Built for sensitive immigration data.
Citizenly handles some of the most consequential personal information a person will ever share with a piece of software. This page is how we think about protecting it — written for the people who will actually read it: your IT lead, your privacy counsel, your funders.
Four principles, applied everywhere.
These show up in the product, not just on this page. The design system has dedicated components for audit reasons, magic-link reveals, and confirmation tokens — they exist because the principles exist.
No PII in URLs, titles, or analytics
Applicant data is sensitive enough that the browser tab label is itself a leak. URLs, document titles, and analytics events carry case IDs only — never names, A-numbers, or any free-text the applicant typed.
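What enforcing this rule looks like in code, as an added Go example (not Citizenly's own code): the allowlist is the primary control, since only named, non-free-text properties may leave the browser, and a regex backstop catches identifiers with a recognisable shape (A-numbers, SSNs, e-mail addresses) in URL paths, query strings, tab titles and event payloads. The case ID format (`case_` plus 12 hex characters), the allowlisted property names and the sample inputs are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Shapes that must never appear in a URL, tab title, or analytics payload.
// The A-number pattern follows the USCIS format: the letter A and 7 to 9 digits.
var piiShapes = []*regexp.Regexp{
	regexp.MustCompile(`(?i)\bA[- ]?\d{7,9}\b`),      // A-number
	regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),       // US SSN
	regexp.MustCompile(`[\w.+-]+@[\w-]+(\.[\w-]+)+`), // e-mail address
}

// Case IDs are opaque. This format is an assumption: "case_" + 12 lowercase hex chars.
var caseIDShape = regexp.MustCompile(`^case_[0-9a-f]{12}$`)

// The only analytics properties allowed to leave the browser (assumed set).
// Free text an applicant typed has no key here, so it cannot be sent at all.
var allowedProps = map[string]bool{"case_id": true, "tenant_id": true, "screen": true, "locale": true}

var errPIIShape = errors.New("value matches a PII shape")

// scan is the backstop: it catches identifiers with a recognisable shape. It
// cannot recognise a person's name, which is why the allowlist comes first.
func scan(s string) error {
	for _, re := range piiShapes {
		if m := re.FindString(s); m != "" {
			return fmt.Errorf("%w: %q", errPIIShape, m)
		}
	}
	return nil
}

// CheckURL rejects a URL whose path segments or decoded query values carry PII.
func CheckURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if err := scan(seg); err != nil {
			return fmt.Errorf("path segment: %w", err)
		}
	}
	for k, vals := range u.Query() {
		for _, v := range vals {
			if err := scan(v); err != nil {
				return fmt.Errorf("query %s: %w", k, err)
			}
		}
	}
	return nil
}

// CheckTitle applies the same backstop to a document title.
func CheckTitle(title string) error { return scan(title) }

// CheckEvent applies the allowlist, checks that case_id is an opaque ID, then
// scans every value. Keys are visited in sorted order so the first error is deterministic.
func CheckEvent(name string, props map[string]string) error {
	if err := scan(name); err != nil {
		return fmt.Errorf("event name: %w", err)
	}
	keys := make([]string, 0, len(props))
	for k := range props {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if !allowedProps[k] {
			return fmt.Errorf("property %q is not on the allowlist", k)
		}
		if k == "case_id" && !caseIDShape.MatchString(props[k]) {
			return fmt.Errorf("case_id %q is not an opaque case ID", props[k])
		}
		if err := scan(props[k]); err != nil {
			return fmt.Errorf("property %s: %w", k, err)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: one clean URL, one leaking an A-number, one event leaking a name.
	fmt.Println(CheckURL("https://app.citizenly.com/cases/case_0123456789ab"))
	fmt.Println(CheckURL("https://app.citizenly.com/cases/A123456789"))
	fmt.Println(CheckEvent("intake_step_completed", map[string]string{"case_id": "case_0123456789ab", "applicant_name": "Maria Lopez"}))
}
```

The regexes are a safety net, not the control: a name like "Maria Lopez" has no shape to match, so the only thing that keeps it out of an analytics call is that there is no allowlisted key it could travel under. A check like this belongs in the analytics wrapper itself and in CI, not in a post-hoc log scrub.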
Magic links are revealed once
Intake links and admin reset links are shown to the caseworker exactly once at creation. After that they're hashed at rest. If a link is lost, a new one is issued — we cannot recover the old one.
Audit on everything that matters
Every cross-tenant action, every change to an applicant record, every admin mutation is logged with a reason and a confirmation token. Logs are immutable, kept for seven years, and available to your org admin.
Tenant isolation by default
Your applicant data is scoped to your organization at the database and the application layer. Cross-tenant access is reserved for narrow Citizenly-staff workflows, requires step-up auth, and is always audited.
Compliance posture.
We tell you what's done, what's in progress, and what we're choosing not to do right now. Pretending a framework is finished when it isn't is the fastest way to lose your trust.
| Framework | Status | Detail |
|---|---|---|
| SOC 2 Type II | In progress | Observation window opened Q1 2026 with Prescient Assurance. Type II report expected Q4 2026. Type I report and current bridge letter available under NDA. |
| HIPAA (BAA available) | Aware | While Citizenly is not a covered entity, our data-handling controls align with HIPAA's administrative, physical, and technical safeguards. We sign BAAs with covered-entity customers on request. |
| GDPR / UK GDPR | Compliant where applicable | Citizenly is US-hosted and serves US-resident applicants. Where personal data of EU or UK residents passes through us (for example, a sponsor abroad), we apply the rights and lawful-basis requirements of GDPR. |
| CCPA / CPRA | Compliant | California-resident rights — access, deletion, correction, opt-out of sharing — are implemented in the client portal and exposed via support@citizenly.com. |
| Penetration testing | Annual | Independent third-party penetration test annually, plus targeted retesting after any infrastructure change in scope. The most recent letter of attestation is available under NDA. |
Data protection.
Encryption
- In transit
- TLS 1.3 between every browser, app server, and database, with TLS 1.1 and earlier disabled so a client cannot negotiate down. HSTS preloaded.
- At rest
- AES-256 on every storage volume: database, object store, backup snapshots, and log archive.
- Application-layer encryption
- Free-text intake answers (those that may contain PII) are additionally encrypted at the application layer with per-tenant keys.
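One way to do application-layer encryption with per-tenant keys, as an added Go example and not Citizenly's own code: every tenant has its own 32-byte AES-256-GCM data key, and the tenant, case and field names are bound into the additional authenticated data, so a ciphertext pasted into another tenant's row, another case, or another column fails to decrypt even though the bytes are intact. Generating keys in memory is an assumption for the example (a deployment would have a KMS generate, wrap and rotate them), as are the case and field identifiers and the sample answer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyring maps a tenant to its own AES-256 data key. In-memory generation is
// an assumption for this example; production keys would come wrapped from a KMS.
type keyring struct {
	keys map[string][]byte
}

func newKeyring() *keyring { return &keyring{keys: map[string][]byte{}} }

// keyFor returns the tenant's key, creating one on first use.
func (k *keyring) keyFor(tenantID string) ([]byte, error) {
	if key, ok := k.keys[tenantID]; ok {
		return key, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	k.keys[tenantID] = key
	return key, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad names the tenant, case and field a value was written for. GCM checks it
// on decrypt, so a blob moved to another row or column is rejected.
func aad(tenantID, caseID, field string) []byte {
	return []byte(tenantID + "\x00" + caseID + "\x00" + field)
}

// EncryptAnswer returns nonce || ciphertext || tag for one free-text answer.
func (k *keyring) EncryptAnswer(tenantID, caseID, field, plaintext string) ([]byte, error) {
	key, err := k.keyFor(tenantID)
	if err != nil {
		return nil, err
	}
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, []byte(plaintext), aad(tenantID, caseID, field)), nil
}

// DecryptAnswer only consults the key of the tenant that owns the row and
// never creates one, so an unknown tenant is an error, not a silent new key.
func (k *keyring) DecryptAnswer(tenantID, caseID, field string, blob []byte) (string, error) {
	key, ok := k.keys[tenantID]
	if !ok {
		return "", errors.New("no data key for tenant")
	}
	g, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	if len(blob) < g.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad(tenantID, caseID, field))
	if err != nil {
		return "", errors.New("decryption failed: wrong tenant, wrong field, or tampered data")
	}
	return string(pt), nil
}

func main() {
	kr := newKeyring() // constructed sample: two tenants, one answer
	blob, _ := kr.EncryptAnswer("org-a", "case_0123456789ab", "q7", "My sister still lives in Guadalajara.")
	pt, err := kr.DecryptAnswer("org-a", "case_0123456789ab", "q7", blob)
	fmt.Println("owning tenant:", pt, err)
	kr.keyFor("org-b")
	_, err = kr.DecryptAnswer("org-b", "case_0123456789ab", "q7", blob)
	fmt.Println("other tenant:", err)
}
```

Two design notes. The nonce is 96 random bits, and with random nonces NIST SP 800-38D caps a single key at about 2^32 encryptions; a key per tenant keeps that count small and makes per-tenant rotation a local operation. Separately, destroying a tenant's data key renders every one of its ciphertexts unreadable at once, including copies still sitting in backup snapshots, which is a useful property to pair with any hard-delete commitment.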
Hosting & residency
- Region
- AWS, us-east-1 (Virginia) primary, us-west-2 (Oregon) for backups and failover. Both regions are inside the United States.
- Sub-region availability zones
- Three AZs in the primary region for high availability.
- Data residency on enterprise plans
- We can pin a tenant to a specific region, including AWS GovCloud, on the enterprise plan.
Retention & deletion
- Default retention
- Applicant records are kept for the duration of the active engagement plus three years, unless your contract specifies otherwise.
- Audit logs
- Seven years, immutable.
- Deletion
- On the applicant's request, or yours, we hard-delete within 30 days. Backup snapshots are not rewritten, so a deleted record persists in them until they age out on the normal 90-day cycle.
Access controls.
Authentication
Email + magic link by default. SSO via SAML or OIDC on enterprise. Step-up MFA required for any caseworker viewing applicant PII on a new device.
Authorization
Role-based: applicant, caseworker, org admin, platform admin. Cross-tenant routes require an additional confirmation token and an audit reason — they cannot be invoked silently.
Session management
Idle timeout 30 minutes. Absolute timeout 12 hours. Magic-link sessions are bound to the browser they were opened in and cannot be replayed elsewhere.
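The single-reveal magic links described under the principles above and the browser-bound sessions described here both come down to a small amount of token handling, shown in the added Go example below. This is example code, not Citizenly's implementation. It assumes a random per-browser "binder" value that the browser holds in a separate cookie before the link is opened, an in-memory store, and an HMAC key held by the server; the idle and absolute timeouts are the ones stated on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"time"
)

// Timeouts as stated on this page: 30 minutes idle, 12 hours absolute.
const idleTimeout, absoluteTimeout = 30 * time.Minute, 12 * time.Hour

var errInvalidLink = errors.New("magic link invalid, expired, or already used")
var errInvalidSession = errors.New("session invalid, expired, or presented from a different browser")

// linkRecord holds everything about a link except the token itself; the
// plaintext exists only in the return value of IssueLink.
type linkRecord struct {
	tenantID string
	expires  time.Time
	consumed bool
}

// A session is tied to the browser that redeemed the link through an HMAC of
// a random "binder" value that browser keeps in a separate cookie (assumed design).
type session struct {
	tenantID          string
	binderHMAC        []byte
	created, lastSeen time.Time
}

type store struct {
	links    map[string]*linkRecord // keyed by string(sha256(token)), never by the token
	sessions map[string]*session    // keyed by opaque session ID
	hmacKey  []byte                 // server secret for the binder HMAC (assumed to live in a KMS)
}

func newStore(hmacKey []byte) *store {
	return &store{links: map[string]*linkRecord{}, sessions: map[string]*session{}, hmacKey: hmacKey}
}

// randomToken returns 256 bits of entropy as a URL-safe string; a failing CSPRNG is fatal.
func randomToken() string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(raw)
}

func hashToken(tok string) string { sum := sha256.Sum256([]byte(tok)); return string(sum[:]) }

func (s *store) bind(binder string) []byte {
	m := hmac.New(sha256.New, s.hmacKey)
	m.Write([]byte(binder))
	return m.Sum(nil)
}

// IssueLink returns the plaintext token exactly once. Only its hash is kept,
// so a lost link cannot be recovered, only replaced by a new one.
func (s *store) IssueLink(tenantID string, ttl time.Duration, now time.Time) string {
	tok := randomToken()
	s.links[hashToken(tok)] = &linkRecord{tenantID: tenantID, expires: now.Add(ttl)}
	return tok
}

// RedeemLink hashes the presented token, enforces expiry and single use, and
// mints a session bound to the redeeming browser's binder value.
func (s *store) RedeemLink(tok, browserBinder string, now time.Time) (string, error) {
	rec, ok := s.links[hashToken(tok)]
	if !ok || rec.consumed || now.After(rec.expires) {
		return "", errInvalidLink
	}
	rec.consumed = true
	sid := randomToken()
	s.sessions[sid] = &session{tenantID: rec.tenantID, binderHMAC: s.bind(browserBinder), created: now, lastSeen: now}
	return sid, nil
}

// ValidateSession enforces the browser binding and both timeouts, refreshes the
// idle clock on success, and returns the tenant the session belongs to.
func (s *store) ValidateSession(sid, browserBinder string, now time.Time) (string, error) {
	sess, ok := s.sessions[sid]
	if !ok || !hmac.Equal(sess.binderHMAC, s.bind(browserBinder)) {
		return "", errInvalidSession
	}
	if now.Sub(sess.lastSeen) > idleTimeout || now.Sub(sess.created) > absoluteTimeout {
		delete(s.sessions, sid)
		return "", errInvalidSession
	}
	sess.lastSeen = now
	return sess.tenantID, nil
}
```

Two details matter in practice. The store is keyed by the hash, so a database dump does not yield usable links, and a second redeem of the same link fails even inside the validity window. The binder check uses hmac.Equal so that comparison time does not depend on how many leading bytes match; the session ID presented from a browser without the matching binder cookie is rejected before any timeout logic runs.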
Audit trail
Every access to an applicant record, every mutation, every export is logged with actor, timestamp, IP, and a free-text reason where required. Logs are visible to your org admin in the dashboard.
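One way to build the cross-tenant path described under Authorization and the immutable audit trail described here, as an added Go example that is not Citizenly's implementation: a confirmation token issued for exactly one (actor, action, target) triple, a mandatory reason, and a hash-chained log whose Verify function detects any later edit, reorder or deletion. The five-minute token TTL, the in-memory storage and the hash chain as the tamper-evidence mechanism are assumptions for the example; step-up authentication is assumed to have already happened upstream.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// A confirmation token is short-lived and bound to one (actor, action, target). Five minutes is an assumption.
const confirmationTTL = 5 * time.Minute

var errNoReason = errors.New("cross-tenant action requires a non-empty audit reason")
var errBadToken = errors.New("confirmation token missing, expired, already used, or issued for a different action")

type auditEntry struct {
	Seq                                     int
	At                                      time.Time
	Actor, ActorOrg, Action, Target, Reason string
	Prev, Hash                              string // hex SHA-256 of the previous entry and of this one
}

// auditLog is append-only; Verify detects any later edit, reorder, or deletion by recomputing the chain.
type auditLog struct{ entries []auditEntry }

func entryHash(e auditEntry) string {
	h := sha256.New()
	for _, f := range []string{fmt.Sprint(e.Seq), e.At.UTC().Format(time.RFC3339Nano), e.Actor, e.ActorOrg, e.Action, e.Target, e.Reason, e.Prev} {
		fmt.Fprintf(h, "%d:%s;", len(f), f) // length-prefixed so field boundaries cannot shift
	}
	return hex.EncodeToString(h.Sum(nil))
}

func (l *auditLog) Append(e auditEntry) auditEntry {
	e.Seq = len(l.entries)
	if e.Seq > 0 {
		e.Prev = l.entries[e.Seq-1].Hash
	}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify returns (true, -1) for an intact chain, or (false, i) for the first entry whose
// position, link to its predecessor, or content has changed.
func (l *auditLog) Verify() (bool, int) {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i || e.Prev != prev || entryHash(e) != e.Hash {
			return false, i
		}
		prev = e.Hash
	}
	return true, -1
}

type confirmation struct {
	actor, action, target string
	expires               time.Time
}

type service struct {
	log           auditLog
	confirmations map[string]confirmation // keyed by string(sha256(token))
}

func newService() *service { return &service{confirmations: map[string]confirmation{}} }

func tokenKey(tok string) string { sum := sha256.Sum256([]byte(tok)); return string(sum[:]) }

// IssueConfirmation is step one: the UI obtains a token naming exactly what is about
// to be done and shows the operator a confirmation prompt.
func (s *service) IssueConfirmation(actor, action, target string, now time.Time) string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // a failing CSPRNG is fatal
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	s.confirmations[tokenKey(tok)] = confirmation{actor: actor, action: action, target: target, expires: now.Add(confirmationTTL)}
	return tok
}

// CrossTenantAction is step two. It refuses to run without a reason and a matching
// unexpired token, consumes the token, and writes the audit entry before any work.
func (s *service) CrossTenantAction(actor, actorOrg, action, target, reason, token string, now time.Time) (string, error) {
	if strings.TrimSpace(reason) == "" {
		return "", errNoReason
	}
	key := tokenKey(token)
	c, ok := s.confirmations[key]
	if !ok || c.actor != actor || c.action != action || c.target != target || now.After(c.expires) {
		return "", errBadToken
	}
	delete(s.confirmations, key) // single use
	e := s.log.Append(auditEntry{At: now, Actor: actor, ActorOrg: actorOrg, Action: action, Target: target, Reason: strings.TrimSpace(reason)})
	// the cross-tenant read or write itself would run here, after the entry is durable
	return e.Hash, nil
}
```

The order inside CrossTenantAction is the point: the reason check and the token check both run before the log write, and the log write runs before the privileged operation, so there is no code path that touches another tenant's record without a durable entry naming who, what, and why. A hash chain only makes tampering detectable; to make it immutable in practice, the head hash has to be anchored somewhere the log writer cannot alter, such as a write-once store or a periodic export to the customer's org admin.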
Privacy notice (in plain words).
The full privacy notice is the binding legal document. This summary is for quick reading — it does not replace it.
- What we collect
- The intake answers your client provides, the questions they ask the assistant, basic device and locale metadata, and authentication artefacts. Nothing more.
- What we don't collect
- We don't run third-party advertising trackers. We don't sell or share applicant data with any third party for marketing. We don't fingerprint clients across orgs.
- What we do with it
- We use intake answers to run the intake (deliver to your dashboard) and the assistant conversation (answer the client's questions). We do not use applicant data to train general-purpose models.
- How long we keep it
- For the duration of the active engagement plus three years, unless your contract specifies otherwise. Audit logs are retained for seven years.
- Client rights
- Access, correction, deletion, and export — accessible from the client portal or via support@citizenly.com. We respond within 30 days.
- Children
- The intake is designed for adult applicants. When a minor is included on a parent's case, only the minimum demographic data needed to identify them is collected.
- Changes to this notice
- Material changes are announced in-app at least 30 days before they take effect, and recorded in our changelog.
Sub-processors.
The third parties that process applicant data on our behalf. We notify customers at least 30 days before we add a sub-processor, and customers can object before the change takes effect.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Hosting (us-east-1, us-west-2) | United States |
| Anthropic | Large-language-model inference for the assistant. Zero-retention contract. | United States |
| Datadog | Operational metrics and logs (no PII) | United States |
| Postmark | Transactional email (magic links, receipts) | United States |
| Stripe | Billing — for paying customers, not applicants | United States |
Responsible disclosure.
If you've found a vulnerability, we want to hear from you. We do not pursue legal action against good-faith security research conducted under the terms below.
How to report
Email security@citizenly.com with reproduction steps and impact. PGP key available at /security/pgp.asc. We acknowledge within one business day and aim to resolve critical issues within seven days.
Scope
The Citizenly web app at citizenly.com and *.citizenly.com, and our public-facing APIs. Out of scope: physical attacks, social engineering of our staff, denial-of-service.
Safe harbor
Research conducted in good faith and within scope is authorized under our safe-harbor policy. Do not access applicant data beyond what's needed to demonstrate the issue, and do not disclose publicly until we've had a chance to fix.
Recognition
We maintain a hall of fame for researchers whose reports we've validated. Monetary bounties are not currently offered but are under consideration for 2027.
Terms (summary).
The full master services agreement is the binding document. This is the human-readable summary.
- Not legal advice
- Citizenly provides general legal information, not legal advice. For advice about a specific situation, your client should talk to a licensed immigration attorney.
- Service availability
- Standard plans target 99.5% monthly uptime. Enterprise plans contract to 99.9% with credits. Maintenance windows are announced 72 hours in advance.
- Acceptable use
- No automated mass-account creation, no using the assistant to give legal advice to your clients in our voice, no testing exploits without coordination via our disclosure program.
- Termination
- Either party can terminate with 30 days' notice. On termination we provide a full export of your data within 30 days, then hard-delete.
- Governing law
- California, USA. Disputes go to arbitration under JAMS rules unless you're a public-sector customer, in which case state forum rules apply.
For the full agreement, contact legal@citizenly.com.
Need more detail?
We share our SOC 2 Type I report, penetration test letter, and full data-handling documentation under NDA. Ask and we'll send.