Security at ReturnBooks
ReturnBooks is private business recordkeeping software. This page describes the controls we have today, what is on the roadmap, and what ReturnBooks deliberately does not do.
Last updated: May 2026 · Pre-launch draft. Not legal advice.
Overview
ReturnBooks is built so that each company's records are isolated from every other company. Authentication is required for the app, file uploads land in a private bucket scoped to your company, and the app never exposes long-lived public links to your files.
Account and authentication
- Sign-in uses email and password backed by an established authentication provider.
- Passwords are never stored in plain text by ReturnBooks. Password resets go through a verified email link.
- Every protected page checks the session before rendering and redirects unauthenticated users to sign in.
Company-scoped data with row-level security
Every record table — receipts, statements, invoices, income, expenses, payroll documents, categories — carries a company identifier. Reads and writes are filtered by that identifier using row-level security policies enforced at the database layer. Server actions re-check the caller's company on every authenticated write, so even an authenticated user from one company cannot reach another company's rows.
Private file storage
- Uploaded files live in a private storage bucket. There is no public listing and no public link.
- File paths are scoped per company so a file cannot be moved outside its company by URL manipulation.
- When you open a file in the app, the server generates a short-lived signed URL that only your authenticated session can use. The URL expires quickly and cannot be shared as a permanent link.
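The following is an added illustration of the signed-URL pattern described above; it is not ReturnBooks' own code and does not reflect its actual implementation. It assumes a hypothetical storage layout where every object path begins with the owning company's identifier ("<companyId>/<fileName>"), a signing key that exists only on the server, and a session object carrying the authenticated user's id and company. Minting refuses any path outside the caller's company, the signature covers the user id so the link fails for anyone else's session, and verification rejects expired or altered URLs. All names, the key, and the sample paths are constructed for this example.

```typescript
// Added example, not ReturnBooks' code: short-lived, company-scoped signed
// URLs for files in a private bucket. Names and the key are hypothetical.
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed secret; in practice this lives in server-only configuration.
const SIGNING_KEY = "server-only-secret-constructed-for-this-example";
const DEFAULT_TTL_SECONDS = 60;

export interface Session { userId: string; companyId: string; }

// Returns the company segment of a storage path such as "acme/receipts/1.pdf",
// or null for malformed paths (too short, or containing ".." segments).
export function companyOfPath(path: string): string | null {
  const parts = path.split("/").filter(Boolean);
  if (parts.length < 2 || parts.some(p => p === "." || p === "..")) return null;
  return parts[0];
}

// HMAC-SHA256 over (userId, path, expiry) so a URL is bound to one session.
function signature(userId: string, path: string, exp: number): string {
  return createHmac("sha256", SIGNING_KEY)
    .update(`${userId}\n${path}\n${exp}`)
    .digest("hex");
}

// Mints a signed URL only when the path belongs to the caller's company.
// nowSec is injected so expiry behaviour is deterministic and testable.
export function mintSignedUrl(
  session: Session, path: string, nowSec: number, ttlSec = DEFAULT_TTL_SECONDS,
): string | null {
  const owner = companyOfPath(path);
  if (owner === null || owner !== session.companyId) return null; // cross-company or bad path
  const exp = nowSec + ttlSec;
  return `/files/${path}?exp=${exp}&sig=${signature(session.userId, path, exp)}`;
}

// Verifies a URL produced by mintSignedUrl for the presenting session.
// Returns the storage path on success, or null if the URL is malformed,
// expired, belongs to another company, or was tampered with.
export function verifySignedUrl(session: Session, url: string, nowSec: number): string | null {
  const m = /^\/files\/(.+)\?exp=(\d+)&sig=([0-9a-f]{64})$/.exec(url);
  if (!m) return null;
  const [, path, expStr, sig] = m;
  const exp = Number(expStr);
  if (!Number.isFinite(exp) || nowSec >= exp) return null;           // expired
  if (companyOfPath(path) !== session.companyId) return null;        // re-check scope on use
  const expected = Buffer.from(signature(session.userId, path, exp), "hex");
  const given = Buffer.from(sig, "hex");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return path;
}
```

The expiry and the caller's session are both inputs to the check rather than ambient state, which makes the refusal paths (expired, wrong company, tampered query string) easy to exercise in tests and keeps the signing key out of any response sent to the browser.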
Bank connections (read-only)
- Connecting a bank is optional. ReturnBooks uses Plaid for read-only transaction import and never receives or stores your bank login credentials — Plaid handles the sign-in.
- The read-only access token Plaid issues is stored encrypted on the server, never shipped to the browser, and never logged.
- When you disconnect, ReturnBooks asks Plaid to remove our access (item/remove) where supported, deletes the stored access token, and stops future syncing.
- We keep data only as long as needed to provide the service, meet legal obligations, resolve disputes, and prevent abuse. You can request account or data deletion through support.
Admin tools
ReturnBooks has internal admin pages for operating the service. Admin pages are gated by a server-side active-admin check on every request. Sensitive admin actions go through database routines that re-verify the caller is an active admin before running. Admin access is logged.
What ReturnBooks does not do
- Does not ship the database service-role key to the browser. Privileged credentials stay on the server.
- Does not expose long-lived public URLs to uploaded files.
- Has no feature that stores full credit card numbers, bank account numbers, or government ID numbers.
- Connects to your bank only if you opt in, for read-only transaction import; does not hold, move, transfer, or process money, does not file taxes, and does not run payroll.
- Is not intended for protected health information (PHI). Do not upload PHI.
AI and OCR extraction
AI-assisted extraction runs on the server, never in the browser, and uses server-only credentials. Extracted fields are shown to you for review and are not auto-saved as records without your action. See the Privacy page for what is sent to extraction providers.
Responsible disclosure
If you believe you have found a security issue, please report it through the Support page. A dedicated security contact and disclosure policy will be added before public launch. We ask that you avoid testing against other companies' data, do not download or modify data you do not own, and give us reasonable time to investigate and remediate.
Security roadmap
We are still pre-launch. The items below are planned, not shipped, and we will not claim them until they are real and verifiable:
- Hardened native mobile experience — see the internal native readiness checklist; native dependencies are not added yet.
- AI Guardian review controls layered on top of extraction.
- Production billing with secure payment flows and webhooks.
- Expanded audit logging for sensitive operations.
- Formal independent security review.
We do not currently hold a SOC, HIPAA, or PCI attestation and do not claim one. We will update this page if and when independent attestations are obtained.
Contact
Security questions and disclosure reports: a dedicated security contact will be added before public launch. In the meantime, please use the Support page to reach us.