Security & data handling
Residual Genius · Residual Genius LLC · 101 N J St, Suite 2, Lake Worth Beach, FL
Last updated June 20, 2026
Purpose
This page summarizes how Residual Genius, operated by Residual Genius LLC (101 N J St, Suite 2, Lake Worth Beach, FL), protects financial and operational data you entrust to the platform. It is a high-level overview, not a certification or guarantee. Formal policies and agreements should be finalized with legal and security counsel.
Data classification
- Residual & Schedule A files: sensitive financial data; stored in org-scoped Supabase storage and database rows.
- Reconciliation outputs: variance calculations, flagged line items, audit history; tenant-isolated per organization.
- Credentials: managed by Supabase Auth; passwords hashed by the identity provider, not stored in plain text by us.
Access control
- Organization-scoped data access with role-based permissions (viewer read-only, agent, org admin, platform admin).
- Row Level Security (RLS) on Supabase tables where configured.
- Server-side org resolution on authenticated API routes; clients cannot arbitrarily switch tenant context without authorization.
Encryption & transport
Data in transit uses TLS (HTTPS). Data at rest is encrypted by our cloud providers (Supabase, Vercel) per their platform standards. We do not offer customer-managed encryption keys in v1. SOC 2 attestation is not claimed on this page; contact us for current security documentation.
AI & third-party processing
AI-assisted features send file excerpts or structured prompts to model providers strictly to perform parsing and reconciliation tasks. API keys are stored as environment secrets, not in client code. Disable AI features if your compliance program prohibits specific subprocessors.
Payments
Subscription billing runs through Stripe. Card data is collected by Stripe's PCI-compliant flows; we receive tokens and subscription status, not raw card numbers. Production billing should remain in Stripe test/live mode per deployment policy.
Incident response
We investigate suspected unauthorized access and notify affected customers as required by law. Report security concerns to info@cardsmart.io.
Your responsibilities
- Use strong passwords and limit account sharing.
- Upload only data you are authorized to process.
- Review AI-generated findings before external communication.
- Remove access for departed team members promptly.