SubCash — Security & Data Handling

How SubCash handles your pay-app packets, AR data, and customer artifacts. Encryption, isolation, subprocessors, no model training, no data sale. Honest pre-SOC 2 disclosure.

Security & Data Handling

Last updated: 2026-04-18

This page describes how SubCash handles customer artifacts (pay-app packets, rejection emails, AR aging exports, subcontract excerpts) and what we do and don't do with that data. It's intended for controllers, CFOs, and IT teams evaluating SubCash for their firm.

This page is not a SOC 2 report and does not claim certifications we haven't earned. We follow SOC 2-aware practices today and will pursue Type II as we scale.

---

What we collect

From the free Pay-App Checker (no sign-up)

The free checker runs entirely in your browser. Packet text you paste and PDF files you drop are processed locally — they are not uploaded to a SubCash server. Close the browser tab, the data is gone. We do not retain, log, or transmit checker inputs to our backend.

We log basic anonymous usage (visit timestamps, browser type, finding count returned) for product analytics. No packet content is included in those logs.

From the $99 Cash-at-Risk Audit

When you upload artifacts for an audit, we collect what you send:

  • Pay-app packet PDFs (G702, G703, lien waivers, certified payroll exports, change-order documentation, stored-materials documentation).
  • Rejection emails or GC packet comments (PDFs, screenshots, or forwarded emails).
  • AR aging export (CSV / Excel).
  • Subcontract excerpts you choose to share.
  • Optional: DIR or state CPR portal screenshots if you have public-works exposure.

We collect what's sufficient to deliver the audit. We don't ask for payroll PII, employee records, banking information, or any data unrelated to the packet workflow.

From the SubCash OS subscription (when applicable)

Same scope as the audit, on a recurring basis. The OS subscription imports your last 90 days of artifacts at onboarding to seed the GC rule library and DSO baseline.

---

How we store it

  • Free checker: browser-local processing. Packet text and PDFs used in the free checker are not uploaded to SubCash.
  • Payment data: Stripe hosts checkout, receipts, and payment records. Full card data does not touch SubCash servers.
  • Audit artifacts: paid-audit artifacts are stored only in access-controlled systems used for audit delivery. Customer artifacts are not committed to the SubCash repository.
  • Encryption in transit: HTTPS/TLS for web traffic and vendor APIs.
  • Encryption at rest: provider-managed encryption at rest where supported by the subprocessors listed below.
  • Hosting and infrastructure: Vercel hosts the public web app. Railway hosts backend services, workers, and related infrastructure when used. Resend handles transactional email.

---

Who can access it

  • Drew Kraken (founder) has access to customer data needed for audit delivery and customer support.
  • Engineering staff and automated agents: scoped access only when needed to operate, debug, or improve the Service.
  • Third-party processors (subprocessors):
    • Stripe - payment processing and hosted checkout. Full card data is handled by Stripe, not by SubCash servers.
    • OpenAI API - language-model processing for audit analysis and internal workflow automation.
    • Anthropic API - language-model processing for audit analysis and internal workflow automation.
    • Resend - transactional email.
    • Vercel - web hosting, deployments, and edge delivery.
    • Railway - backend services, workers, and related infrastructure when used.

We do not sell or share customer data with any party outside the subprocessors above.

---

What we do NOT do

  • We do not sell customer data. Not to data brokers, not to partners, not to anyone.
  • We do not use customer artifacts to train AI models. Our language-model providers (Anthropic, OpenAI) contractually exclude API inputs from model training. Our internal rule library is built from public sources (AIA forms, state statutes, GC subcontract templates we collect with permission) — not from customer artifacts.
  • We do not share data with GCs. Your GC does not see what SubCash analyzes about your packets.
  • We do not share data with CPAs (the warm-intro source) or any other intermediary unless you explicitly request a CC on a deliverable.
  • **We do not allow third-party advertisers, analytics retargeting, or pixel tracking** of customer artifacts.

---

Compliance posture (honest disclosure)

What we are

  • US-operated. SubCash is operated by Drew Kraken from Kentucky, United States. No EU, UK, or APAC data subjects are contemplated in scope for launch.
  • HTTPS/TLS default. Web traffic and vendor API calls use encrypted transport.
  • Least-privilege access discipline. No production access without explicit need.
  • No data training. Contractually excluded with our LLM vendors.

