Version 1.0 — Last updated: February 2026
How we protect your financial data
Encryption
- In transit: All data encrypted in transit using industry-standard transport encryption. No unencrypted connections accepted.
- At rest: Database encrypted at rest using industry-standard encryption.
- API keys: Sensitive keys stored as server-side secrets, never exposed to the browser. Database access governed by database-level access control policies.
Authentication & Access
- Multi-Factor Authentication: MFA available for all users via authenticator apps
- Role-Based Access Control: Multiple roles, following the principle of least privilege
- Data Isolation: Database-level policies ensure users only access their organisation's data
- Session management: Short-lived tokens with automatic refresh
Audit Trail
- Cryptographic audit trail: Every record modification is cryptographically verified, creating a tamper-evident log
- Append-only logging: Audit entries cannot be modified or deleted by any user
- Full history: Who changed what, when, with integrity verification
Infrastructure
- Hosting: SOC 2 Type II certified cloud infrastructure
- Content Security Policy: Strict CSP headers prevent injection attacks
- Rate limiting: Rate limits protect against overuse
- Error monitoring: Real-time error tracking (no financial data included in reports)
AI Processing
- Receipt images are sent to AI providers via secure server-side infrastructure only
- Images are processed in memory and not stored by AI providers
- No AI model is trained on your data
Responsible Disclosure
If you discover a security vulnerability, please report it to [email protected]. We commit to:
- Acknowledging your report within 2 business days
- Providing a timeline for resolution within 5 business days
- Not pursuing legal action against good-faith security researchers
- Crediting researchers (with permission) in our security changelog