Data Security

RecordSteward uses Clerk, a purpose-built authentication platform, to manage all user accounts and login security. Passwords are never stored directly in our database — Clerk handles secure credential storage, login session management, and email verification using industry-standard practices. All new user accounts go through an approval process before gaining access to your firm’s data.

Yes. RecordSteward uses a role-based access system. Current standard roles include: CAM Admin, CAM Staff, Board Read-Only, and Super Admin. Each role has specific permissions. CAM Admins can manage the team, export packets, and configure settings. CAM Staff can upload and tag documents and create tasks. Board members can view documents and the audit history available within their role, for their association only — they cannot upload, export, or edit anything. Role assignments are managed by your CAM Admin and can be changed at any time.

When a team member leaves, your CAM Admin can immediately deactivate their account. Deactivation removes all access to your firm’s data instantly. Everything that person uploaded, tagged, or organized remains in place and accessible to the remaining team. The audit trail preserves a record of all actions the departing user took while they had access, so nothing is lost and the history remains clear.

Board members can be given read-only access scoped to their specific association. They can view documents and the audit history available within their role, for their association only — they cannot see other associations, upload files, export packets, or change any settings. Attorney or outside reviewer access is not currently a built-in role, but documents can be shared through exported packets with a full audit trail of what was included and when it was exported.

Yes. RecordSteward maintains a system-maintained audit trail that records key actions in the system: who uploaded a document, who tagged it, who changed its status, who exported a packet, and when each action occurred. This log cannot be edited or deleted by users. It is visible to CAM Admins and board members within their permitted scope, and it provides a clear chain of custody for every document in your records.

Your data remains accessible through the end of your subscription period. RecordSteward is designed so you can export your documents and associated metadata in standard formats before your subscription ends. Your records belong to your firm and your associations — not to us. After the subscription period ends and any agreed data retention period expires, your data is deleted from active systems within a commercially reasonable period; backup copies persist until overwritten in the ordinary course of our backup practices. Specific data export and retention terms are confirmed in your subscription agreement.

This is one of the core problems RecordSteward is designed to solve. Records are stored at the association level, not at the individual user level. When a manager or board member leaves, the association’s document history, audit trail, packet export history, and status tracking remain intact and accessible to the remaining team. New team members can be granted access immediately through an invitation, with a full record of what was on file and what was done before they arrived.

RecordSteward is hosted on Vercel (application layer) and uses managed cloud database and file storage services hosted in the United States. These providers maintain SOC 2-certified data centers with physical security, redundant power, network monitoring, and automated failover. We chose infrastructure providers with strong security track records so we can focus on building the best records workflow for your team.

RecordSteward is built on cloud infrastructure designed for high availability. Our hosting providers maintain uptime commitments in their service agreements, and we architect the platform to minimize single points of failure. While we do not currently publish a formal SLA with guaranteed uptime percentages, we monitor platform health continuously and address issues as they arise. If you experience a service disruption, contact support@recordsteward.com.

Yes. RecordSteward’s cloud infrastructure scales automatically as your portfolio grows. Adding more associations, users, or documents does not require hardware changes or migration. The same platform that works for a firm managing 5 associations works for a firm managing 500 — with the same security controls, access management, and audit trail at every scale.

RecordSteward is designed with data privacy practices appropriate for the types of records CAM Firms manage. We encrypt data in transit and at rest, enforce role-based access controls, maintain audit trails, and isolate each firm’s data from other firms. Florida does not currently have a comprehensive consumer data privacy statute equivalent to California’s CCPA, but we build to a standard that reflects current best practices for handling sensitive business records. If Florida enacts additional data privacy requirements, we will evaluate and adapt accordingly.

No. RecordSteward does not currently hold SOC 2 certification and is not HIPAA compliant. We are straightforward about this because we believe transparency matters more than overclaiming. Our infrastructure providers (cloud hosting, database, and authentication services) do hold SOC 2 certifications for their environments. As RecordSteward grows, we will evaluate pursuing our own SOC 2 certification when it is appropriate for the scale and needs of our customer base.

No software platform can guarantee absolute security, and we will not claim otherwise. RecordSteward implements industry-standard encryption, access controls, and audit logging — but we do not guarantee that our systems are immune to every possible attack, vulnerability, or data loss scenario. We do not make legal, engineering, insurance, or compliance determinations about your records. We do not certify that any document set is legally sufficient, complete, or compliant with any regulation. Professional review is always required for those determinations.

For security questions, questionnaires, or concerns: security@recordsteward.com. If you discover a potential security vulnerability, suspect unauthorized access to your account, or have any security-related concern, email that address immediately with the subject line “Security Concern.” We take all reports seriously and will respond within one business day. If you believe your account has been compromised, also change your password immediately through the login page.