What we are NOT (yet)

  • Not SOC 2 Type II certified. We will pursue Type II certification as we scale (post-$500K ARR target). If your firm requires SOC 2 evidence today, we are not the right fit yet — we'd rather tell you so than fake it.
  • Not HIPAA compliant. We do not handle protected health information. If you're a sub working healthcare construction (MOB / hospital pay apps), we handle the construction-AR side; we don't touch patient data, so HIPAA doesn't apply.
  • Not PCI-DSS scope. We don't store card data — Stripe handles all PCI scope.
  • Not FedRAMP. Not in scope; we don't sell to federal agencies.
  • Not GDPR / UK-DPA in scope. No EU/UK data subjects are contemplated for v1.

What we will sign

  • NDAs — yes, before audit upload, on request. Standard mutual NDA terms.
  • Data Processing Agreements (DPAs) — available on request for paid audit or OS customers that require one.
  • BAAs (Business Associate Agreements under HIPAA) — not applicable; we don't handle PHI.
  • Custom security questionnaires — yes, but we'll answer honestly. If a question asks for SOC 2 evidence and we don't have it, we'll say so.

---

Data lifecycle

Retention

  • Free checker: zero retention (browser-local processing).
  • $99 audit: customer artifacts retained for **90 days post-delivery** by default, then deleted unless customer requests longer retention or upgrades to OS subscription.
  • SubCash OS subscribers: customer artifacts retained for the duration of the subscription plus a 30-day post-cancellation export window.
  • Operational and security logs: retained as needed for security, debugging, and incident-response purposes.

Deletion

  • On request: deletion within 5 business days of a written deletion request to drew@subcash.io.
  • On cancellation: automated deletion 30 days post-cancellation unless extension requested.
  • On account closure: customer data is deleted from active systems within 30 days unless longer retention is required by law, payment records, tax records, or dispute handling.

Export

  • At any time: customer can request a complete data export (artifacts, audit reports, dashboard data) within 5 business days of request, no fee. Format: ZIP containing original artifacts plus JSON of structured data.

---

Incident response

If we discover a security incident affecting customer data:

  1. Containment within 24 hours of discovery.
  2. Customer notification within 72 hours of confirming customer data was affected, with what we know at that time.
  3. Post-incident report within 14 days with root cause, remediation, and prevention plan.

We have not had a security incident as of this page's date.

---

Bug bounty / responsible disclosure

If you find a security issue, email drew@subcash.io with "SECURITY" in the subject. We respond within 24 hours and aim to remediate confirmed issues within 14 days. Until we have funding, we don't pay a formal bug bounty, but we will publicly credit researchers who follow responsible disclosure (with permission).

Out of scope:

  • Social engineering of SubCash employees.
  • Physical attacks on SubCash facilities.
  • DoS / DDoS testing.
  • Any testing that would degrade service for other customers.

---

Frequently asked

Q: Can I run this past my IT team's security questionnaire? A: Yes. Send the questionnaire to drew@subcash.io. Typical turnaround: 3 business days for a full questionnaire response.

Q: Which vendors process my data? A: Stripe, OpenAI, Anthropic, Resend, Vercel, and Railway are the current subprocessors. The free checker runs in-browser and does not upload packet content to SubCash servers.

Q: Do you use AI to analyze my packets? A: Yes — Anthropic's Claude API and occasionally OpenAI's API. Both providers contractually exclude API inputs from model training. The AI helps extract structured data from PDFs and apply our rule library; the rules themselves are built from public statutory and AIA sources, not from customer data.

Q: What if my GC requires SOC 2 from all vendors? A: We don't have SOC 2 today. If your GC's vendor policy requires Type II, we are not approvable yet. We will pursue Type II as we scale (post-$500K ARR target). We can revisit when we earn it.

Q: Can I delete my data after the audit? A: Yes. Email drew@subcash.io with "DELETE" in the subject and your audit ID. We confirm deletion within 5 business days.

Q: Who at SubCash sees my packets? A: Drew Kraken (founder) for audit delivery and customer support. No other humans currently. Automated agents (Claude API, OpenAI API, internal scripts) may process artifacts under access controls when needed to deliver or improve the Service.

Q: Will my data be used to improve SubCash for other customers? A: We use anonymized rejection patterns to improve our public rule library (e.g., "Holder Section 12 stored-materials gaps appear in 30% of audits") — never with customer-identifying detail. We don't use customer-specific data to train models or benchmark against other customers.

---

Contact

Security questions: drew@subcash.io (subject: SECURITY)
Data deletion requests: drew@subcash.io (subject: DELETE)
NDAs / DPAs / questionnaires: drew@subcash.io

---

*Updated as our practices evolve. Material changes to this page will be communicated to active customers via email and dated in the changelog at the bottom.*

Changelog

  • 2026-04-18 — v1. Initial publication.