Trust
Security
How YBAWS Inc. (operating as Capital Toolkit) protects the financial data you entrust to us, and how to report a security issue.
Last updated: May 4, 2026
How your data is protected
1. Encryption at rest
Sensitive credentials are encrypted with AES-256-GCM at the application layer before they reach the database. This includes OAuth refresh tokens for connected bookkeeping software (QuickBooks Online, Xero) and any other credential material we hold on your behalf. The encryption key is held in environment configuration and never written to the database, so a database export alone reveals nothing.
2. Encryption in transit
Every page and API request is served over HTTPS with HSTS. We do not accept plaintext HTTP connections.
3. Tenant isolation
Every CPA firm and every applicant is scoped by database-level row-level security. The platform enforces — in the database itself, not just in application code — that one firm cannot read another firm's clients, and one applicant cannot read another's files. Even a buggy query inside our own code base cannot leak across that boundary.
4. Audit trail
Every change to your data — uploads, deletions, status transitions, role grants, document downloads, integration connect and disconnect events — writes a row to an append-only audit log. The log records who acted, when, and what changed. We can answer “was this record ever modified, and by whom?” for any record on the platform.
5. Authentication
Sign-in uses Supabase Auth with magic-link email and optional time-based one-time-password (TOTP) two-factor. Two-factor is required to accept a delegated-access invitation; we are extending that requirement to all administrator accounts.
6. Authorization
Authorization checks (what each authenticated user is allowed to do) are enforced at the database, the API, and the UI. Browser-mutable user metadata is never trusted for authorization decisions.
7. Where your data sits
Application data and uploaded documents are stored in Supabase, on AWS Canada (Central) in Toronto. See Sub-processors for the full list of vendors that touch personal information, what data each one sees, and the region each one operates in.
8. Retention
We retain your application data while your account is active. On account closure, we delete personal information within thirty days unless retention is required by law (for example, anti-money-laundering or tax record-keeping obligations). Audit logs are retained for the life of the platform; they record who acted, not the document contents themselves.
9. Backups
Encrypted backups are taken automatically by our database provider. We periodically perform restore drills against a throwaway environment to confirm backups can actually be recovered — a backup that has never been restored is not a backup.
10. Vendor due diligence
We rely on a small set of audited vendors (listed at /sub-processors) for hosting, database, email, and AI features. We do not handle credit card numbers ourselves — payment processing, when applicable, goes through Stripe.
What happens when you connect QuickBooks or Xero
When you authorize Capital Toolkit to read from your bookkeeping software, we receive a refresh token from your bookkeeping vendor. That token is encrypted with AES-256-GCM before it is written to our database. The plain-text version never lands on disk. We use the token only to pull the data categories you authorized; we never push data back into your books unless you specifically opt in to a write feature, and those features are individually consented to per engagement.
You can disconnect a bookkeeping connection from Settings › Integrations at any time. On disconnect we revoke the token upstream with the vendor and stop refreshing the cached data immediately. Cached canonical data from the connection is purged on a scheduled cleanup after a short retention window.
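The application-layer token encryption described in this section and under "Encryption at rest", sketched as an added example; this is not Capital Toolkit's code. The `TOKEN_ENC_KEY` variable name, the stored envelope layout and the tenant context string are assumptions, and binding that context as additional authenticated data goes beyond what the page states.

```javascript
const crypto = require('node:crypto');

// Assumption: the 32-byte key arrives base64-encoded in an environment
// variable (TOKEN_ENC_KEY is a hypothetical name) and is never read from the database.
function loadKey(env = process.env) {
  const key = Buffer.from(env.TOKEN_ENC_KEY || '', 'base64');
  if (key.length !== 32) throw new Error('TOKEN_ENC_KEY must decode to 32 bytes');
  return key;
}

// Encrypt a refresh token before it is written to the database.
// `context` (hypothetical format "firm:42|conn:7") is bound as additional
// authenticated data, so a ciphertext copied into another row fails to decrypt.
function sealToken(key, plaintext, context) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Stored column value: version byte | nonce | tag | ciphertext, base64-encoded.
  return Buffer.concat([Buffer.from([1]), nonce, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt a stored value; throws if anything was altered.
function openToken(key, stored, context) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < 29 || raw[0] !== 1) throw new Error('unsupported envelope');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(1, 13),
    { authTagLength: 16 });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(raw.subarray(13, 29));
  // final() throws when the key, context, nonce, tag or ciphertext does not match.
  return Buffer.concat([decipher.update(raw.subarray(29)), decipher.final()]).toString('utf8');
}

// Returns true when decryption is refused.
function rejects(key, stored, context) {
  try { openToken(key, stored, context); return false; } catch { return true; }
}

// Constructed sample values, not real credentials.
const demoKey = loadKey({ TOKEN_ENC_KEY: crypto.randomBytes(32).toString('base64') });
const sealed = sealToken(demoKey, 'constructed-refresh-token', 'firm:42|conn:7');
console.log(openToken(demoKey, sealed, 'firm:42|conn:7')); // round trip
console.log(rejects(demoKey, sealed, 'firm:99|conn:7'));   // wrong tenant context
```

A database export on its own contains only the base64 envelope; without the key from the environment, `openToken` cannot recover the token.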
Reporting a security issue
If you believe you have found a security vulnerability in any Capital Toolkit property — the marketing site, the apply funnel, the platform, the API, or our integrations — please email security@capitaltoolkit.com.
What to include: a description of the issue, the URL or endpoint affected, steps to reproduce, and (if known) the category of impact (data disclosure, privilege escalation, denial of service, etc.). Screenshots and short proof-of-concept scripts are welcome.
What we will do:
- Acknowledge receipt within five business days.
- Triage the report and respond with our assessment and an expected remediation window.
- Keep you informed as the fix is built, deployed, and verified.
- Credit you publicly (or anonymously, your preference) once a fix has shipped, if you would like.
Coordinated disclosure — what we promise
Capital Toolkit does not currently run a paid bug bounty program, but we welcome good-faith security research. We commit to the following:
- We will not pursue legal action against researchers who act in good faith, do not exfiltrate or destroy data, do not degrade service for other users, and give us a reasonable opportunity to fix issues before disclosing them publicly.
- We will not contact your employer, your school, or law enforcement on the basis of a good-faith report.
- If you accidentally access data that does not belong to you, please stop, do not download or further access it, and tell us what happened — we will treat that as part of the report, not as misconduct.
Out of scope
- Denial-of-service attacks, traffic flooding, or anything that degrades availability for legitimate users.
- Social engineering of our employees, contractors, or customers.
- Physical attacks against our offices or those of our vendors.
- Vulnerabilities in third-party services we depend on — please report those to the vendor directly. We are happy to help you reach the right team.
- Reports generated solely by automated scanners with no demonstrated impact.
Machine-readable disclosure policy
Our /.well-known/security.txt file follows RFC 9116. Both the marketing site (capitaltoolkit.com) and the platform (app.ybaws.com) publish a security.txt that points back to this page.
More information
For privacy-related requests (access, correction, deletion of your personal information), see the Privacy Policy or use the data request form. For general questions, write to contact@capitaltoolkit.com. For security-specific reports, use security@capitaltoolkit.com.