Privacy Policy

Effective April 22, 2025

FileValet is an invitation-only document vault built for CPA firms and their clients. We handle sensitive taxpayer information (SSTI) and understand that trust is non-negotiable. This policy explains what data we collect, why we collect it, how we protect it, and how long we keep it — in plain language.

1. What we collect

Account data: Name, email address, and organization membership provided during invitation acceptance. We do not support self-registration; all accounts are created by an authorized Organization Admin.

Authentication credentials: Passkey public keys (WebAuthn) and email OTP tokens. Passkey private keys never leave your device. We store only the public credential.

Documents and files: Files you upload are stored in encrypted AWS S3 buckets. We retain file content, metadata (name, size, upload timestamp), and access audit logs.

Audit and access logs: Every file view, download, upload, and share event is logged with a timestamp and user identifier. These logs are required for IRS Pub 4557 compliance and cannot be disabled.

Technical metadata: IP address, browser user-agent, and request timestamps for security monitoring. We do not use third-party analytics trackers.

2. How we use your data

  • Providing secure document exchange between your CPA firm and clients
  • Authenticating users and enforcing role-based access (Admin, Staff, Client)
  • Generating audit trails required by IRS Pub 4557 and FTC Safeguards Rule
  • Scanning uploaded files for malware (AWS GuardDuty Malware Protection for S3)
  • Service notifications (upload complete, document shared) sent to verified email addresses

We do not sell, rent, or share your data with advertisers. We do not use your data to train machine learning models.

3. Data retention — IRS Pub 4557

IRS Publication 4557 (Safeguarding Taxpayer Data) requires tax preparers to retain taxpayer information for a minimum of seven years. FileValet enforces this through a soft-delete architecture: records are marked with a deleted_at timestamp and hidden from all views, but the underlying data is preserved and recoverable by your Organization Admin for the full retention period.

After the seven-year window expires, data may be permanently removed upon written request from the Organization Admin. We do not hard-delete records during the mandatory retention period under any circumstances.

4. Tenant isolation and data separation

Every record in FileValet carries an organization_id. PostgreSQL Row Level Security (RLS) with FORCE ROW LEVEL SECURITY is active on every tenant-isolated table, including those accessed by privileged database roles. This means the database engine itself — not application logic — enforces that queries from one organization can never read or modify another organization's data.

Staff members within an organization only see data for clients explicitly assigned to them. Clients see only their own records.
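The isolation described above, as an added example rather than FileValet's own schema: a tenant-isolated table with Row Level Security forced on the table owner, plus the deleted_at soft-delete column from section 3. The table name, policy name and the app.current_org session setting are assumptions.

```sql
-- Added example, not FileValet's schema. Table, policy and setting names are assumed.
CREATE TABLE documents (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    name            text NOT NULL,
    size_bytes      bigint NOT NULL,
    uploaded_at     timestamptz NOT NULL DEFAULT now(),
    deleted_at      timestamptz          -- soft delete: set, never hard-deleted in retention window
);

-- The application names the caller's tenant once per transaction:
--   SET LOCAL app.current_org = '<organization uuid>';
-- NULLIF(...) turns an unset/empty setting into NULL, so no rows match and nothing leaks.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;  -- policy also binds the table owner

CREATE POLICY tenant_isolation ON documents
    USING      (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (organization_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Ordinary reads go through a view that hides soft-deleted rows; the row itself remains.
CREATE VIEW active_documents AS
    SELECT id, organization_id, name, size_bytes, uploaded_at
    FROM documents
    WHERE deleted_at IS NULL;

-- Check: with the tenant set, only that organization's rows are visible or writable.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
INSERT INTO documents (organization_id, name, size_bytes)
    VALUES ('11111111-1111-1111-1111-111111111111', 'w2-2024.pdf', 48213);
-- A row for another organization fails WITH CHECK ("new row violates row-level security policy"):
-- INSERT INTO documents (organization_id, name, size_bytes)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'other.pdf', 1);
SELECT count(*) FROM active_documents;  -- counts only the current organization's live rows
COMMIT;
```

FORCE ROW LEVEL SECURITY covers the table owner, but superusers and roles with BYPASSRLS still bypass every policy, so the application role should hold neither.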

5. Encryption

  • In transit: All data moves over TLS 1.2+. File uploads use browser-direct presigned S3 URLs — documents never pass through our application servers.
  • At rest: All files are encrypted using AWS S3 Server-Side Encryption (SSE-S3, AES-256). Database data is encrypted at rest in Neon’s managed Postgres service.
  • Authentication secrets: Passkey credentials use WebAuthn (public-key cryptography). Session tokens are short-lived, server-managed, and never exposed to client-side JavaScript.

6. Third-party sub-processors

Vendor               Purpose                        Data shared
AWS S3 + GuardDuty   File storage + malware scan    Encrypted file content
Neon                 Serverless Postgres            All database records
Railway              Application hosting            Request metadata only
Resend               Transactional email delivery   Recipient email address, message content
Upstash              Rate limiting (Redis)          Hashed IP or user identifier, request counters
Sentry               Error monitoring               Stack traces (PII-stripped)

7. Your rights

You may request access to, correction of, or deletion of your personal data at any time, subject to mandatory retention obligations under IRS Pub 4557. Deletion requests for SSTI records within the seven-year window will be deferred to the expiry of that period.

Contact your Organization Admin or email us at privacy@filevalet.app.

8. Changes to this policy

We will notify Organization Admins by email of any material changes to this policy at least 14 days before they take effect. Continued use of FileValet after that date constitutes acceptance.

Questions?

Email privacy@filevalet.app or contact your Organization Admin.