SECURITY
We are built to hold as little of your sensitive data as possible.
This page describes what ResidencyIQ does today, plainly, including where our security program is still incomplete. Where something is on the roadmap rather than live, we say so.
The pointer + fingerprint model
Your documents can stay where they already are: your Google Drive, your Dropbox, your CPA’s office. Instead of taking custody of the file, ResidencyIQ can store a reference to where it lives and a cryptographic fingerprint (SHA-256) of the details you provide about it.
Live today
Reference-level fingerprinting.
When you log a document by reference (its storage provider, location, and the details you enter about it) instead of uploading it, we compute a SHA-256 fingerprint of that reference record and timestamp it. This proves what you asserted, and when, without our ever holding the file.
On the roadmap, not live yet
Content-level fingerprinting.
Fingerprinting the actual bytes of a file you link from Google Drive or Dropbox, so we can prove the document’s content itself hasn’t changed and not just that you referenced it, requires a direct integration (Drive Picker, Dropbox API) we have not shipped yet. Until it ships, treat today’s fingerprint as evidence of what was asserted and when, not as proof the linked file’s contents are unaltered.
Tamper-evidence
A fingerprint is only as trustworthy as the clock it’s attached to. If the only record of when a fingerprint was created lives in our own database, you’re trusting us not to have altered it. That’s a real limitation, and we’d rather name it than gloss over it.
Live today
Fingerprint + timestamp, in our system of record.
Every evidence fingerprint is stored with a creation timestamp in our production database, protected by the access controls and encryption described below.
Live today
Independent, blockchain-anchored timestamping.
Nightly, we aggregate new evidence fingerprints into a Merkle tree and anchor the resulting root to two independent timestamp services: OpenTimestamps (blockchain-anchored) and an RFC 3161 timestamp authority. Neither we nor you can silently backdate or alter a record after that point. Every year-end report includes a verification link, so anyone, including your CPA or an auditor, can check it independently.
Infrastructure and Vendors
What we run on, and who we trust it to.
Encryption in transit
All traffic to residencyiq.app is served over TLS.
Encryption at rest
Application data is stored in a managed Postgres database (Render) with encryption at rest.
Authentication
Clerk, a SOC 2 Type II–audited identity provider. We do not store your password.
Payments
Stripe, a PCI-DSS Level 1 certified payment processor. We never see or store your full card number.
Hosting
Render.
Bank connections (planned, not yet live)
When available, bank and card transaction data will connect read-only through Plaid’s standard token-exchange flow. We will never receive or store your banking credentials.
Compliance Roadmap
Where we stand, without the badges we haven’t earned.
SOC 2
Not started
We have not engaged an auditor and have no SOC 2 report today. A formal audit is on our roadmap as ResidencyIQ scales past early access; we will update this page the day that changes, not before.
FTC Safeguards Rule
Self-assessed program
We are not a financial institution, but we design our administrative, technical, and physical safeguards to align with the Safeguards Rule’s risk-based standard. This is a self-assessment, not a third-party certification.
CCPA / CPRA sensitive data rights
Live today
Precise geolocation is treated as Sensitive Personal Information for every user, with a working Limit-the-Use request path.
Your data, on your terms
Export your evidence and records from your workspace at any time. If you cancel your subscription, you have 90 days to complete an export before evidence records become subject to deletion under our retention schedule.
You can also request deletion of your evidence records earlier than our standard retention period. We’ll walk you through the consequences first: deleted evidence can’t be reconstructed if a state later audits a tax year that record would have supported, so we’ll ask you to confirm you understand before we proceed.
Read our full retention and deletion policy →Found a security issue?
If you believe you’ve found a vulnerability in ResidencyIQ, please report it to us directly before disclosing it publicly. We will acknowledge your report and work with you in good faith to understand and address it.
security@residencyiq.app
Disclaimer
ResidencyIQ is not a law firm, CPA firm, or tax advisor, and this page is not a security certification, audit report, or legal representation. It describes our current practices as of the date this page was last updated and will be revised as our infrastructure and compliance program change.

