Security

CashFlow Pro connects to your bank account and handles your financial data. Here's exactly how we protect it.

Read-only bank access

When you connect your bank, CashFlow Pro can only read your transaction history; it cannot move money, initiate transfers, or modify your account in any way. This is enforced at the connection level by Plaid, not just by policy.

256-bit encryption in transit

All data sent between your device and our servers is encrypted using TLS 1.2+. We enforce HTTPS everywhere — no fallback to unencrypted connections.

Encrypted at rest

Your data is stored on Supabase infrastructure, which encrypts all data at rest using AES-256. Your transactions, account details, and financial records are never stored in plaintext.

We never see your bank credentials

Bank connections go through Stripe Financial Connections, a SOC 2 certified service built by Stripe. Your username, password, and MFA codes go directly to Stripe — CashFlow Pro never handles or stores them.

Two-factor authentication

You can enable SMS-based two-factor authentication on your account. When enabled, every login requires both your password and a one-time code sent to your phone.

Your data is never sold

We do not sell, rent, or share your financial data with advertisers or data brokers — ever. Your data is used solely to provide the CashFlow Pro service to you.

Built on trusted infrastructure

Stripe

Bank connectivity and billing — PCI DSS Level 1 certified; your bank credentials and card data never touch CashFlow Pro's servers

Supabase

Database and authentication — SOC 2 Type II certified, encrypted at rest and in transit

Vercel

Hosting and edge network — SOC 2 Type II certified, DDoS protected, global CDN

Security question or concern? support@cashflowproapp.com