Trust + Security

How we handle your closings.

Title companies trust us with non-public personal information (NPI), borrower documents, and signing records every day. This page describes the technical, operational, and legal controls behind that trust — concrete + auditable, not boilerplate.

Last updated: 2026-05-31 · Maintained by dispatch@itsofficialnotary.com

Authentication + access control

Ops (admin) sign-in
HMAC-signed magic-link email (15-min token), 12-hour session. Email allowlist enforced (OPS_ALLOWED_EMAILS). TOTP MFA available at /ops/security; ops account auto-bounces through the TOTP gate when enrolled.
Notary portal sign-in
HMAC-signed magic-link email (1-hour token), 30-day session. Only active notaries can request links — paused or terminated notaries are immediately blocked.
Title-co portal sign-in
HMAC-signed magic-link email (1-hour token), 30-day session. Only emails on the client record can request links.
Server-action authorization
Every ops mutation calls requireOpsSession() — no direct DB writes from unauthenticated requests. Same pattern for notary-portal and client-portal actions.
Session cookies
HTTP-only, Secure (in production), SameSite=lax. Distinct cookie + signing secret per role so a leaked notary cookie cannot elevate to ops.
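
A sketch of the magic-link expiry and per-role signing-secret controls listed above, as an added example that is not the platform's own code. The token layout, function names, secrets and email addresses are assumptions constructed for illustration; only the lifetimes and the OPS_ALLOWED_EMAILS name come from this page.

```javascript
// Added example: token layout, names and secrets below are assumptions.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Constructed stand-ins for values that would live in encrypted env vars.
const OPS_ALLOWED_EMAILS = new Set(["ops@example.test"]);
const ROLES = {
  ops:    { secret: "constructed-ops-secret",    ttlMs: 15 * 60 * 1000 }, // 15-min token
  notary: { secret: "constructed-notary-secret", ttlMs: 60 * 60 * 1000 }, // 1-hour token
  client: { secret: "constructed-client-secret", ttlMs: 60 * 60 * 1000 }, // 1-hour token
};

// HMAC-SHA256 over the encoded payload, keyed with that role's own secret.
const mac = (role, payload) =>
  createHmac("sha256", ROLES[role].secret).update(payload).digest();

// Returns "payload.signature", or null when an ops request is not allowlisted.
function issueToken(role, email, now = Date.now()) {
  if (role === "ops" && !OPS_ALLOWED_EMAILS.has(email)) return null;
  const claims = { role, email, exp: now + ROLES[role].ttlMs };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${payload}.${mac(role, payload).toString("base64url")}`;
}

// Verifies a token against the secret of the portal it was presented to.
function verifyToken(expectedRole, token, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2 || !Object.hasOwn(ROLES, expectedRole)) {
    return { ok: false, reason: "malformed" };
  }
  const [payload, sig] = parts;
  const given = Buffer.from(sig, "base64url");
  const want = mac(expectedRole, payload);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== want.length || !timingSafeEqual(given, want)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Parse only after the MAC is verified, so untrusted JSON is never read.
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  // Defense in depth in case two roles were ever given the same secret.
  if (claims.role !== expectedRole) return { ok: false, reason: "wrong-role" };
  if (typeof claims.exp !== "number" || now >= claims.exp) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, email: claims.email };
}
```

A notary token presented to the ops verifier fails at the signature check, before any claim in it is read.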

Data storage + handling

Database
Neon Postgres (US-East-1). All connections require TLS + channel binding. Credentials rotated via Vercel environment secrets.
Document storage
Vercel Blob with random-suffix keys (URL itself is the capability — not enumerable from sequential IDs). Per-file 10–25 MB caps depending on document kind.
Secrets management
All API keys + session secrets stored as Vercel encrypted environment variables. Not pulled into source control.
Notary journal records
10-year retention per Texas Government Code Ch. 406. Physical journal kept by the notary; we keep digital scan + metadata.
Order + assignment records
7-year soft-archive via daily cron at /api/cron/records-retention. Archived rows filtered from operational views, retained for legal-hold lookups.
Audit log
Every order status change written to order_status_log with actor (ops email / notary id / system) + timestamp + note.
Email send log
Every outbound email (Resend or SMTP) writes a row to notification_log with kind, recipient, status (sent / rejected / skipped / thrown), and Resend message id.

Compliance frameworks

GLBA Safeguards Rule
We are a service provider to financial institutions (title companies, lenders). Privacy + Terms pages reflect Safeguards alignment. Designation of a Qualified Individual + formal Written Information Security Program (WISP) is on the launch list before our first ongoing-client contract.
Texas Data Privacy + Security Act (TDPSA)
Privacy notice describes categories of NPI collected, purposes, retention, and rights. We don't sell or share data for cross-context behavioral advertising.
FCRA § 604(b)(2)
Notary applicants sign a standalone disclosure + authorization on /apply before any background check. Signature, IP, timestamp, and disclosure version are captured in notary_applications.
Texas notary law (Gov. Code Ch. 406)
We do not interpret documents, select certificate language, or provide legal advice. UPL disclaimer appears on every title-co milestone email.
1099-NEC discipline
W-9 capture at notary onboarding via document upload. Year-end earnings summary PDF generated per-notary from /ops/notaries/[id].

Notary credentials + vetting

Texas commission
Verified at onboarding + tracked with expiration date. Daily expiry-check cron emails the notary + ops at 30 / 14 / 3 days out, and again on expiry.
Errors-and-omissions insurance
Minimum $100,000 per claim enforced at the contractor-agreement level. Cert PDF uploaded to the notary's Documents tab. Same expiry-check cadence.
Background check
Within prior 12 months required; expiry-check cron flags notaries whose check ages past 365 days.
NNA certification
Strongly preferred but not required at intake; tracked on the applicant + notary records.
Independent-contractor agreement
Pre-filled IC agreement (10 sections, signature block) auto-generated per-notary at /n/ic-agreement. Notary signs, scans, uploads — upload auto-flips the matching onboarding checklist item.

Document execution + scan-check

Signed-package upload
Notaries upload from the per-order page using phone camera (capture="environment") or file picker. Per-upload page count computed via pdf-lib server-side; notary declares expected total so multi-part scans show "N of M pages" progress.
Scan-check QA
Every executed package auto-routed to our AI scan-checker when uploaded page count meets the declared expected count. Runs against client-specific rule profile (state-of-venue, initials-required, witness rules, expected-doc list, etc.). Findings surface on /ops/scan-check before the title co receives the package.
Storage
Executed packages stored in Vercel Blob with random-suffix keys + Drizzle row keeps metadata. Ops + the assigned title co see uploads; nobody else.
Retention
7 years per the order retention schedule above. Physical originals shipped per title-co instructions; we are not the custodian after delivery.

Subprocessors

Vercel (hosting + Blob)
Application hosting, edge network, scheduled crons, object storage. SOC 2 Type II audited.
Neon (Postgres)
Primary application database. SOC 2 Type II audited. US-East-1 region.
Resend (transactional email)
Primary email-send backend for milestone emails, magic links, and the applicant lifecycle.
Gmail SMTP (fallback)
Used while the itsofficialnotary.com domain finishes Resend verification. Routed via Google Workspace.
Anthropic (Claude)
Powers email-to-order extraction (/ops/email-intake) and scan-check QA (lib/scan-route.ts).
Stripe (Connect Express)
Notary payouts. Stripe handles KYC + bank-account collection; we never see notary bank credentials directly.
Twilio (SMS)
Reminder + offer SMS to notaries. Optional per notary (Profile tab → notification prefs).

Incident response + business continuity

Monitoring
Vercel platform metrics + error reporting. notification_log surfaces email send failures on /ops/notifications.
Incident communication
Material incidents will be communicated to affected title-company customers within 72 hours via the contact email on file.
Backup + recovery
Neon point-in-time recovery enabled (7-day window). Blob storage is region-replicated by Vercel.
Insurance
General liability + cyber liability coverage is on the launch list before our first ongoing-client contract.
Continuity
Senior Notary maintains a manual signing capability independent of the platform — if the platform is down, signings still happen + reconcile to the system when service is restored.

Questions about a specific control?

Email dispatch@itsofficialnotary.com with a request for a vendor-packet response. We maintain a current packet at /vendor-packet for procurement teams.

This page is operational documentation, not a legal warranty. See Terms for the binding agreement that governs use of the platform.