Security

How Flowsight protects your data. Last reviewed: April 29, 2026.

Flowsight handles sensitive financial data. We follow the principle of least privilege at every layer: every component sees the minimum data it needs, and credentials are isolated by environment. This page is a plain-English summary of our security controls.

Authentication

  • All sign-in is via Google OAuth (NextAuth). Flowsight never sees or stores passwords.
  • Sessions are stateless JWTs signed with a server-side secret.
  • Bank credentials are entered into Plaid Link, an iframe served directly by Plaid. They never enter Flowsight servers.

Data in transit

  • HTTPS / TLS 1.2+ on every connection (terminated by Vercel).
  • Server-to-Plaid, server-to-Supabase, and server-to-Anthropic calls all use TLS with certificate validation.
  • Server-rendered by default — sensitive data is computed on the server and rendered into HTML rather than fetched by client-side JavaScript.

Data at rest

  • Stored in a managed Postgres database (Supabase). Disks are encrypted at rest by the provider.
  • Database access uses the new Supabase secret-key API scheme (sb_secret_...), held only on Vercel servers as an encrypted environment variable. The publishable key is scoped for client-safe operations only.
  • Plaid access tokens are stored server-side only and never sent to the browser.

Secret management

  • All secrets — Plaid client/secret, Anthropic API key, Resend API key, Google OAuth client secret, Supabase secret key, NextAuth secret, cron secret — live as encrypted environment variables in Vercel.
  • No secret is ever committed to source control. The repository is private. .gitignore excludes .env files.

Authorization

  • Every API route checks the NextAuth session before touching user data. Database queries always filter by user_id from the verified session, never from request input.
  • Cron endpoints (Plaid sync, daily brief) require a Bearer token matching CRON_SECRET.
  • AI chat tools are factory-bound to the signed-in user's ID at request time, so the model cannot query other users' data even if it tries.
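The three checks above, modelled as an added example rather than Flowsight's own code: the Next.js request object, NextAuth's server-side session lookup and the Supabase table are replaced by minimal stand-ins (a `Req` shape with an already-verified `session` field, and a constructed in-memory `TRANSACTIONS` array), and the function names are hypothetical. The points it shows are that the user id is taken from the session and a client-supplied `user_id` is ignored, that the cron token is compared in constant time, and that the chat tools close over the user id so no tool call carries a user-selectable scope.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Constructed sample rows standing in for the Supabase transactions table.
interface Transaction {
  id: number;
  user_id: string;
  description: string;
  amount: number;
}
const TRANSACTIONS: Transaction[] = [
  { id: 1, user_id: "user-a", description: "Coffee shop", amount: -4.5 },
  { id: 2, user_id: "user-a", description: "Salary", amount: 3000 },
  { id: 3, user_id: "user-b", description: "Rent", amount: -1200 },
];

// Stand-in for a verified NextAuth session (null when nobody is signed in).
export interface Session { user: { id: string } }

// Minimal request shape (hypothetical): `session` represents the result of
// server-side verification, never something the client can set directly.
export interface Req {
  headers: Record<string, string | undefined>;
  query: Record<string, string | undefined>;
  session: Session | null;
}

export type Reply<T> =
  | { status: 200; body: T }
  | { status: 401 | 403; body: { error: string } };

// 1. Every route gates on the verified session before reading user data.
//    The filter uses the session's id; `req.query.user_id` is deliberately
//    ignored even when a client sends one.
export function listTransactions(req: Req): Reply<Transaction[]> {
  if (!req.session) return { status: 401, body: { error: "not signed in" } };
  const userId = req.session.user.id;
  const rows = TRANSACTIONS.filter((t) => t.user_id === userId);
  return { status: 200, body: rows };
}

// Constant-time comparison. Hashing both sides first yields equal-length
// buffers, so timingSafeEqual neither throws nor reveals the secret's length.
function constantTimeEqual(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a).digest();
  const hb = createHash("sha256").update(b).digest();
  return timingSafeEqual(ha, hb);
}

// 2. Cron endpoints accept only `Authorization: Bearer <CRON_SECRET>`.
export function verifyCronBearer(authHeader: string | undefined, cronSecret: string): boolean {
  if (!authHeader || !cronSecret) return false;
  const [scheme, token, ...rest] = authHeader.split(" ");
  if (scheme !== "Bearer" || !token || rest.length > 0) return false;
  return constantTimeEqual(token, cronSecret);
}

export function runCronSync(req: Req, cronSecret: string): Reply<{ synced: number }> {
  if (!verifyCronBearer(req.headers.authorization, cronSecret)) {
    return { status: 403, body: { error: "bad cron token" } };
  }
  return { status: 200, body: { synced: TRANSACTIONS.length } };
}

// 3. Tool factory: each tool closes over the signed-in user's id, so the
//    model's tool arguments contain no scope it could widen.
export function makeChatTools(userId: string) {
  return {
    searchTransactions(text: string): Transaction[] {
      const needle = text.toLowerCase();
      return TRANSACTIONS.filter(
        (t) => t.user_id === userId && t.description.toLowerCase().includes(needle),
      );
    },
    balance(): number {
      return TRANSACTIONS.filter((t) => t.user_id === userId)
        .reduce((sum, t) => sum + t.amount, 0);
    },
  };
}
```

In a real route handler the `session` field would come from NextAuth's server-side session lookup at the top of the handler, and the filter would be a `WHERE user_id = $1` clause bound to that id; the shape of the check is the same.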

Sub-processor security

  • Plaid is a SOC 2 Type 2 and ISO 27001 certified provider. Bank credentials never reach Flowsight.
  • Supabase is SOC 2 Type 2 certified; data is in a managed Postgres with daily backups.
  • Vercel is SOC 2 Type 2 certified; we deploy on their managed serverless platform.
  • Anthropic does not train on API data by default, and provides SOC 2 Type 2 attestations.
  • Resend is used only for outbound transactional emails (the daily brief, when opted in).

Logging

  • We do not log raw transaction descriptions, account numbers, or balances.
  • Operational logs (request paths, status codes, error messages) are kept by Vercel for 24 hours by default and are accessible only to the developer.

Vulnerability handling

If you discover a security issue, please email hugocodes1997@gmail.com before disclosing publicly. We aim to acknowledge within 48 hours and to remediate or mitigate within a timeline appropriate to severity.

We monitor dependency vulnerabilities via npm audit and GitHub Dependabot. Critical patches are prioritized.

Incident response

In the event of a confirmed security incident affecting your data, we will notify affected users by email within 72 hours of confirming the incident, describe what was affected, and outline remediation steps. As a single-developer service, the operator is the responder.

Contact

Security questions or vulnerability reports: hugocodes1997@gmail.com