
Security

How ReservWise protects your financial data — what's done, what's in flight, and how to report concerns.

Last reviewed: April 26, 2026 (Run 8 hardening pass)

You're trusting us with cashflow data — invoices, reserves, owner-draw plans, bank transactions. We take that seriously. This page is where we publish what we do, what's still in flight, and how to reach us if something looks off.

Transport & storage

  • TLS 1.2+ everywhere. All traffic to app.reservwise.com, reservwise.com, and support.reservwise.com is encrypted via Let's Encrypt certificates managed by Traefik (app) and Vercel (marketing).
  • Encryption at rest. Database backups and snapshots are encrypted. Plaid access tokens are stored with AES-256-GCM envelope encryption — wire format is base64(nonce || authTag || ciphertext) with a per-deployment master key. Tokens are decrypted only at the moment of API use and never written back in plaintext.
  • Secrets isolation. Application secrets live only in the production environment. They are never committed to source control or shared in support channels.
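
The wire format named in the encryption-at-rest item, base64(nonce || authTag || ciphertext), sketched in Node.js as an added example; this is not ReservWise's code. The 12-byte nonce, 16-byte tag, function names and sample token are assumptions, and the value is encrypted directly under the supplied 32-byte key with no key-wrapping step.

```javascript
// Added example, not ReservWise's implementation. Field sizes are assumptions.
const crypto = require("node:crypto");

const NONCE_LEN = 12; // assumed: the standard 96-bit GCM nonce
const TAG_LEN = 16;   // assumed: the full 128-bit GCM authentication tag

// Encrypt a token and emit base64(nonce || authTag || ciphertext).
function sealToken(key, plaintext) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ciphertext]).toString("base64");
}

// Split the wire value back into its three fields and decrypt.
// Throws if the value is truncated or the tag does not verify.
function openToken(key, wire) {
  const raw = Buffer.from(wire, "base64");
  if (raw.length < NONCE_LEN + TAG_LEN) throw new Error("wire value too short");
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ciphertext = raw.subarray(NONCE_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce, {
    authTagLength: TAG_LEN, // reject tags of any other length
  });
  decipher.setAuthTag(tag);
  // final() is where GCM authentication is enforced; never use update() output alone.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// Fail-closed wrapper: any parse or authentication failure yields null.
function tryOpen(key, wire) {
  try {
    return openToken(key, wire);
  } catch {
    return null;
  }
}

// Constructed sample values, not real credentials.
const demoKey = crypto.randomBytes(32);
const demoToken = "access-sandbox-constructed-example";
const demoWire = sealToken(demoKey, demoToken);
console.log(demoWire, "->", tryOpen(demoKey, demoWire));
```

Because the tag covers the ciphertext, a stored value that has been modified or decrypted under the wrong key fails closed rather than yielding a corrupted token.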

Access controls

  • Authentication uses NextAuth with bcrypt-hashed passwords. MFA is on the roadmap and will become required for Business-tier customers.
  • Email verification on registration. A 24-hour single-use token is mailed at sign-up; the verification flow updates the account and consumes the token in the same request. Re-sending the verification email is rate-aware and never confirms whether an email is on file.
  • API access for the MCP integration is per-token, scoped to a single user, and supports immediate revocation. Mint and revoke events are written to the audit log (see below).
  • Internal admin access is single-person, key-based SSH, with audit logging on the production VPS.

Audit logging

Every account-relevant action writes to a tamper-evident AuditEvent table — captured best-effort so a failed log never blocks the underlying action. We store the actor, the target, the action verb, the IP and User-Agent at the time of the event, and a small structured metadata blob.

  • Currently emitted: account registration, Plaid item exchange, MCP token mint/revoke, invoice mark-paid (UI and Stripe webhook paths), income deletion, expense deletion.
  • Roadmap: sign-in events via the NextAuth callback, password change, and SIEM forwarding to ship logs offsite.
  • Where you see it: Settings → Recent activity surfaces your last 20 audit events with action, target, and relative time. We retain audit history for the lifetime of the account; deleting your user removes you as the actor (ON DELETE SET NULL) but preserves the event so audit trails stay intact for investigations.

Vendor stack

We list our subprocessors openly so you can audit the chain.

  • Plaid — bank account linking and transaction sync. Plaid privacy & security.
  • Stripe — payment processing for invoices and subscriptions. Stripe privacy.
  • OpenRouter — large-language-model routing for AI insights, transaction parsing, and screenshot OCR.
  • Hostinger VPS — application infrastructure (Docker + Postgres + Traefik).
  • Vercel — marketing-site hosting at reservwise.com.
  • Resend / Postmark / SES (TBD) — outbound transactional email. Final selection in flight.

Compliance

  • SOC 2 Type II — in progress. Controls are being formalized through 2026; readiness assessment expected by Q4.
  • GDPR / CCPA — we honor access, correction, and deletion requests. See our Privacy Policy for the full rights statement.
  • Subprocessor list — published above; we update this page when the list changes.

What's in flight

We try not to oversell. These items are publicly tracked and being shipped progressively:

  • Stripe webhook signature verification (Plaid signature verification is already enforced — unsigned webhooks return 401).
  • Notification + cron secret enforcement (cron routes already require X-Cron-Secret in production).
  • SIEM forwarding for the audit log.
  • SOC 2 Type II readiness.
  • MFA for all customer accounts.

Responsible disclosure

If you find a vulnerability, please email security@reservwise.com with a description, reproduction steps, and your assessment of impact. We commit to:

  • Acknowledge receipt within 2 business days.
  • Investigate and respond with a status within 7 business days.
  • Credit you publicly if you'd like (and not if you wouldn't).
  • Not take legal action against good-faith research that follows this policy.

Contact

Security questions or compliance requests: security@reservwise.com.

© 2026 ReservWise, Inc. Built for unpredictable income.