Security

How Fidem handles your documents

Rental application documents contain sensitive financial information. This page describes how Fidem stores, handles, and protects submitted documents — factually and without overstatement.

Document handling

Documents are uploaded directly to private, access-controlled cloud storage via a signed upload URL. Signed URLs are short-lived and scoped to the specific upload operation — they cannot be reused or shared.

Once uploaded, documents are not accessible via public links. Access to a stored document requires authentication and authorization to the associated verification workflow.

Documents are processed internally for field extraction. The raw extracted fields are used to run verification checks and produce the verification report. Raw extraction outputs are not exposed in the user interface.

Access control

All document uploads, downloads, and verification operations require an authenticated session. Unauthenticated access to documents, verification reports, or review workflows is not possible.

Each organization's data is logically isolated. Verifications created by one organization are not accessible to another.

Sessions are managed via Supabase Auth with industry-standard token handling. Session tokens are not stored in localStorage.

Storage and privacy

Documents are stored in private cloud storage buckets. No bucket has public access enabled. All storage objects require authenticated, scoped access to retrieve.

Fidem does not share submitted documents with third parties outside the document processing workflow. Extracted field data used for verification is retained as part of the evaluation record and is not exported or sold.

Documents are retained for the duration of the associated verification workflow and according to the data retention policy in our Privacy Policy. Organizations may request deletion of their verification data by contacting privacy@usefidem.com.

Data retention and deletion

Retention: Verification records, extracted field data, and associated documents are retained while your account is active and for a reasonable period thereafter. We do not enforce an automatic deletion schedule at this time, though this will be formalized as the platform matures.

Deletion requests: You may request deletion of your verification data, associated documents, or your entire account at any time. Requests are processed within a reasonable timeframe and will be acknowledged within 5 business days.

Scope of deletion: On receipt of a deletion request, we will delete: stored documents associated with the request, extracted field data, verification reports, and activity log entries. Some operational metadata (billing records, aggregated usage logs) may be retained for legal and financial compliance purposes.

To request deletion: privacy@usefidem.com

Infrastructure and vendor disclosure

Fidem relies on the following infrastructure providers. We disclose these to enable informed security assessment by operators.

Supabase

Authentication, database, and object storage

Fidem uses Supabase for user authentication (Auth), verification data storage (PostgreSQL), and document storage (Storage). Supabase infrastructure runs on AWS.

Amazon Web Services (AWS)

Document processing infrastructure

Document processing operations (OCR and field extraction) run on AWS infrastructure. Fidem uses AWS Textract for document extraction. Data is processed in the us-east-1 region.

Fidem does not use additional third-party services for core document handling beyond the vendors listed above. This list will be updated if additional vendors are introduced.

Verification scope and data use

Fidem processes submitted pay stubs and bank statements to extract specific field values (income figures, pay periods, balances, deposit counts) for verification purposes.

Extracted data is used solely to produce the verification report for the associated workflow. It is not used to build scoring models, train AI systems, or produce tenant eligibility determinations.

Fidem does not access credit bureaus, background check providers, eviction databases, employment verification services, or any external data source. All verification is performed on submitted documents only.

Operational safeguards

All lifecycle transitions in a verification workflow — uploads, processing events, review actions, document requests — are logged and stored as immutable audit records. This provides a traceable history for every verification.

Document processing operations include retry handling with limits to prevent runaway processing. Failed processing operations surface clearly in the workspace UI for operator review and manual retry.

Server-side validation is enforced on all API boundaries. Client-side state is never trusted for authorization decisions. Access control checks are performed server-side on every request.

Security inquiries

If you have questions about Fidem's security posture, document handling, or data practices, please contact us:

For general questions, see our Privacy Policy or Terms of Service.

Note on certification: Fidem is an early-stage platform. We have not yet completed formal SOC 2 or similar audits. This page describes our actual security practices, not aspirational claims. We will update it as our security program matures.