Security
Last revised: April 2026
Filemark processes sensitive corporate tax data for Canadian accounting firms. This page lists the controls we have in place today. For further details, contact security@filemark.ca.
AI Privacy
- Customer data is never used for model training.
- Filemark minimizes what is sent to the AI model: only account names and amounts are included in inference requests.
- Every AI call is logged with model, inputs, outputs, token usage, and latency.
Data Protection
- Encryption in transit: TLS on every connection, with HSTS preload.
- Encryption at rest: AES-256 on database and file storage.
- Tenant isolation: Row-Level Security enforces per-organization access on every table and storage bucket.
Authentication & Access
- Authentication via Supabase Auth with email and password.
- Multi-factor authentication (TOTP / authenticator app) available.
- Sessions validated server-side; tokens are short-lived and rotated automatically.
- Idle sessions are automatically signed out after 30 minutes of inactivity.
- Sign-in, sign-up, and all API endpoints are rate-limited.
Audit Logging
- User actions logged for file uploads, exports, AI runs, and document scraping.
- Every AI call logged with model, inputs, outputs, token usage, and latency.
- Authentication events tracked via Supabase’s built-in auth audit log.
- Audit logs are organization-scoped.
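As an added illustration, not Filemark's own schema or policies, of what "Row-Level Security enforces per-organization access on every table and storage bucket" (Data Protection) and "Audit logs are organization-scoped" (above) look like on a Supabase Postgres database. The table and column names, the `documents` bucket layout, and the `user_org_ids()` helper are assumptions made for the example; `auth.uid()`, `storage.objects` and `storage.foldername()` are Supabase's own.

```sql
-- Added example (not Filemark's schema or policies): per-organization RLS on a
-- tenant table, on a storage bucket, and on an append-only audit log.
-- Table/column names, the 'documents' bucket and user_org_ids() are assumptions.

-- Who belongs to which organization. auth.uid() is Supabase's function that
-- returns the calling user's id from the request JWT.
create table public.organization_members (
  organization_id uuid not null,
  user_id         uuid not null references auth.users (id) on delete cascade,
  primary key (organization_id, user_id)
);
alter table public.organization_members enable row level security;

-- Users may only see their own membership rows.
create policy "members: read own memberships"
  on public.organization_members for select
  to authenticated
  using (user_id = auth.uid());

-- Helper used by every tenant policy. security definer lets it read
-- organization_members without recursing through that table's own policy.
create or replace function public.user_org_ids()
returns setof uuid
language sql stable security definer
set search_path = public
as $$
  select organization_id
  from public.organization_members
  where user_id = auth.uid();
$$;
revoke all on function public.user_org_ids() from public;
grant execute on function public.user_org_ids() to authenticated;

-- Tenant data: every row carries the owning organization.
create table public.documents (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  storage_path    text not null,
  created_at      timestamptz not null default now()
);
alter table public.documents enable row level security;
alter table public.documents force row level security;  -- applies to the table owner too

create policy "documents: read own org"
  on public.documents for select
  to authenticated
  using (organization_id in (select public.user_org_ids()));

create policy "documents: insert into own org"
  on public.documents for insert
  to authenticated
  with check (organization_id in (select public.user_org_ids()));

-- Storage: objects are stored under <organization_id>/<file> in the
-- 'documents' bucket, so the first path segment identifies the tenant.
create policy "storage: read own org folder"
  on storage.objects for select
  to authenticated
  using (
    bucket_id = 'documents'
    and (storage.foldername(name))[1]
        in (select o::text from public.user_org_ids() as o)
  );

-- Organization-scoped audit log: members can read their organization's
-- entries and append entries for it. No update or delete policy exists, so
-- under RLS those statements affect zero rows for authenticated users.
create table public.audit_log (
  id              bigint generated always as identity primary key,
  organization_id uuid not null,
  actor_id        uuid not null default auth.uid(),
  action          text not null,   -- e.g. 'file.upload', 'export', 'ai.run'
  details         jsonb not null default '{}'::jsonb,
  created_at      timestamptz not null default now()
);
alter table public.audit_log enable row level security;

create policy "audit: read own org"
  on public.audit_log for select
  to authenticated
  using (organization_id in (select public.user_org_ids()));

create policy "audit: append for own org"
  on public.audit_log for insert
  to authenticated
  with check (
    organization_id in (select public.user_org_ids())
    and actor_id = auth.uid()
  );

-- Spot check from psql: impersonate a user of one organization and confirm
-- that another organization's rows are invisible (both ids are constructed).
-- begin;
--   set local role authenticated;
--   select set_config('request.jwt.claims',
--                     '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
--   select count(*) from public.documents
--     where organization_id = '00000000-0000-0000-0000-0000000000ff';  -- expect 0 for a non-member
-- rollback;
```

The point of the `force row level security` line and of the `security definer` helper is that the policy holds even for the table owner and does not depend on each query remembering to filter by organization; the spot-check at the end is the kind of per-table verification worth running after every migration.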
Infrastructure
- Application hosting on AWS App Runner (ca-central-1, Canada).
- Database, authentication, and file storage hosted on Supabase (AWS ca-central-1, Canada).
- AI inference via AWS Bedrock using the US inference profile. Requests route across ca-central-1, us-east-1, us-east-2, and us-west-2, so this is the one listed flow in which data may be processed outside Canada. AWS does not retain or train on inference content, and only account names and amounts are sent.
- Transactional email via AWS SES (ca-central-1).
Subprocessors
We use the following third-party services to operate Filemark:
| Company | Purpose |
|---|---|
| Supabase | Database, authentication, file storage |
| Anthropic | AI model provider (accessed via AWS Bedrock) |
| AWS App Runner | Application hosting (ca-central-1) |
| AWS Bedrock | AI inference |
| AWS SES | Transactional email (ca-central-1) |
Compliance & Certifications
Filemark is committed to industry standards and compliance:
- SOC 2 Type II – required controls being implemented; not yet certified (audit planned)
- ISO 27001 – required controls being implemented; not yet certified (audit planned)
- Data processing agreements (DPA) available on request
Responsible Disclosure
We encourage coordinated vulnerability disclosures. If you believe you have found a security issue in Filemark, please contact us at security@filemark.ca.
We commit to:
- Acknowledging reports within 5 business days.
- Investigating promptly and keeping you informed of progress.
- Not pursuing legal action against good-faith security researchers.