We treat it that way — with bank-grade encryption, third-party audits, and a security-first culture.
TLS 1.3 in transit. AES-256 at rest. Bank tokens encrypted with keys we control, not Plaid's.
Bcrypt password hashing (cost 12). 2FA + 10 backup codes. Account lockout after 5 failures. Session list + remote sign-out.
Services isolated by Docker networks + nginx whitelist. No cross-tenant data exposure.
Immutable audit log of every sensitive action. Available on Business plan with 7-year retention.
Hetzner (Germany), 99.9% uptime SLA. Daily backups, 30-day retention, point-in-time recovery.
SOC 2 Type II in progress. GDPR, CCPA, PIPEDA, Quebec Bill 64 compliant. PCI-aligned for payment paths.
GitGuardian secrets scan, npm audit, Snyk dependency scan, ESLint security rules.
Third-party pen-testers at HackerOne. Report summary published in our trust portal.
Bounties: up to $5,000 for critical findings, $1,500 for high, $500 for medium. Submit via [email protected].
Every sub-processor (Stripe, Plaid, Resend, etc.) DPA-vetted before integration.
Breach notification per GDPR Art. 33: customers are notified before the regulatory deadline if any personal data is exposed.
Disaster recovery: restore from backup into an isolated environment, verify integrity, and document the achieved RPO/RTO.
Responsible disclosure is appreciated. Email [email protected] with reproduction steps. We pay up to $5,000 for critical findings and respond within 24 hours.
14-day Pro trial. No credit card. Bank-grade security from day 1.