Security

Finance Frank handles sensitive financial data. We take security seriously and have implemented multiple layers of protection to keep your information safe.

Last updated: 22 February 2026

Infrastructure

Hosting

Backend runs on Railway (SOC 2 Type II compliant). Frontend served via Vercel's global CDN with automatic HTTPS.

Database

All data stored in Supabase (built on PostgreSQL) with encryption at rest (AES-256) and in transit (TLS 1.2+).

Payments

Payment processing handled entirely by Stripe (PCI-DSS Level 1 compliant). We never store, process, or have access to your credit card details.

Data encryption

In transit

All connections use TLS/HTTPS. HTTP requests are automatically upgraded to HTTPS.

At rest

Database-level encryption (AES-256) for all stored data.

Sensitive fields

Highly sensitive information such as Tax File Numbers is encrypted with Fernet (AES-128-CBC with HMAC-SHA256) before storage, providing an additional layer of protection beyond database-level encryption.
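
Field-level encryption of a Tax File Number as described above, shown as an added example that is not Finance Frank's own code. It assumes the `cryptography` package, a comma-separated keyring supplied through a FIELD_KEYS environment variable, and the helper names below; the sample TFN is constructed. Beyond the paragraph, it shows the HMAC-SHA256 tag rejecting a modified stored value and non-disruptive key rotation with MultiFernet.

```python
# Added example, not Finance Frank's code: a TFN is encrypted with Fernet before
# it is written, so the database column only ever holds an opaque token.
# Assumed names: FIELD_KEYS keyring, new_key/load_keyring/encrypt_tfn helpers.
import base64
from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Fernet token layout: version (1) | timestamp (8) | IV (16) | AES-128-CBC
# ciphertext | HMAC-SHA256 tag (32) computed over everything before it.
HEADER_LEN = 1 + 8 + 16


def new_key() -> str:
    return Fernet.generate_key().decode()  # 32 random bytes, base64url-encoded


def load_keyring(env_value: str) -> MultiFernet:
    """Keys come from FIELD_KEYS: first key encrypts, every key can decrypt."""
    keys = [k.strip().encode() for k in env_value.split(",") if k.strip()]
    if not keys:
        raise ValueError("FIELD_KEYS is empty: refuse to store TFNs unencrypted")
    return MultiFernet([Fernet(k) for k in keys])


def encrypt_tfn(keyring: MultiFernet, tfn: str) -> str:
    """Returns the token to store; the plaintext never reaches the database."""
    return keyring.encrypt(tfn.replace(" ", "").encode()).decode()


def decrypt_tfn(keyring: MultiFernet, token: str) -> str:
    """Raises InvalidToken if the HMAC check fails or no key in the ring matches."""
    return keyring.decrypt(token.encode()).decode()


def rotate_tfn(keyring: MultiFernet, token: str) -> str:
    """Re-encrypts a stored token under the newest key; plaintext stays internal."""
    return keyring.rotate(token.encode()).decode()


def verifies(keyring: MultiFernet, token: str) -> bool:
    """True only if the stored value is intact and readable with our keys."""
    try:
        keyring.decrypt(token.encode())
        return True
    except InvalidToken:
        return False


def flip_ciphertext_byte(token: str) -> str:
    """Simulates a corrupted or edited database value by altering one ciphertext byte."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[HEADER_LEN] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()
```

The keyring must live outside the database (for example in the hosting platform's secret store), otherwise a database-level compromise yields both the tokens and the keys that open them.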

Authentication and access control

Password hashing

Passwords are hashed using bcrypt via Supabase Auth. We never store plaintext passwords.

JWT authentication

Session tokens are short-lived JWTs with automatic expiry and refresh.

Row-level security (RLS)

PostgreSQL RLS policies ensure users can only access their own data at the database level, regardless of application logic.

Admin access

Administrative endpoints require a specific admin user ID and are not accessible to regular users.

Application security

Input sanitisation

All user inputs are sanitised to prevent injection attacks (SQL injection, XSS, etc.).

Rate limiting

API endpoints are rate-limited to prevent abuse and brute-force attacks.

Content Security Policy

Strict CSP headers prevent cross-site scripting and unauthorised resource loading.

Security headers

X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and other headers prevent common web attacks.

CORS

Cross-origin requests are restricted to authorised domains only.

Audit logging

API access is logged for security monitoring and incident investigation.

AI and data privacy

AI provider

Frank is powered by Anthropic Claude. Financial context is sent to Anthropic solely to generate responses.

No training on your data

Anthropic does not use API inputs to train their models. Your financial data is not used for AI training.

Minimal context

Only relevant financial data is included in AI requests, not your entire dataset.

Data isolation

Row-level isolation

Each user’s data is logically isolated through PostgreSQL row-level security.

Entity permissions

Entity-level permissions allow controlled sharing between users (e.g. accountant access) without exposing other data.

API key protection

Service-level API keys are never exposed to the client.

Incident response

In the event of a security incident:

We follow the Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act 1988.
Affected users will be notified via email as soon as practicable.
The Office of the Australian Information Commissioner (OAIC) will be notified where required.
We will take immediate steps to contain the breach and mitigate harm.

Responsible disclosure

If you discover a security vulnerability in Finance Frank, please report it responsibly. Contact us at security@financefrank.ai. We ask that you:

Do not publicly disclose the vulnerability before we have had a chance to address it.
Provide sufficient detail for us to reproduce and fix the issue.
Do not access or modify other users’ data.

We appreciate responsible disclosure and will acknowledge your contribution.

Questions about our security?

If you have questions about our security practices, contact us at:

security@financefrank.ai