Security

Last updated: May 25, 2026

Security is foundational to a product that handles your financial data. This page summarizes the measures we take to protect it.

Encryption

All data is encrypted in transit with HTTPS/TLS and at rest with AES-256.

Tenant Isolation

Each organization's data is isolated using database row-level security, so one tenant can never access another's data.

Access Controls

Access to production systems follows the principle of least privilege. Application access requires authenticated sessions, and credentials are stored hashed.

Infrastructure

We host on established cloud providers and process data only through vetted sub-processors bound by data processing agreements.

Monitoring & Testing

We use continuous error tracking, observability, and regular vulnerability scanning to detect and respond to issues.

Backups

Data is backed up regularly, and backups are encrypted and purged on a rolling schedule.

Compliance

We build to a privacy-by-design standard and align our practices with the GDPR. We process Personal Data only through vetted sub-processors under data processing agreements, and a Data Processing Addendum is available for business customers. We do not currently hold a SOC 2 or ISO 27001 certification; pursuing formal certification is on our roadmap, and we will update this page as our compliance posture matures.

Responsible Disclosure

If you believe you have found a security vulnerability, please email [email protected] (see our security.txt). Please give us a reasonable opportunity to investigate and remediate before any public disclosure. We appreciate responsible disclosure and will work with you to resolve valid issues promptly.