Security is foundational to TreasuryFlow. Your exact transaction amounts are encrypted and delivered securely to your Excel ledger for precise reconciliation. Our internal systems — logs, categorization, and ML pipelines — only ever see privacy-preserving magnitude buckets, never your penny values.
SOC 2 Type 1 in progress.
Q3 2026 target. We will publish the report and a status page when the audit completes.
Exact amounts are securely stored and delivered to your ledger via authenticated API. Our categorization engine only sees logarithmic magnitude buckets — your penny values never enter logs or ML.
API Key Authentication
API tokens are generated with 256 bits of entropy and stored only as SHA-256 hashes (brute-force infeasible). Raw tokens are never stored in our database.
Plaid for bank connectivity
Bank connectivity via Plaid (the same infrastructure Venmo and Robinhood use). Your banking credentials never touch our servers.
Rate Limiting
Public endpoints are rate-limited to prevent abuse. Automated scraping is blocked.
Plaid Token Encryption
Plaid access tokens are encrypted at rest using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256). Raw tokens never appear in the database, logs, or backups.
Multi-Tenant Isolation
All database queries are scoped to the authenticated user's ID. No administrative endpoints exist that can access another tenant's financial data.
Error Monitoring
Production errors are tracked via Sentry with automatic PII filtering. Request bodies and auth headers are stripped before transmission.
Bank Re-Authentication
When bank connections expire, Plaid webhooks automatically flag the issue and users can seamlessly re-authenticate without re-entering credentials.
Data Protection Layers
Magnitude Bucketing (Categorization Only)
Every transaction passes through our get_magnitude_bucket() function at ingestion for categorization. The exact amount is securely stored and delivered to your Excel ledger for cross-bank reconciliation; the bucket is used only by our internal ML and categorization engines:
MICRO: Less than $10
SMALL: $10 – $100
MEDIUM: $100 – $1,000
LARGE: $1,000 – $10,000
XLARGE: Greater than $10,000
Log & ML Isolation
Exact dollar amounts never appear in application logs, error reports, or ML training data. Only magnitude buckets are used for categorization and analytics, ensuring your financial details remain private even at the infrastructure level.
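The bucketing and log isolation described above, as an added illustration in Python (this is not TreasuryFlow's own code). The power-of-ten thresholds follow the table above; treating the lower bound of each bucket as inclusive, discarding the sign of the amount, and the transaction field names are assumptions.

```python
from decimal import Decimal

# Upper bounds of the buckets in dollars, ascending; anything at or above the
# last bound is XLARGE. Powers of ten, i.e. the "logarithmic" buckets the page
# describes. Assumption: each bucket's lower bound is inclusive (the page does
# not say which bucket owns the shared boundary, e.g. exactly $100).
BUCKET_BOUNDS = (
    (Decimal("10"), "MICRO"),
    (Decimal("100"), "SMALL"),
    (Decimal("1000"), "MEDIUM"),
    (Decimal("10000"), "LARGE"),
)


def get_magnitude_bucket(amount):
    """Map an exact amount to a privacy-preserving magnitude bucket.

    Decimal is used so float artefacts (9.999999) cannot shift a boundary.
    Assumption: the sign is discarded, so a $25 debit and a $25 credit are
    both SMALL; the bucket reveals only the order of magnitude.
    """
    magnitude = abs(Decimal(str(amount)))
    for upper_bound, name in BUCKET_BOUNDS:
        if magnitude < upper_bound:
            return name
    return "XLARGE"


def log_safe_record(request_id, transaction):
    """Build the only view of a transaction that logs and ML may receive.

    Allow-listing (copying named fields out) rather than deleting sensitive
    keys means a new field added to the transaction later is dropped by
    default instead of leaking. Field names are hypothetical.
    """
    return {
        "request_id": request_id,
        "magnitude": get_magnitude_bucket(transaction["amount"]),
    }


# Constructed sample transaction, not real data.
SAMPLE_TRANSACTION = {
    "amount": -249.99,
    "merchant": "Example Coffee Co.",
    "account_number": "000123456789",
}

if __name__ == "__main__":
    print(log_safe_record("req-0001", SAMPLE_TRANSACTION))
```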
Authentication
Every data endpoint requires a valid API token sent in the Authorization: Bearer header
API tokens use 32 bytes of cryptographic randomness for maximum security
Tokens are stored as cryptographic hashes — the raw token is shown once at signup and never again
Tokens have 256 bits of entropy (via secrets.token_urlsafe), making brute-force infeasible
Data Isolation
All database queries are scoped to the authenticated user's ID
No admin endpoints exist that can access another user's data
User A can never see User B's transactions, forecasts, or profile
Logging & Monitoring
Structured logging with request IDs — never financial data
No transaction amounts, merchant names, or account numbers in logs
Error responses never expose stack traces or internal paths
Infrastructure Security
HTTPS-only communication (HSTS enforced)
CORS origins restricted to production and development domains
Rate limiting on signup and waitlist endpoints to prevent abuse
Stripe webhook signature verification to prevent spoofing
X-Frame-Options: DENY and X-Content-Type-Options: nosniff headers
Responsible Disclosure
If you discover a security vulnerability, please report it to security@pantollventures.com. We will respond within 48 hours and work with you to address the issue promptly.