Last updated: January 1, 2025 · Effective for all ProDeskCPA users
ProDeskCPA collects information you provide directly: firm name, contact details, team member information, client data entered by your firm, financial engagement data, and billing information. We also collect usage logs and session data needed to operate the platform.
We do not sell your data to third parties. Ever.
All data is stored on Supabase-managed PostgreSQL databases hosted on AWS. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Sensitive fields (API keys, vault passwords) are encrypted with AES-256-GCM at the application layer. Backups are taken daily with 30-day retention.
SSNs and EINs are encrypted at the application layer before storage. Client portal passwords are hashed with bcrypt (cost factor 12). We conduct annual security reviews and follow OWASP Top 10 guidelines.
We share data only with sub-processors necessary to deliver the service: Supabase (database), Vercel (hosting), SendGrid (email), Stripe/Razorpay/PayPal (payments), and AI providers you explicitly connect. Each sub-processor is bound by data processing agreements.
Active firm data is retained for the duration of your subscription plus 90 days. Upon account closure, data is soft-deleted immediately and permanently purged after 90 days. You may request immediate deletion by contacting support@prodeskcpa.com.
You have the right to access, correct, export, and delete your data. To exercise these rights, contact support@prodeskcpa.com. We respond within 30 days. For California residents, CCPA rights apply, including the right to know and the right to opt out of sale (we do not sell data).
Data Controller: ProDeskCPA · support@prodeskcpa.com
For security disclosures: security@prodeskcpa.com