Security

Built for trust, from the database up.

A finance product has a higher bar. Here's exactly how your data is protected.

Encrypted, always

Bank access tokens are encrypted at rest with AES-256-GCM and bound to your account, so they can't be reused elsewhere. Traffic is TLS-only with HSTS.

Read-only banking

We connect through Plaid with read-only access. MoneyWealth AI can see your transactions and balances — it can never move, send or withdraw your money.

Isolated by design

Every record is isolated at the database level with row-level security, so your data is only ever reachable in your own context — defense in depth, not just app logic.

Tokens never exposed

Your session's access token lives in memory only; the refresh token is an httpOnly cookie unreadable by scripts. We never put credentials in browser storage (localStorage or sessionStorage) or in URLs.

Hardened web layer

A strict, nonce-based Content-Security-Policy blocks script injection, with clickjacking, MIME-sniffing and referrer protections on every response.

Grounded AI

The advisor answers only from your data and cites what it used. It can't be prompted into leaking another user's information.

Your data, your call

Export your data anytime. Deleting your account disconnects your banks at Plaid and purges your data — no quiet retention.

Responsible disclosure

Found something? We welcome reports from security researchers. Email security@moneywealth.ai and we'll respond promptly.