SheltrIQ holds some of the most sensitive information you own — tax IDs, bank activity, property records. We protect it with encryption, database-level isolation, and self-hosted AI that keeps your financial data off third-party services. Here’s exactly how, in plain English.
Your most sensitive fields — tax IDs (SSN/EIN), and stored bank connection credentials and tenant-screening data — are encrypted with AES-256-GCM before they touch the database. The rest of your data lives on encrypted disks.
Every connection uses TLS 1.2+ with HSTS (preloaded). A strict Content-Security-Policy, frame-blocking, and secure, HTTP-only session cookies harden the browser side against injection and hijacking.
One landlord can never see another’s data. Postgres Row-Level Security enforces per-account boundaries inside the database itself, under a non-privileged role — not just in application code that could be bypassed.
Passwords are hashed with bcrypt (cost 12). Login is timing-equalized against email enumeration and rate-limited. Resetting your password invalidates every existing session immediately.
Daily backups of your data and documents are encrypted on our side before they leave for offsite storage — no plaintext ever rests off-server. We run an automated restore drill every week to prove the backups actually come back.
We track errors to fix them fast, but authorization headers, cookies, and any SSN/EIN patterns are scrubbed from error reports before they’re ever recorded.
Most "AI" tax tools pipe your transactions to OpenAI, Google, or Anthropic. SheltrIQ doesn’t. Our AI classification runs on self-hosted, open-source models on our own servers — so your financial data is never handed to an outside AI provider.
And AI never decides alone. Classification is rules-first: deterministic tax logic and your own learned corrections handle the clear cases, and the AI only weighs in on genuinely ambiguous ones — always with a confidence score you can see and override. Every classification and every change is written to an immutable audit log you can export for a filing.
All billing runs through Stripe, a PCI DSS Level 1 certified processor. Card numbers go straight to Stripe and never touch SheltrIQ’s servers.
Cancel anytime and your data stays available for 30 days. Ask us to delete your account and we permanently remove your personal, property, transaction, and document data within 30 days — after which it may persist only in encrypted backups for up to 7 more days before those are purged. You can export your data (including the classification audit log) at any time.
We’d rather be straight with you than pad this page with badges. Payment security is inherited from Stripe (PCI DSS Level 1). Data for EU customers is stored in Germany.
SheltrIQ is not SOC 2 certified — a formal audit is on our roadmap, and we won’t claim a certification we don’t hold. Two-factor authentication is also on the roadmap. If a security control matters to your decision, ask us and we’ll tell you exactly where it stands.
Found something? We want to hear from you. Email [email protected] with the details and steps to reproduce. We’ll acknowledge your report, keep you posted on the fix, and credit you if you’d like. Please give us a reasonable window to resolve the issue before disclosing it publicly, and don’t access or modify data that isn’t yours while testing.