Security and Data Handling
Questions about how TidalForms protects your data and handles document security.
Q: How is my data encrypted?
All data is encrypted both at rest and in transit. Documents stored in Supabase Storage use server-side encryption. Network traffic between your browser and our servers uses TLS 1.2 or higher.
Encryption keys are managed and rotated by the hosting provider, not by TidalForms, under that provider's key-management practices.
Q: Where is my data stored?
Document files and database records are hosted on Supabase infrastructure, which runs on AWS. Data remains within your designated region and is subject to the data protection controls of that environment.
Each firm's data is isolated by Postgres Row Level Security (RLS) policies, so the isolation is enforced inside the database rather than only in application code. Your documents are not visible to users from other organizations.
Q: Who can access my documents?
Access is limited to users within your firm who have been granted appropriate permissions. Firm administrators control team membership and role assignments. The RLS policies enforce firm-level isolation in the database itself, so a query from one firm cannot return another firm's rows even if the application layer has a bug.
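The following is an added illustration of what firm-scoped Row Level Security looks like in Postgres (the database Supabase runs); it is not TidalForms' schema or policy. The table name, column names, the app_user role and the app.firm_id session setting are all assumptions made for the example. The constructed rows at the end show a query scoped to one firm returning only that firm's document.

```sql
-- Hypothetical firm-scoped RLS setup (example only; names are assumptions).
create table documents (
  id         uuid primary key default gen_random_uuid(),
  firm_id    uuid not null,
  owner_id   uuid not null,
  name       text not null,
  expires_at timestamptz not null default now() + interval '30 days'
);

-- RLS is off by default: without ENABLE the policy below is never consulted.
-- FORCE makes it apply to the table owner as well.
alter table documents enable row level security;
alter table documents force row level security;

-- The application sets the caller's firm once per transaction (SET LOCAL).
-- The second argument 'true' makes a missing setting return NULL instead of
-- raising, so a request that forgot to set it sees no rows (fails closed).
create or replace function current_firm_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.firm_id', true), '')::uuid
$$;

-- USING filters reads, updates and deletes to the caller's firm.
-- WITH CHECK rejects inserts or updates that would place a row in another firm.
create policy firm_isolation on documents
  for all
  using (firm_id = current_firm_id())
  with check (firm_id = current_firm_id());

-- Least-privilege application role: table rights only, no BYPASSRLS.
create role app_user nologin;
grant select, insert, update, delete on documents to app_user;

-- Constructed sample data: one document in each of two firms.
insert into documents (firm_id, owner_id, name) values
  ('11111111-1111-1111-1111-111111111111',
   'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'firm-a-w2.pdf'),
  ('22222222-2222-2222-2222-222222222222',
   'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'firm-b-1099.pdf');

-- A request on behalf of firm A sees only firm A's row.
set role app_user;
begin;
set local app.firm_id = '11111111-1111-1111-1111-111111111111';
select name from documents;   -- firm-a-w2.pdf only; firm-b-1099.pdf is filtered out

-- Writing into firm B's tenant from this session violates WITH CHECK and errors:
-- insert into documents (firm_id, owner_id, name)
--   values ('22222222-2222-2222-2222-222222222222',
--           'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'smuggled.pdf');
commit;
reset role;
```

Two caveats a reviewer would check. First, any role with BYPASSRLS, including Supabase's service-role key, skips these policies entirely, so isolation only holds for requests that reach Postgres through a restricted role. Second, the policy is only as good as the value placed in app.firm_id; that value must come from the authenticated session on the server, never from a request parameter.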
Support staff may access data only when troubleshooting issues you report, and only with your acknowledgment.
Q: How long do you retain my documents?
Every document defaults to a 30-day lifespan. You will get automated warnings at 7, 3, and 1 days before expiration and you can extend the retention period as needed. Documents can be deleted at any time from within the application. Deleted documents are removed from active storage.
For specific retention policies or data deletion requests, contact your firm administrator or reach out to support.
Q: Is my data used to train AI models?
No. Your tax documents and extracted data are not used to train machine learning models. OCR processing uses Azure Document Intelligence, which processes your documents for extraction purposes only. Your data remains yours.
Q: What authentication does TidalForms use?
TidalForms uses cookie-based session authentication with Better Auth. The session cookie is HttpOnly, so page scripts cannot read it, and requests are protected against CSRF. Sessions use a sliding expiry: they end after 7 days of inactivity, and each active use extends them automatically.
Multi-factor authentication options may be available depending on your firm's configuration.
Q: How do I report a security concern?
If you discover a potential security vulnerability or have concerns about data handling, contact the security team immediately. Do not disclose potential vulnerabilities publicly until they have been addressed.
For general data access questions, contact your firm administrator first. They can address most permission and access concerns directly.
Q: What happens to my data if I leave my firm?
When your account is removed from a firm workspace, your access to that firm's documents ends immediately. The documents remain with the firm. You cannot retrieve data after access is revoked.
If you move to a new firm using TidalForms, you will have a separate account tied to the new organization.
Q: Are there compliance certifications I should know about?
The infrastructure TidalForms runs on maintains SOC 2 compliance; that attestation covers the underlying platform rather than TidalForms itself. The underlying storage and compute services follow industry security standards. For specific compliance questions related to your use case, contact support to discuss your requirements.