passwords are prohibited.
Section 3b

Shared Responsibility

Security is a joint effort. Here is a clear breakdown of what BookBalance.io handles and what remains in your organization's control.

AreaBookBalance.ioYour Organization
Infrastructure security SOC 2 Type 2 certified via SupabaseNo action required
Data encryption (transit + rest) Handled automaticallyNo action required
Row-level data isolation Enforced at database levelNo action required
Account credentialsSecure storage, never plain text Use a strong unique password
User access managementRole-based permissions enforced Remove access when staff leave
Data accuracyValidation rules and compliance checks Review and approve entries
Device securitySessions expire on inactivity Lock devices, use trusted networks
Section 4

Your Data

We collect only the information necessary to provide our services. We do not sell, rent, or share your data with third parties for advertising or marketing purposes. See our Privacy Policy for a full description of what we collect and why.

Data portability — You can export your data at any time by contacting support@bookbalance.io.
Deletion on request — If you close your account, we will delete your data within 30 days of your written request.
No data brokering — We do not sell or share your financial information with data brokers, advertisers, or other third parties.
Backups — Your data is backed up daily by Supabase with point-in-time recovery available up to 7 days.
Section 5

Book990 App Security

Book990 is a web application for preparing Form 990 data. It is deployed at app.bookbalance.io as a separate, isolated application from the marketing site.

Authentication required — Every screen inside Book990 requires a verified user session. There is no unauthenticated access to any form data.
Email confirmation — New accounts require email verification before access is granted to the application.
Session management — Sessions expire automatically. Users are signed out after periods of inactivity.
No IRS transmission — Book990 is a data preparation and organization tool only. It does not file with the IRS or transmit your 990 data to any government system.
Auto-save encryption — All auto-saved data is transmitted over TLS and stored in your encrypted, RLS-protected user record.
Section 6

Incident Response

In the event of a security incident that affects your data, we will notify affected users by email within 72 hours of becoming aware of the incident. Our notification will describe what happened, what data was affected, what we have done to address it, and what steps you can take to protect yourself.

If you discover a security vulnerability in our products, we ask that you report it to us privately before disclosing it publicly. We are committed to investigating all reports promptly.

To report a security vulnerability, email support@bookbalance.io. Please include a description of the issue, steps to reproduce it, and your contact information. We will acknowledge receipt within 48 hours.

Common Questions

Security questions answered.

Is BookBalance.io itself SOC 2 certified?
BookBalance.io is not independently SOC 2 certified. Our infrastructure provider, Supabase, holds SOC 2 Type 2 certification. The servers, storage, and network your data runs on are audited annually -- but the certification belongs to Supabase, not to us. We are transparent about this distinction.
Can my board or auditor request information about our data handling?
Yes. Email support@bookbalance.io and we will provide a written summary of our data handling practices, infrastructure certifications, and data retention policies suitable for board review or audit documentation.
Where is my data stored geographically?
Your data is stored in Supabase's US East (Northern Virginia) data center on AWS. We do not store data on servers outside the United States.
Who inside BookBalance.io can access my data?
Only authorized team members with a documented business need can access production data, through authenticated and logged access. We do not access client data for sales, marketing, or any purpose other than providing or troubleshooting the service.
What happens to my data if I cancel?
Your data remains in our system for 30 days following account closure, during which you can request a full export. After that period, data is permanently deleted. We do not sell or transfer client data under any circumstance.
Is my financial data used to train AI models?
No. Your financial data is never used for AI training, product analytics, or any purpose unrelated to delivering the service to your organization.
Section 7

Questions & Contact

If you have questions about our security practices that are not answered here, please reach out. We are a small team and we take these matters seriously.

💬

General support

For account issues, data requests, and general questions:

support@bookbalance.io