A straight answer about what we do today, what we don’t have yet, and how to reach us if something looks wrong.
Last updated: May 17, 2026
Dedicated instance and dedicated database per firm. No multi-tenant joins.
TLS in transit; AES-256 at rest on managed Postgres storage.
Role-based permissions, password hashing, required TOTP two-factor.
Every mutation logged with user, timestamp, IP, and a human-readable description.
Each customer firm runs on its own application instance backed by its own PostgreSQL database. There are no cross-firm joins or shared tenant identifiers. The Service is hosted in the United States on a major cloud platform.
Data in transit is encrypted with TLS. The managed database service encrypts data at rest. Passwords are hashed; we never store plaintext passwords.
The application has three role tiers — Admin, Editor, and Viewer — with optional per-family access restrictions on top.
Two-factor authentication via TOTP is required for every user. No user can disable it from inside the application — a compromised account cannot turn it off. If a user loses their device, an admin at the firm can reset MFA; the user re-enrolls on next login.
Every mutation — logins, data edits, permission changes, report generations — is recorded with user, timestamp, IP, and a human-readable description. Firm administrators can review and export the log.
Branch Reporting is an early-stage company. We do not currently hold a SOC 2 Type II report, an ISO 27001 certification, or a HIPAA business associate attestation. Firms with formal security questionnaires receive our current self-attestation on request.
If your firm has a specific control we don’t meet today, tell us — that feedback shapes the roadmap.
If you believe you’ve found a security issue, email info@branchreporting.com with the subject line “Security report” and a description of the issue plus steps to reproduce. We will acknowledge within two business days.
Branch Reporting LLC · info@branchreporting.com
