Last updated: January 10, 2026

Security

How we protect your financial data

Data Encryption

Your financial data is protected with industry-standard encryption:

  • In Transit: All connections use HTTPS (TLS 1.2+) encryption.
  • At Rest: Bank credentials and access tokens are encrypted using AES-256-GCM.
  • Database: All data is encrypted at rest with automatic backup encryption.

Bank Connection Security

We use Plaid, a trusted financial services provider, to securely connect to your bank:

  • We never see or store your bank login credentials.
  • Plaid connects directly to over 12,000 financial institutions.
  • Bank connections use token-based authentication that you can revoke anytime.
  • Plaid is SOC 2 Type II certified and regularly audited.

Payment Security

Subscription payments are handled securely by Stripe:

  • We never store your credit card information—Stripe handles everything.
  • Stripe is PCI DSS Level 1 certified (the highest PCI DSS compliance level).
  • All payment webhooks are verified using cryptographic signatures.

Access Control

We use multiple layers to ensure only you can access your data:

  • Row Level Security (RLS): Database policies ensure you can only access your own data.
  • Session Management: Secure HTTP-only cookies keep session tokens out of reach of scripts injected through XSS attacks.
  • Email Verification: All accounts require email verification.
  • Password Requirements: Minimum 8 characters with uppercase, lowercase, and numbers.

Infrastructure Security

  • Hosted on Vercel with automatic DDoS protection.
  • Database hosted on Supabase with encrypted connections and backups.
  • Rate limiting protects against brute-force attacks.
  • Security headers (CSP, HSTS, X-Frame-Options) prevent common web attacks.

Audit & Compliance

  • Comprehensive audit logging for sensitive operations.
  • Automated security scanning (CodeQL, Dependabot, TruffleHog).
  • Regular dependency updates to patch vulnerabilities.
  • SOC 2 readiness with documented security controls.

AI & Data Privacy

Our AI features are designed with privacy in mind:

  • AI categorization uses only merchant names and amounts—never bank credentials.
  • Sensitive data is automatically sanitized before logging.
  • We use OpenAI's API with data processing agreements in place.

Data Deletion

You maintain full control over your data. When you close your account or request deletion, we remove all your personal and financial data within 30 days. Bank connections are revoked and access tokens are deleted immediately.

Security Contact

Found a security vulnerability? Please report it responsibly to: support@pocketpiggies.app