Security

Your financial data is among the most sensitive information you hold. Here's exactly how aiSmartBudget protects it.

Access Controls

Every layer of aiSmartBudget is designed so that only you can see your data:

• All user authentication requires both a password and a TOTP-based second factor (MFA). You cannot access the application without completing MFA enrollment.
• Database access is governed by Row Level Security (RLS) policies on all tables. Users can only read and write their own data — it is impossible for one user's data to appear in another user's session.
• Admin-level database access is restricted to server-side API routes only and is never exposed to the client.
• Rate limiting is enforced on all authentication endpoints (10 requests per minute per IP) to mitigate brute force attacks.
• All file uploads are validated server-side for authentication level (MFA required), MIME type, file size (10MB maximum), and filename sanitization before storage.

Encryption

In Transit

All data in transit is encrypted using TLS 1.2 or higher. HTTPS is enforced across all application endpoints via Vercel's edge network. Supabase API connections are TLS-encrypted by default.

At Rest

All data at rest is encrypted by Supabase (PostgreSQL on AWS), which provides AES-256 encryption at the storage layer. This covers your transaction history, budget rules, account data, and financial goals. PDF bank statements are never stored — they are scanned once to extract your transactions and permanently deleted from our servers immediately after processing.

Infrastructure

We build on infrastructure providers held to the highest security standards:

• Vercel — Application hosting (SOC 2 Type II certified)
• Supabase — Database and storage (PostgreSQL on AWS, SOC 2 Type II certified)
• GitHub — Source code in a private repository, access restricted to authorized contributors

No production data is used in development or testing environments.

Your Banking Credentials

aiSmartBudget never sees or stores your bank username or password. Today, financial data is imported by uploading a PDF bank statement directly — no account linking or credential sharing of any kind is required. A future release may offer optional direct bank connectivity as a convenience feature. If and when that is available, it will be handled through an industry-standard, SOC 2 compliant financial data provider offering read-only access to your transaction history and balances, with no ability to move money or initiate transactions. No commitment to a specific provider has been made.

Data Sharing

aiSmartBudget does not sell, share, license, or transfer your consumer financial data to any third party for any purpose. Your financial data is used solely to provide the aiSmartBudget service to you. Our infrastructure partners (Supabase, Vercel) are evaluated for SOC 2 compliance and data processing agreements are maintained where applicable.

Incident Response

In the event of a suspected or confirmed security incident involving consumer data, we will:

• Immediately isolate affected systems and revoke compromised credentials.
• Assess the scope and nature of the incident within 24 hours.
• Notify affected users within 72 hours of a confirmed breach, consistent with applicable data breach notification laws.
• Document the incident, root cause, and remediation steps.

Vulnerability Management

Security vulnerabilities in application dependencies are identified through automated alerts (GitHub Dependabot) and addressed promptly. Critical vulnerabilities are remediated within 48 hours of discovery.

Report a Security Issue

If you discover a security vulnerability or suspect unauthorized access to your account, please contact us immediately at aismartbudget@gmail.com. We take all reports seriously and will respond promptly.