Institutional vendor review

Vendor review: security, isolation, and data handling for financial institutions

This page supports vendor review for banks, credit unions, and other financial institutions evaluating Residual Genius, operated by Residual Genius LLC. It is distinct from our agent-facing data security overview. We describe current practices honestly and do not claim certifications we have not earned.

Tenant isolation and data ownership

Customer data is scoped to a single organization identifier. Residual uploads, reconciliation outputs, contract schedules, and audit history are not visible to other customers through normal product paths. Row-level security policies on configured database tables reinforce org boundaries.

Your institution retains ownership of the financial files and audit outputs you upload. Residual Genius LLC does not claim ownership of your portfolio or merchant data and does not sell customer residual files or audit results to third parties.

Encryption and infrastructure

All browser traffic to Residual Genius uses HTTPS (TLS). Files and database records are stored on Supabase and Vercel infrastructure in the United States, with data at rest encrypted using standard platform encryption from those providers.

Authentication credentials are managed by Supabase Auth. Passwords are hashed by the identity provider; we do not store plaintext passwords.

Role-based access, including read-only viewers

Access within an organization follows role-based permissions: org admin, agent, and read-only viewer for finance and compliance staff. Viewers can review audits, reconciliation, exceptions, portfolio views, trends, and exports within their org but cannot upload files, edit contract schedules, manage billing, or change team settings.

Users cannot escalate their own role or organization assignment through the product. Privileged platform operations are limited to internal service credentials and explicit platform admin roles.

Append-only audit trail

Material actions such as uploads, reconciliation reviews, and configuration changes are recorded in an append-only audit_log table with actor identity and timestamps. New entries are inserted via server-side service credentials; org users cannot modify or delete audit trail rows through the application.
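The org scoping, read-only viewer role, and insert-only audit trail described above can all be expressed as Postgres row-level security policies and grants, which is the mechanism Supabase exposes. The following is an added illustration written for this page, not Residual Genius's actual schema or code; the table and column names (org_memberships, residual_uploads, the audit_log columns) and the helper function current_user_org_ids are assumptions. It relies on Supabase's built-in auth.uid() function and its authenticated, anon, and service_role database roles, the last of which has BYPASSRLS and represents the server-side service credentials.

```sql
-- Added illustration, not the vendor's schema: tenant isolation, a
-- read-only viewer role, and an append-only audit log on Supabase/Postgres.
-- Table and column names below are assumptions.

create table org_memberships (
  user_id uuid not null,            -- matches auth.users.id
  org_id  uuid not null,
  role    text not null check (role in ('org_admin', 'agent', 'viewer')),
  primary key (user_id, org_id)
);

create table residual_uploads (
  id          bigint generated always as identity primary key,
  org_id      uuid not null,
  file_name   text not null,
  uploaded_by uuid not null,
  created_at  timestamptz not null default now()
);

create table audit_log (
  id         bigint generated always as identity primary key,
  org_id     uuid not null,
  actor_id   uuid not null,
  action     text not null,
  details    jsonb,
  created_at timestamptz not null default now()
);

-- Enable and FORCE row-level security so even the table owner obeys the
-- policies; only roles with BYPASSRLS (service_role) see across orgs.
alter table residual_uploads enable row level security;
alter table residual_uploads force row level security;
alter table audit_log enable row level security;
alter table audit_log force row level security;

-- Org ids the calling user belongs to. security definer so the policy
-- subquery runs with the function owner's privileges on org_memberships.
create or replace function current_user_org_ids()
returns setof uuid
language sql stable security definer set search_path = public as $$
  select org_id from org_memberships where user_id = auth.uid();
$$;

-- Tenant isolation: reads are limited to the caller's own org(s).
create policy uploads_select_own_org on residual_uploads
  for select to authenticated
  using (org_id in (select current_user_org_ids()));

-- Viewers are read-only: only org_admin and agent may insert uploads,
-- and only into an org they belong to.
create policy uploads_insert_admin_agent on residual_uploads
  for insert to authenticated
  with check (
    org_id in (select m.org_id from org_memberships m
               where m.user_id = auth.uid()
                 and m.role in ('org_admin', 'agent'))
  );

-- Audit trail: org users may read their own org's entries ...
create policy audit_select_own_org on audit_log
  for select to authenticated
  using (org_id in (select current_user_org_ids()));

-- ... but there is no insert/update/delete policy for them, so those
-- statements are rejected by RLS. Remove the privileges as well.
revoke insert, update, delete, truncate on audit_log from authenticated, anon;
grant select on audit_log to authenticated;

-- Server-side code appends entries with the service_role key. BYPASSRLS
-- skips policies but not GRANTs, so service_role can insert but never
-- rewrite history.
grant insert on audit_log to service_role;
revoke update, delete, truncate on audit_log from service_role;

-- Last line of defence: a trigger that refuses updates and deletes
-- regardless of which role issues them.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only';
end;
$$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();
```

A reviewer can verify the isolation claim without trusting application code: connect as a test user in one org and confirm that selecting from residual_uploads returns only that org's rows, that an insert as a viewer fails with a row-level security violation, and that any update or delete on audit_log raises the trigger's exception.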

Governance report exports combine reconciliation summaries with audit trail excerpts suitable for internal audit files and board documentation.

Subprocessors and AI processing

Optional AI-assisted parsing sends the minimum content required to model providers (for example, Anthropic) to normalize and reconcile uploaded files. API keys are stored as environment secrets, not in client code. Institutions should confirm subprocessors against their vendor policy before enabling AI features.

Subscription billing, when used, runs through Stripe. Card data is collected in Stripe's PCI-compliant flows; we receive tokens and subscription status, not raw card numbers.

Compliance posture (current state)

Residual Genius LLC does not currently hold SOC 2 Type II, ISO 27001, or similar third-party attestation. We provide this documentation, our Privacy policy, and our Security page for your vendor file, and we respond to security questionnaires during institutional evaluation.

Formal attestation programs and expanded control documentation are on our roadmap as we onboard more financial institution customers. We will update this page when status changes; we will not imply certification before it exists.

For deletion requests, data export, or security questions during vendor review, email info@cardsmart.io. See also our Privacy policy and Security page.

Vendor review FAQ

How is our data isolated from other customers?
Each organization has a dedicated tenant workspace. Residual files, reconciliation outputs, and contract schedules are scoped to your org_id. Application logic and database row-level security policies enforce that isolation on configured tables.

Does Residual Genius hold SOC 2 or similar certifications?
Residual Genius LLC does not currently hold SOC 2 Type II or ISO 27001 certification. We document current security practices honestly on this page and can provide a security questionnaire response for your vendor review. Formal attestation programs are on our roadmap as institutional demand grows.

Who owns the data we upload?
You retain ownership of residual reports, contract schedules, and audit outputs. We process and host that data only to deliver the verification service you contracted for. We do not sell customer financial data.

What is recorded in the audit trail?
The append-only audit_log captures material actions such as uploads, reconciliation reviews, and configuration changes with actor identity and timestamps. Entries are insert-only via server-side service credentials and are not editable by org users.

Can we restrict users to read-only access?
Yes. The viewer role allows finance and compliance staff to review dashboards and exports within their organization without permission to upload, edit contract schedules, manage billing, or change team settings.

Where is data stored and how is it encrypted?
Production data is hosted on Supabase and Vercel infrastructure in the United States. Traffic uses TLS (HTTPS). Data at rest is encrypted using standard platform encryption provided by those cloud vendors.