Security
Last updated: April 14, 2026
Security posture
Finance OS takes the security of financial data seriously. This page describes the current security measures in place and areas where hardening is still in progress. This is an honest assessment — not a marketing page.
What is in place today
- HTTPS everywhere — All traffic between the browser and Finance OS is encrypted via TLS. Vercel enforces HTTPS on all routes.
- Managed infrastructure — The database and file storage run on Supabase, which provides managed PostgreSQL with encryption at rest and in transit.
- Environment isolation — Sensitive credentials (database URLs, API keys) are stored as environment variables and never committed to the repository.
- Session cookies — Authentication cookies are set with httpOnly, sameSite=lax, and secure flags in production, with an 8-hour expiration.
- Build verification — GitHub Actions runs a build check on every push to catch regressions before deployment.
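The session cookie attributes listed above can be checked against a real response with a small audit like the one below. This is an added example, not Finance OS code: the cookie name `fos_session` and both sample headers are constructed, and since the secure flag is only set in production, the check is meant for Set-Cookie headers captured from the production deployment.

```javascript
// Added example, not Finance OS code. Cookie name and sample headers are constructed.
const MAX_LIFETIME_SECONDS = 8 * 60 * 60; // the 8-hour expiration stated on this page

const SAMPLE_OK = 'fos_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=28800';
const SAMPLE_BAD = 'fos_session=abc123; Path=/; SameSite=None; Max-Age=604800';

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// Lifetime in seconds; Max-Age takes precedence over Expires. null = no explicit expiry.
function lifetimeSeconds(attrs, now) {
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    return Number(attrs['max-age']);
  }
  if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return Math.round((t - now.getTime()) / 1000);
  }
  return null;
}

// Return findings; an empty list means the cookie matches the stated attributes.
function auditSessionCookie(header, now = new Date()) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (attrs.httponly !== true) findings.push('missing HttpOnly');
  if (attrs.secure !== true) findings.push('missing Secure');
  if (String(attrs.samesite || '').toLowerCase() !== 'lax') findings.push('SameSite is not Lax');
  const lifetime = lifetimeSeconds(attrs, now);
  if (lifetime === null) findings.push('no explicit expiration');
  else if (lifetime > MAX_LIFETIME_SECONDS) findings.push(`lifetime ${lifetime}s exceeds 8 hours`);
  return { name, findings };
}

console.log(auditSessionCookie(SAMPLE_OK));
console.log(auditSessionCookie(SAMPLE_BAD));
```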
What is not yet in place
The following security measures are planned but not yet implemented. This section exists to be transparent about current limitations:
- Production authentication — The app currently uses a prototype cookie-based session. Production auth with Supabase Auth (including proper password hashing, invite flows, and MFA) is planned.
- Row-level security (RLS) — Supabase RLS policies are not yet the effective access control boundary. Server routes currently use service-role access.
- Audit logging — A comprehensive audit event chain for all writes and access is not yet implemented.
- Rate limiting — API routes do not currently enforce rate limits.
- Plaid token security — A finalized secure storage model for Plaid access tokens has not been implemented. Plaid integration is currently sandbox-only.
- Content Security Policy — CSP headers are not yet configured.
- Penetration testing — No formal security audit or penetration test has been conducted.
Infrastructure providers
Vercel
Application hosting. Provides automatic HTTPS, DDoS protection, and edge network distribution.
Supabase
Database and file storage. Provides managed PostgreSQL with encryption at rest (AES-256), automated backups, and network isolation.
Plaid
Bank connectivity (sandbox only). SOC 2 Type II certified. No production bank data flows through Plaid at this time.
Responsible disclosure
If you discover a security vulnerability in Finance OS, please contact the system operator directly. Do not disclose vulnerabilities publicly before they have been addressed.