Security at Stack App

How we protect your bank data, taxes, and identity. Last reviewed: April 18, 2026.

Plain-English summary

We never see or store your bank password. Bank connections are handled by Plaid — the same provider trusted by Venmo, Robinhood, Coinbase, Chime, and most major fintechs. Your data is encrypted in transit (TLS 1.2+) and at rest, sits behind row-level access controls so even our database queries can't cross-read another user's rows, and is fully deletable on request. We are a small team and we don't pretend to be SOC 2 certified yet — but we built every layer below as if we were going to be audited next quarter.

Bank connections (Plaid)

  • You authenticate directly with your bank inside Plaid's secure widget. Stack App never sees your bank username or password.
  • Plaid returns a short-lived token. We exchange it server-side for a long-lived access token used only to fetch transactions and balances. The token can be revoked by you at any time from /dashboard/settings.
  • We request only the products we actually use — transactions, balances, and liabilities. We do not request authentication, identity verification, or wire transfer permissions.
  • Disconnecting an account from inside Stack App immediately calls Plaid's item/remove endpoint so the connection is terminated on Plaid's side as well as ours.

Encryption & secrets

  • In transit: All traffic uses TLS 1.2 or higher. HSTS is enabled with preload, so browsers refuse to talk to us over plain HTTP.
  • At rest: Your account data lives in Supabase Postgres on AWS, encrypted at the disk level. File uploads (receipts, paystubs) live in Supabase Storage with the same protection.
  • Social Security Numbers and EINs: Stack App does not collect taxpayer ID numbers from you or from your contractors at this time. The W-9 / 1099 contractor-collection flow is intentionally turned off for our public launch while we evaluate moving that workflow to a specialist partner, so that a third party that handles tax IDs every day owns that risk surface, not us. When we re-enable it, the encryption layer is already built — AES-256-GCM with a dedicated production key, separate from any other database credential.
  • Secrets (Stripe, Plaid, Supabase, encryption keys) live in Vercel's production environment vault. They are never committed to git, never logged, and never shipped to the browser.

Access controls

  • Every user-owned table in our database is protected by Postgres Row-Level Security. A query for one user's data physically cannot return another user's rows, even if there's a bug in our application code.
  • API routes are default-deny. Public endpoints are explicitly allow-listed and each enforces its own authentication (session cookie, signed Plaid webhook, Stripe webhook signature, or one-time link token).
  • Rate limits sit in front of every public-facing endpoint (Plaid OAuth state, waitlist, password reset) to make abuse uneconomic.
  • When your trial ends and you don't subscribe, a database-level paywall takes effect — your data is preserved, but no API request can read it until you subscribe again. This is enforced at the storage layer, not just the UI.
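
The two database-level controls described above (per-user row isolation and the storage-layer paywall), sketched as Postgres policies. This is an added example, not Stack App's actual schema: the transactions and entitlements tables and their columns are hypothetical, while auth.uid() and the authenticated role are the helpers Supabase provides.

```sql
-- Added illustration; table and column names are hypothetical.
create table if not exists public.transactions (
  id           bigint generated always as identity primary key,
  user_id      uuid        not null,
  amount_cents bigint      not null,
  posted_at    timestamptz not null default now()
);

create table if not exists public.entitlements (
  user_id      uuid primary key,
  active_until timestamptz not null   -- end of trial or paid period
);

-- With RLS enabled and no matching policy, a role sees zero rows (default deny).
-- FORCE makes the table owner subject to the policies as well.
alter table public.transactions enable row level security;
alter table public.transactions force  row level security;
alter table public.entitlements enable row level security;
alter table public.entitlements force  row level security;

-- A user may read only their own entitlement row; there is no write policy,
-- so the authenticated role cannot extend its own access.
create policy entitlements_read_own on public.entitlements
  for select to authenticated
  using (user_id = (select auth.uid()));

-- Permissive policy: ownership. USING filters the rows a statement can see,
-- WITH CHECK rejects inserts/updates that would assign a row to someone else.
create policy transactions_owner on public.transactions
  for all to authenticated
  using      (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

-- Restrictive policy: paywall. Restrictive policies are ANDed with the
-- permissive ones, so a read needs ownership AND an active entitlement.
-- Rows are preserved; they simply stop being visible once access lapses.
create policy transactions_paywall on public.transactions
  as restrictive
  for select to authenticated
  using (
    exists (
      select 1
      from public.entitlements e
      where e.user_id = (select auth.uid())
        and e.active_until > now()
    )
  );
```

Policies apply per role: superusers and roles with the BYPASSRLS attribute (Supabase's service_role among them) are not filtered, so the isolation holds only for requests that reach the database as the authenticated role.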

Backups & disaster recovery

  • The Postgres database is backed up daily by Supabase with a 7-day retention window, stored in isolated systems and used solely for disaster recovery.
  • Your uploaded files (receipts, paystubs) are mirrored nightly to an independent Backblaze B2 bucket. If Supabase storage were ever lost, we can restore from the off-platform copy.
  • Deleted files have a 30-day grace window — you can restore them from /dashboard/settings/recently-deleted before they are permanently purged.

Deletion & data portability

You can request account deletion from /dashboard/settings. We immediately revoke your Plaid connections and cancel any active Stripe subscription, and your account enters a 30-day grace window during which you can change your mind. After the grace window, your transactions, profile, and uploaded files are permanently purged. A small audit log row is retained to satisfy our legal obligations under GDPR / CCPA.

Reporting a vulnerability

If you believe you've found a security issue, please email security@jamesmarinofinance.com with reproduction steps and the impact you observed. We will acknowledge within two business days. Please do not test against other users' data, and please give us a reasonable window to remediate before public disclosure.

What we're not (yet)

Stack App is an independent product, not a chartered bank. We do not hold deposits, issue cards, or move money. We are not currently SOC 2 or PCI-DSS certified, and we don't pretend to be. We've built the foundation — encryption, least-privilege access, audited backups, deletion lifecycle — so a future audit would have a real story to tell. If your employer requires a formal security questionnaire before you can use a tool with bank data, please reach out and we'll work through it.