RCIC App by Investatech

RCIC App manual

An online manual covering every module, kept in sync with the platform.

Up to date as of v1.12.0

Back to the manual

Transfer Room

Encrypted two-way document exchange with your client, with a case-folder tree synced to your Drive.

Overview

Transfer Room is the encrypted file-exchange surface between you and your client. Each fully-signed Service Agreement provisions one room (amendments piggyback on the parent room). You can also create ad-hoc Transfer Rooms for one-off transfers that have no Service Agreement attached. File bytes are encrypted under your tenant DEK before they touch our storage bucket; the platform never sees plaintext file content.

Transfer Room is Premium. Basic tenants see the sidebar entry; the landing page renders a Premium-upsell card.

Activation

Two paths activate a room. The automatic path runs from the Stripe webhook when a Bill linked to a Service Agreement is paid — Transfer Room opens the moment the funds land. The manual path lets you open a room from the agreement detail page with a recorded reason: paid outside Stripe, payment deferred, payment waived, pro bono, legacy matter, internal decision, or other. Whichever path runs first wins; the second is a no-op against the UNIQUE constraint.

Participants

Each room has two sides — tenant and client — with up to three named participants per side. The client-side default seeds the main client plus, when applicable, a sponsor (if isAlsoClient or disclosureAuthorized) and a designated person. Adding or removing a participant requires verified-RCIC authorization and a structured consent attestation that lands in the audit ledger. Each participant carries a per-side can_delete privilege that gates transfer revocation; only participants with can_delete on their own side may revoke a transfer that originated from that side.

Case-folder tree on Drive

When you have Drive connected (Google Drive or OneDrive), activation auto-provisions a seven-folder case tree under RCIC App → Clients → <client name>: Contract, Pre-contract consultation, Client Docs, RCIC Docs, Application, Government Communications, Identification. Signed Service Agreement PDFs (including signed amendments) land in Contract automatically. RCIC-sent documents auto-copy to RCIC Docs/<YYYY-MM-DD in your tenant timezone>. Client uploads can be copied to Client Docs from the Received tab. Ad-hoc rooms get a separate root: RCIC App → Ad-hoc Transfer Rooms → <room display name> → <YYYY-MM-DD>.

Sending files

The Send Files modal takes a subject, a rich-text message (TipTap editor with AI assist via Gemini 2.5 Flash for drafting), and one or more files. The subject becomes the email subject; the message becomes the email body. Files attach to the transfer in encrypted form; the email itself never carries attachments — it carries a portal link. Scheduled send lets you set a future delivery time in your tenant timezone; the cron drains scheduled rows every five minutes.

Client portal

The client authenticates to the room through a two-stage OTP gate: their email plus the agreement reference produces a six-digit code (ten-minute expiry, five-attempt lockout, sixty-second cooldown, ten codes per day). On success, the client lands on a session-cookie-protected portal where they can view sent transfers, download files (decryption happens server-side under the room's DEK), upload replies, send their own transfers back, and resend an OTP if their session expires. The portal session is independent of any dashboard session; the cookie is prefixed tr-portal-session-v1 and HMAC-signed under the master key.

Inbound email replies

Each notification email carries a per-participant Reply-To address (tr-<token>@reply.rcicapp.ca). When the client replies, the reply lands in the Transfer Room as a client_to_tenant transfer — body becomes a message, attachments become files. The inbound pipeline runs in AWS ca-central-1 (S3 + SQS + KMS); the worker drains every five minutes. Parse failures or sender mismatches route to a tenant-review quarantine surface accessible from the room's Inbound Review card.

Retention

The retention sweep runs daily at 18:00 UTC. Files in active rooms are kept indefinitely (you control deletion). Files in rooms that have been revoked, expired, or whose underlying Service Agreement was cancelled enter a configurable grace window (default thirty days) before purge. The audit ledger is INSERT-only — retention does not touch it; you keep a permanent record of every transfer event for legal defensibility, even after the file bytes are gone.