
Security

How ReservWise protects your financial data — what's done, what's in flight, and how to report concerns.

Last reviewed: April 26, 2026

You're trusting us with cashflow data — invoices, reserves, owner-draw plans, bank transactions. We take that seriously. This page is where we publish what we do, what's still in flight, and how to reach us if something looks off.

Transport & storage

  • TLS 1.2+ everywhere. All traffic to app.reservwise.com, reservwise.com, and support.reservwise.com is encrypted via Let's Encrypt certificates managed by Traefik (app) and Vercel (marketing).
  • Encryption at rest. Database backups and snapshots are encrypted. Plaid access tokens are moving to envelope encryption (libsodium secretbox) as part of our production hardening track — track status on our public GitHub org.
  • Secrets isolation. Application secrets live only in the production environment. They are never committed to source control or shared in support channels.

Access controls

  • Authentication uses NextAuth with bcrypt-hashed passwords. MFA is on the roadmap and will become required for Business-tier customers.
  • API access for the MCP integration is per-token, scoped to a single user, and supports immediate revocation.
  • Internal admin access is single-person, key-based SSH, with audit logging on the production VPS.

Vendor stack

We list our subprocessors openly so you can audit the chain.

  • Plaid — bank account linking and transaction sync. See: Plaid privacy & security.
  • Stripe — payment processing for invoices and subscriptions. See: Stripe privacy.
  • OpenRouter — large-language-model routing for AI insights, transaction parsing, and screenshot OCR.
  • Hostinger VPS — application infrastructure (Docker + Postgres + Traefik).
  • Vercel — marketing-site hosting at reservwise.com.
  • Resend / Postmark / SES (TBD) — outbound transactional email. Final selection in flight.

Compliance

  • SOC 2 Type II — in progress. Controls are being formalized through 2026; readiness assessment expected by Q4.
  • GDPR / CCPA — we honor access, correction, and deletion requests. See our Privacy Policy for the full rights statement.
  • Subprocessor list — published above; we update this page when the list changes.

What's in flight

We try not to oversell. These items are publicly tracked and being shipped progressively:

  • Plaid access-token envelope encryption.
  • Plaid + Stripe webhook signature verification (production hardening).
  • Notification + cron secret enforcement.
  • SOC 2 Type II readiness.
  • MFA for all customer accounts.

Responsible disclosure

If you find a vulnerability, please email security@reservwise.com with a description, reproduction steps, and your assessment of impact. We commit to:

  • Acknowledge receipt within 2 business days.
  • Investigate and respond with a status within 7 business days.
  • Credit you publicly if you'd like (and not if you wouldn't).
  • Not take legal action against good-faith research that follows this policy.

Contact

Security questions or compliance requests: security@reservwise.com.

© 2026 ReservWise, Inc. Built for unpredictable income.