Encryption
At Rest — AES-256
All data persisted to disk — invoices, ledgers, payroll records, GST filings, bank statements — is encrypted using AES-256-GCM via Supabase's managed PostgreSQL infrastructure. Encryption keys are managed by the infrastructure provider and rotated automatically.
In Transit — TLS 1.3
Every connection between your browser (or the corpus desktop app) and our servers is encrypted with TLS 1.3. Older protocol versions (TLS 1.0, 1.1) are rejected. HTTP traffic is automatically redirected to HTTPS with HSTS headers enforced.
Tenant Isolation & Row Level Security
corpus uses a single shared database with strict PostgreSQL Row Level Security (RLS) policies. Every table that holds financial data has a company_id column. RLS policies enforce that every query — no matter which user or API key initiates it — can only see and modify rows belonging to their own organization.
Database-enforced, not application-enforced
Isolation is enforced at the PostgreSQL engine level. Even if application code contains a bug, the database rejects unauthorized row access before returning any data.
Verified at every query
RLS policies execute on every SELECT, INSERT, UPDATE, and DELETE. There is no query path that bypasses them — including direct SQL access.
Zero cross-tenant data leakage
Your invoices, ledgers, and payroll data are invisible to other corpus customers. The database does not contain any shared lookup tables that could expose organization names or identifiers.
Multi-company users
CAs managing multiple clients get separate authorization tokens per company. Switching companies re-validates the session against RLS — it is not a client-side permission switch.
Access Controls & Role Permissions
corpus implements role-based access control (RBAC) with four built-in roles. Admins can create custom roles with granular module-level permissions.
| Role | Read | Write | Delete | Admin Settings | Billing |
|---|---|---|---|---|---|
| Owner | ✓ | ✓ | ✓ | ✓ | ✓ |
| Admin | ✓ | ✓ | ✓ | ✓ | — |
| Accountant | ✓ | ✓ | — | — | — |
| Viewer | ✓ | — | — | — | — |
Session Management
15-minute access tokens, 30-day refresh tokens with automatic rotation. Each session is associated with a registered device. Global sign-out terminates all active sessions immediately.
Device Registry
Every login registers the browser fingerprint, IP address, and approximate location. Users can see all active sessions and revoke individual devices from Settings → Security.
Impossible Travel Detection
Logins from two geographically distant locations within one hour trigger a security alert and optional session freeze.
Brute-Force Protection
Failed login attempts are rate-limited and locked after repeated failures. Supabase Auth enforces exponential back-off on authentication endpoints.
Audit Logging
Every action that modifies financial data — voucher creation, invoice deletion, user permission changes, GST filing initiations — is written to an immutable audit log. The log is append-only: rows can never be updated or deleted by application code, and it is governed by strict RLS policies that permit only inserts.
Each audit entry records:
- ·Who performed the action (user ID, name, email)
- ·What changed (table, row ID, before/after values)
- ·When it happened (UTC timestamp, immutable)
- ·Where from (IP address, device fingerprint, approximate location)
- ·Result (success, failure, permission denied)
Security event log
Authentication events (login, logout, MFA failures), device registrations, session revocations, and suspicious activity flags are tracked in a separate security_events table with a 90-day hot retention and 7-year cold archive.
In-app access
Admins can view the full audit log from Settings → Audit Log, with filters by user, date range, and action type. The log can be exported to CSV for external review or compliance purposes.
Backup Policy & Disaster Recovery
≤ 1 hour
Recovery Point Objective (RPO)
Maximum data loss in the event of a catastrophic failure. Point-in-time recovery gives us 1-minute granularity on the last 30 days.
≤ 4 hours
Recovery Time Objective (RTO)
Maximum downtime from a major incident to full service restoration, including data restoration and verification.
Daily automated backups
Full database snapshots are created every 24 hours and stored in geographically redundant object storage. Backups are encrypted at rest with separate keys from the primary data store.
Point-in-time recovery (PITR)
WAL (Write-Ahead Log) streaming enables recovery to any point within the last 30 days with 1-minute granularity. This means even a ransomware attack or mass accidental deletion is recoverable.
30-day hot retention
The last 30 days of daily backups are retained in warm storage for rapid restoration. Older backups move to cold storage for the duration required by Indian accounting law (7 years).
Restoration procedure
A restore request from an admin triggers our incident response workflow. We restore to a staging environment first to verify data integrity, then promote to production. Users are notified of restoration status via email and in-app.
Cross-region redundancy
Production data is replicated asynchronously to a secondary region. In the event of a primary data center outage, traffic can be failed over with minimal interruption.
Your Data. Your Property.
We believe your financial records belong to you — not to us. This is not a policy buried in legal text; it is a structural commitment backed by technical controls.
You own your data
All invoices, ledgers, payroll records, bank statements, and GST filings you create or import are your property. We are a custodian, not an owner.
We never sell your data
Your financial data is never sold, licensed, or shared with third parties for advertising, profiling, or commercial purposes. Period.
Export at any time
You can export your complete data — invoices, ledgers, reports — in CSV, Excel, or JSON formats from any screen, at any time, without needing to contact support.
Request deletion
Email hello@corpuserp.com to request full account and data deletion. We will confirm within 7 days and complete deletion within 30 days, subject to legal retention obligations under Indian law.
Retained after cancellation
Cancelling your subscription does not delete your data immediately. You retain read-only access for 30 days to export everything you need.
No AI training on your data
We use AI to power features for you. Your financial data is never used to train general-purpose models or shared with AI providers for anything beyond processing your own requests.
Service Status
Real-time uptime and incident history for all corpus services — API, authentication, sync, AI features, and compliance integrations.
Security questions?
Our security team responds within 2 business days. For vulnerability disclosures, email us directly.