Security
How we protect your financial data. Short version: very seriously.
Encryption Everywhere
All data is encrypted in transit (TLS 1.3) and at rest. Your passwords are hashed with bcrypt at cost factor 12 — even if someone stole our entire database, they couldn't read your passwords. We use parameterized queries exclusively — SQL injection isn't a thing here.
Bank Connections
We use SimpleFIN for bank sync. This means:
- ✓ Read-only access — we can never move your money
- ✓ Your bank credentials are never stored on our servers
- ✓ SimpleFIN handles the secure connection to your bank
- ✓ You can revoke access anytime from your bank's settings
Infrastructure
We run on hardened Linux servers with:
- ✓ Automated security patches
- ✓ Firewall rules — only necessary ports open
- ✓ Rate limiting on all endpoints
- ✓ CSRF protection on all forms
- ✓ Security headers (HSTS, CSP, X-Frame-Options)
- ✓ Regular automated backups
Zero Tracking
This is a security feature, not just a marketing claim. Third-party tracking scripts are attack vectors — they can be compromised, they collect data you didn't consent to, and they slow down your experience. We don't use any. Zero. Not one.
Don't trust us? View source on any page. Run your ad blocker. Check with Privacy Badger. We're clean.
Data Isolation
Your financial data is stored in an isolated database schema. Every query is scoped to your user ID — there's no way for one user to access another user's data. We don't do "anonymized aggregation" because we don't look at your data at all unless you specifically ask for support.
Found a Vulnerability?
If you find a security issue, please report it to our contact form with the subject "Security Report." We take every report seriously and will respond within 24 hours. We appreciate responsible disclosure — don't put our users at risk and we'll work with you to fix it.