How we protect your clients' trust account data
Florida attorneys have two obligations when using cloud software: competence (Rule 4-1.1) and confidentiality (Rule 4-1.6). We've built IOLTAWatch so you can satisfy both without compromise.
Read-only access. We cannot move money — ever.
We connect to your trust account through Plaid using read-only credentials. IOLTAWatch can retrieve your transaction history and current balance. It cannot initiate a transfer, create a payee, change account settings, or move a single dollar. This is a technical constraint, not just a policy — Plaid's read-only token type does not expose any payment endpoints.
Your IOLTA account credentials are never stored on IOLTAWatch servers. When you connect via Plaid, you authenticate directly with your bank. We receive only a read-only access token, which we store encrypted. You can revoke access at any time from within your bank's connected apps settings — IOLTAWatch immediately loses access to your account.
Encrypted in transit and at rest.
All data transmitted between your browser and IOLTAWatch is encrypted using TLS 1.2 or higher. We do not support older, insecure protocol versions.
All data stored in our database — including transaction records, client matter balances, and reconciliation reports — is encrypted at rest using AES-256, the same standard used by financial institutions and government agencies. Encryption keys are managed by our infrastructure provider and are never accessible to IOLTAWatch application code.
Bank access tokens (Plaid credentials) are encrypted with an additional application-level key before storage, providing a second layer of protection beyond database-level encryption.
The services we rely on — and their certifications.
IOLTAWatch uses the following third-party services to deliver the product. We only work with providers that maintain recognized security certifications. You can verify each provider's security posture directly.
| Provider | Purpose | Certification | Security page |
|---|---|---|---|
| Plaid | Read-only bank connection | SOC 2 Type II | plaid.com/safety |
| Supabase | Database & authentication | SOC 2 Type II | supabase.com/security |
| Stripe | Payment processing | PCI DSS Level 1 | stripe.com/docs/security |
IOLTAWatch itself applies SOC 2-informed controls — access logging, least-privilege principles, and separation of duties — as we work toward formal certification.
Your records are yours. Full stop.
Florida Bar Rule 5-1.2(c) requires you to retain trust account records for six years. IOLTAWatch stores and archives every reconciliation PDF we generate on your behalf for the full six-year retention window.
You can export your complete archive at any time — all reconciliation PDFs, transaction records, and matter balances — in a single download. No support ticket required.
If you cancel your IOLTAWatch subscription, your data remains accessible for 30 days so you can complete your export. After 30 days, all your data is permanently deleted from our systems. We will send you a deletion confirmation email.
IOLTAWatch staff cannot view your client data.
Your client names, matter IDs, and account balances are private to your firm. No IOLTAWatch employee can access your firm's data in the normal course of business. Our internal tooling enforces row-level access control — customer records are isolated from each other and inaccessible to staff without explicit authorization.
If you contact us for support and the issue requires us to inspect your data, we will request your written permission first and document the access. All administrative access to production data is logged and auditable.
Cloud software is Bar-approved — with the right precautions.
Florida Bar Rule 4-1.6 requires attorneys to make reasonable efforts to prevent inadvertent disclosure of client information. The Bar has confirmed that cloud-based software is permissible as long as the attorney exercises reasonable care in selecting and using the service.
IOLTAWatch is designed to satisfy that standard: your data is encrypted, hosted on certified infrastructure, and never shared with third parties for any purpose other than delivering the product. We do not sell, license, or monetize your data in any form.
For guidance on evaluating cloud services under Rule 4-1.6, see the Florida Bar's Rules Regulating the Florida Bar.
If something goes wrong, we tell you within 72 hours.
In the event of a security incident that affects the confidentiality, integrity, or availability of your data, IOLTAWatch will notify you by email within 72 hours of confirming the incident. The notification will include the nature of the incident, the data affected, the steps we have taken to contain it, and any actions we recommend you take.
We maintain an incident response plan and conduct regular internal reviews. If you discover a potential security vulnerability, please report it to security@ioltawatch.com. We will acknowledge your report within one business day.
Security questions? We answer them directly.
If you have questions about this page, our practices, or want to request our full security documentation before subscribing, contact us. You will reach a person, not a support bot.
Security & compliance inquiries
Response time: one business day. For urgent matters related to a Florida Bar audit or subpoena, indicate "URGENT" in the subject line.