Trust Center
How WriteupOS protects your firm's data and your clients' transactions.
Last updated: April 16, 2026
At a Glance
Encryption everywhere
AES-256 at rest, TLS 1.3 in transit. Your data is encrypted at every layer.
Database-level isolation
Row-Level Security ensures Firm A cannot see Firm B's data, ever.
SOC 2 compliant infrastructure
Built on Supabase, Vercel, Clerk, Stripe, Anthropic — all SOC 2 Type II.
Zero AI training
Anthropic ZDR enabled. Your client data is never used to train models.
§7216 ready
Designed to support preparers' Section 7216 compliance obligations.
Audit trail of everything
Every access, edit, and payment is logged for 7 years.
Certifications & Compliance
| Standard | Status | Details |
|---|---|---|
| SOC 2 | In Preparation | Pre-audit readiness via infrastructure provider compliance. Targeting Type I in next 12 months as revenue justifies. |
| PCI DSS | Out of Scope | WriteupOS does not store, process, or transmit cardholder data. All payment processing is handled by Stripe (PCI DSS Level 1 certified). |
| HIPAA | N/A | — |
| GDPR | Principles Followed | Not formally certified. We honor data subject rights including access, correction, and deletion. |
| CSA STAR | Self-Assessment Published | CAIQ-Lite self-assessment available below. |
Encryption
At Rest
AES-256 encryption via Supabase (managed PostgreSQL).
Backups: Encrypted. Per Supabase default — point-in-time recovery available.
In Transit
TLS 1.3. All connections to writeupos.com and all internal API calls.
Access Control & Multi-Tenancy
Every database query is filtered by your firm ID. Even if there were a bug in our application code, the database itself enforces the boundary:
- Row-Level Security (RLS) policies on every table containing firm data.
- Migration 042 tightened all RLS to firm_id-scoped conditions.
- Defense in depth: service_role bypasses RLS at the database layer, but apiGuard() enforces firm scoping at every API boundary.
Authentication: Clerk (SOC 2 Type II certified). MFA available for end users. Session management, password requirements, and account recovery all handled by Clerk.
Audit logging: Every access, edit, payment, and security event logged to security_audit_log table. Retained for 7 years.
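The two claims above (firm_id-scoped RLS on every firm table, and every edit landing in security_audit_log) are easiest to evaluate against concrete SQL. The block below is an added illustration for PostgreSQL/Supabase, not WriteupOS's schema or its migration 042. The transactions table, the firm_id column, the security_audit_log columns, the firm_id and sub JWT claims, and the authenticated role are assumptions; the request.jwt.claims setting and the BYPASSRLS behaviour of service_role are standard Supabase/PostgreSQL behaviour.

```sql
-- Added illustration (hypothetical schema, not WriteupOS's own migration):
-- firm-scoped Row-Level Security plus an append-only audit trail.

CREATE TABLE IF NOT EXISTS transactions (
  id           bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  firm_id      uuid NOT NULL,            -- tenant boundary (assumed column name)
  description  text NOT NULL,
  amount_cents bigint NOT NULL
);

-- Reads the firm id from the JWT claims that PostgREST/Supabase expose via the
-- request.jwt.claims setting. Returns NULL when the claim is absent, so every
-- policy below evaluates to "no rows" rather than "all rows".
CREATE OR REPLACE FUNCTION current_firm_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('request.jwt.claims', true)::jsonb ->> 'firm_id', '')::uuid
$$;

-- Enable RLS and FORCE it so the table owner is subject to the policies too.
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- Remove any permissive catch-all policy before adding the scoped ones.
DROP POLICY IF EXISTS allow_all ON transactions;

-- One policy per command. USING filters what can be read or touched;
-- WITH CHECK rejects writes that would create or move a row into another firm.
CREATE POLICY firm_select ON transactions FOR SELECT
  USING (firm_id = current_firm_id());
CREATE POLICY firm_insert ON transactions FOR INSERT
  WITH CHECK (firm_id = current_firm_id());
CREATE POLICY firm_update ON transactions FOR UPDATE
  USING (firm_id = current_firm_id())
  WITH CHECK (firm_id = current_firm_id());
CREATE POLICY firm_delete ON transactions FOR DELETE
  USING (firm_id = current_firm_id());

-- Audit trail: written by a SECURITY DEFINER trigger so callers need no direct
-- INSERT privilege on the log and cannot forge or remove entries themselves.
CREATE TABLE IF NOT EXISTS security_audit_log (
  id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  occurred_at timestamptz NOT NULL DEFAULT now(),
  firm_id     uuid,
  actor       text,                      -- JWT "sub" claim (assumed)
  action      text NOT NULL,             -- INSERT / UPDATE / DELETE
  row_id      bigint
);

CREATE OR REPLACE FUNCTION log_transaction_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
  INSERT INTO security_audit_log (firm_id, actor, action, row_id)
  VALUES (
    CASE TG_OP WHEN 'DELETE' THEN OLD.firm_id ELSE NEW.firm_id END,
    current_setting('request.jwt.claims', true)::jsonb ->> 'sub',
    TG_OP,
    CASE TG_OP WHEN 'DELETE' THEN OLD.id ELSE NEW.id END
  );
  RETURN COALESCE(NEW, OLD);
END $$;

CREATE TRIGGER transactions_audit
  AFTER INSERT OR UPDATE OR DELETE ON transactions
  FOR EACH ROW EXECUTE FUNCTION log_transaction_change();

-- Verification in psql: impersonate a Firm A user and confirm the boundary
-- holds even for a query that forgets its WHERE firm_id clause.
-- (Assumes the authenticated role has been granted access to the table.)
BEGIN;
  SET LOCAL ROLE authenticated;
  SET LOCAL request.jwt.claims = '{"sub":"user_a","firm_id":"11111111-1111-1111-1111-111111111111"}';
  SELECT id, firm_id, description FROM transactions;   -- only Firm A rows
  INSERT INTO transactions (firm_id, description, amount_cents)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-firm write', 100);
  -- expected: ERROR: new row violates row-level security policy
ROLLBACK;

-- Caveat check: roles with BYPASSRLS or superuser ignore every policy above.
-- In Supabase that includes service_role, which is why RLS must be paired with
-- an application-layer firm check on each API boundary. Audit who bypasses:
SELECT rolname FROM pg_roles WHERE rolbypassrls OR rolsuper;
```

Two points a reviewer would check against this pattern: FORCE ROW LEVEL SECURITY only binds the table owner, not BYPASSRLS roles, so the last query is the quickest way to enumerate which connections RLS does not protect; and a NULL-returning claim helper fails closed, whereas a policy written as `firm_id = current_setting(...)::uuid` without NULLIF would raise on an empty claim and leak nothing but would also break legitimate unauthenticated paths.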
Data Handling
CSV Files
Uploaded CSV files are parsed in memory and immediately discarded. We do not retain the original file.
PDF Files
Uploaded PDF files are sent to DocuClipper for OCR extraction, then discarded. DocuClipper's data handling is governed by their own SOC 2 Type II policy.
Transaction Data
Stored in encrypted Supabase database, scoped to the uploading firm via RLS. Available for export or deletion at any time via Settings > Data Management.
Bank Account Numbers
Stripped from CSV transaction descriptions during import. We do not retain account numbers in any form.
AI Processing
Transaction descriptions sent to Anthropic Claude API for categorization. Anthropic Zero Data Retention is enabled at the organization level — Anthropic does not store transaction data and does not use it for model training.
Server Logs
Retained 90 days, then automatically purged.
Analytics
Google Analytics — only loaded after explicit cookie consent. No transaction data is sent to Google. Aggregate event counts only.
Deletion
Self-service deletion at Settings > Data Management. Account-level deletion request fulfilled within 30 days.
Sub-Processors
These third-party services process data on behalf of WriteupOS. For a standalone PDF version, download the Sub-Processor List.
| Sub-processor | Purpose | Data Access | Certifications | Region |
|---|---|---|---|---|
| Supabase | Database hosting (PostgreSQL) | All firm and transaction data, encrypted at rest | SOC 2 Type II | United States |
| Vercel | Application hosting | Web traffic metadata (IP, headers). No transaction content cached. | SOC 2 Type II | United States |
| Clerk | Authentication | User credentials, session data. No client transaction data. | SOC 2 Type II | United States |
| Stripe | Payment processing and subscription billing | Payment method, billing details, subscription information (tier, renewal dates, billing history). No client transaction data. | PCI DSS Level 1, SOC 2 Type II | United States |
| Anthropic | AI categorization (Claude API) | Transaction descriptions only (e.g., 'SYSCO FOODS #4521 $347.22'). Zero Data Retention enabled — not stored, not used for training. | SOC 2 Type II | United States |
| DocuClipper | PDF bank statement OCR | Uploaded PDF content during processing only. May include client name and account number as printed on statement. | SOC 2 Type II | United States |
| Resend | Transactional email | Recipient email address, email content (notification copy). No transaction data. | SOC 2 Type II | United States |
| Google Analytics | Website analytics (consent-gated) | Aggregate page views, session metadata. No PII or transaction data. | ISO 27001 | United States |
For Tax Preparers
IRC Section 7216
WriteupOS is a third-party processor under IRC §7216. Tax preparers using WriteupOS to process client transaction data should obtain client consent in accordance with §7216 and Treasury Regulations §301.7216-3. We provide a downloadable §7216 consent template (see Documents below).
Circular 230
WriteupOS is a categorization assistant. The tax preparer remains responsible for reviewing every categorization and for the accuracy of the final return, consistent with Circular 230 due diligence standards.
IRS Publication 4557
We have implemented administrative, technical, and physical safeguards consistent with IRS Publication 4557 'Safeguarding Taxpayer Data' — including written information security plan elements, encryption, access controls, audit logging, and incident response procedures.
Gramm-Leach-Bliley Act
WriteupOS recognizes that tax preparers are 'financial institutions' under the Gramm-Leach-Bliley Act Safeguards Rule. We provide encryption, access control, and breach notification procedures designed to support preparers' GLBA compliance obligations.
California Automatic Renewal Law
WriteupOS's annual subscription program is designed to comply with California's Automatic Renewal Law (Cal. Bus. & Prof. Code §17600 et seq., as amended effective July 1, 2025). We provide clear and conspicuous disclosure of subscription terms before checkout, obtain express affirmative consent to recurring charges, send acknowledgment emails after subscription activation, provide a 15-day pre-renewal reminder, and offer one-click online cancellation through the Stripe Billing Portal — the same medium used to subscribe. Records of subscription consent (terms version and acceptance timestamp) are retained for at least three years after termination. Relevant to firms whose team members include California residents.
Incident Response & Vulnerability Disclosure
Detection: Anomalous access logging, rate limit alerts, security audit log review.
Breach notification: If a breach affecting firm data occurs, we will notify affected firms by email without unreasonable delay, in accordance with applicable state breach notification laws, which vary based on the residence of affected individuals. Notification will describe the nature of the breach, the types of data involved, remediation steps taken, and guidance regarding your obligations to notify affected clients under IRS regulations and applicable state law.
Responsible Disclosure
Security researchers may report vulnerabilities to security@writeupos.com. We commit to acknowledging reports within 2 business days and will not pursue legal action against good-faith researchers who comply with our disclosure policy.
Business Resilience
Uptime: Vercel + Supabase managed infrastructure with automatic failover within their service regions.
Backups: Database backups via Supabase's built-in point-in-time recovery (PITR).
RTO/RPO: Best-effort recovery — formal RTO/RPO commitments will be added with SOC 2 Type I.
Documents
Security Overview
4-page summary for procurement teams
§7216 Consent Template
Client consent form for tax preparers
Data Processing Agreement
Standard DPA for firms requiring a signed agreement
Sub-Processor List
Standalone list for vendor approval workflows
CAIQ-Lite Self-Assessment
Cloud Security Alliance questionnaire response
Vulnerability Disclosure Policy
How to report security vulnerabilities
Questions?
Procurement question? Compliance review? We respond within 2 business days.
security@writeupos.com · (240) 981-9661 · 8401 Mayland Dr #10381, Richmond, VA 23294