Built for trust, from the database up.
A finance product has a higher bar. Here's exactly how your data is protected.
Encrypted, always
Bank access tokens are encrypted at rest with AES-256-GCM and bound to your account, so they can't be reused elsewhere. Traffic is TLS-only with HSTS.
Read-only banking
We connect through Plaid with read-only access. MoneyWealth AI can see your transactions and balances — it can never move, send or withdraw your money.
Isolated by design
Every record is isolated at the database level with row-level security, so your data is only ever reachable in your own context — defense in depth, not just app logic.
Tokens never exposed
Your session's access token lives in memory only; the refresh token is an httpOnly cookie unreadable by scripts. We never put credentials in storage or URLs.
Hardened web layer
A strict, nonce-based Content-Security-Policy blocks script injection, with clickjacking, MIME-sniffing and referrer protections on every response.
Grounded AI
Advice AI answers only from your data and cites what it used. It can't be prompted into leaking another user's information.
Your data, your call
Export your data anytime. Deleting your account disconnects your banks at Plaid and purges your data — no quiet retention.
Responsible disclosure
Found something? We welcome reports from security researchers. Email security@moneywealth.ai and we'll respond promptly.