Last reviewed: May 2026

Security

Finding Wealth is built to protect your financial data. This page describes the controls we have in place, what we genuinely do, and where our current limitations are. We do not make claims we cannot back up.

How we protect your bank connections

Bank account connections are powered by Plaid Technologies, Inc., a regulated financial data platform. When you connect an account:

Your banking credentials are entered directly into Plaid's encrypted interface — they never touch Finding Wealth's servers.

Plaid provides us a read-only access token. We cannot initiate payments, transfers, or any write operations.

Access tokens are encrypted at rest using AES-256-GCM with a separate application-layer encryption key before being stored in our database.

You can revoke access and disconnect any linked account at any time from the Live Accounts page. This immediately removes all associated data.

Your financial data is used only to operate the service — it is never sold or used for advertising.

Encryption and data protection

All data is transmitted over HTTPS using TLS 1.2 or higher.

HTTP Strict Transport Security (HSTS) is enabled, ensuring browsers always connect securely.

Data at rest is encrypted at the infrastructure layer via Supabase (PostgreSQL on AWS).

Plaid access tokens receive a second application-layer encryption pass (AES-256-GCM).

All secrets (API keys, encryption keys, service credentials) are stored as server-only environment variables — never embedded in the browser bundle.

Authentication and access control

All authenticated routes require a valid server-verified session — unauthenticated requests are redirected to sign-in.

Every API endpoint independently verifies the session before returning or modifying any data.

Database queries are scoped by user ID — users cannot access each other's data.

Row-Level Security (RLS) is enforced at the Supabase/PostgreSQL layer as defence-in-depth.

TOTP authenticator app MFA is deployed and available to all users. Works with Google Authenticator, Authy, 1Password, Microsoft Authenticator, and any TOTP-compatible app.

MFA backup / recovery codes: 10 one-time codes are generated on enrollment, hashed with scrypt, and shown once. A single code can recover account access and prompts MFA re-enrollment.

Google OAuth sign-in is available — no password is stored by Finding Wealth when using this method.

Users can sign out of all active sessions globally from Account Center → Security.

Browser and network security

Content Security Policy (CSP) restricts which scripts, frames, and external resources the browser may load.

Clickjacking is prevented via X-Frame-Options: DENY and CSP frame-ancestors restrictions.

Referrer-Policy limits URL information shared with third-party origins.

Permissions-Policy disables camera, microphone, geolocation, and interest-cohort browser features.

Data deletion and account removal

You can delete your Finding Wealth account at any time from Account Center → Settings → Delete Account. Deletion:

Immediately revokes all Plaid access tokens and stops data syncing.

Removes all your financial data, linked accounts, transactions, budgets, goals, and account records from our database.

Removes your authentication record — your email and password are no longer held by Finding Wealth.

For a manual data deletion request, email privacy@findingwealth.ca.

Error monitoring

We use Sentry to capture runtime errors and performance issues. Sentry is configured to scrub cookies, authentication headers, and personally identifiable information from error payloads before transmission. Error data is used solely for diagnosing and fixing software issues.

What we do not have (honest disclosure)

We believe you deserve an accurate picture of our security maturity. The following are not currently in place:

SOC 2 or ISO 27001 certification — we apply many of these practices but are not certified.
Mandatory MFA — two-factor authentication is deployed and user-available; it is not enforced at login for all users.
Third-party penetration testing — not yet conducted.
A dedicated security team — security is reviewed by our engineers.

We are committed to improving our security posture as the platform grows.

Reporting a vulnerability

If you discover a security issue, please report it responsibly to privacy@findingwealth.ca before public disclosure. Include a description of the issue and steps to reproduce. We will acknowledge receipt within 5 business days and keep you informed of our progress.

Subprocessors

Finding Wealth uses the following third-party services that may process your data:

Subprocessor	Purpose
Supabase	Database, authentication, storage
Vercel	Hosting, CDN, edge network
Plaid Technologies, Inc.	Bank account connectivity (read-only)
Stripe, Inc.	Payment processing
PayPal Holdings, Inc.	Payment processing
Anthropic, PBC	AI coach (Horizon AI)
Sentry	Error monitoring
Google LLC	Optional OAuth sign-in

Questions? Email privacy@findingwealth.ca