Security is foundational to TreasuryFlow. Your exact transaction amounts are encrypted and delivered securely to your Excel ledger for precise reconciliation. Our internal systems — logs, categorization, and ML pipelines — only ever see privacy-preserving magnitude buckets, never your penny values.
Runs on SOC 2 Type II–compliant infrastructure (Google Cloud).
TreasuryFlow is not independently SOC 2 certified yet — we’re happy to share our subprocessor list and security questionnaire for vendor reviews.
Trusted with real money, every day.
“TreasuryFlow is a powerful solution that provides bank account consolidation, dynamic reporting, data visualization and forecasting that your bank can’t offer. Any finance professional responsible for cash flow management would benefit from it.” — Matt Picciano, CFO, Bonney Plumbing.
Bank connectivity is handled by Plaid — the same infrastructure Venmo and Robinhood use — so your banking credentials never touch our servers.
Exact amounts are securely stored and delivered to your ledger via authenticated API. Our categorization engine only sees logarithmic magnitude buckets — your penny values never enter our logs or ML training. The on-demand treasury assistant works on your real figures to answer your questions, and every number traces back to a source bank line you can verify.
API Key Authentication
API tokens are one-way hashed before storage (brute-force infeasible). Raw tokens are never stored in our database.
Plaid for bank connectivity
Bank connectivity via Plaid (the same infrastructure Venmo and Robinhood use). Your banking credentials never touch our servers. Up to 24 months of transaction history imports at connect, so your forecast starts with real depth on day one.
Verified Bank Webhooks
Every Plaid webhook we receive is cryptographically signed and verified before a single byte is processed — a spoofed update can never touch your data.
Rate Limiting
Public endpoints are rate-limited to prevent abuse. Automated scraping is blocked.
Plaid Token Encryption
Plaid access tokens are encrypted at rest and in transit. Raw tokens never appear in the database, logs, or backups.
Multi-Tenant Isolation
All database queries are scoped to the authenticated user's ID. No administrative endpoints exist that can access another tenant's financial data.
Error Monitoring
Production errors are tracked via Sentry with automatic PII filtering. Request bodies and auth headers are stripped before transmission.
Bank Re-Authentication
When bank connections expire, Plaid webhooks automatically flag the issue and users can seamlessly re-authenticate without re-entering credentials.
Verify it yourself
A live attestation generated from our code — not marketing.
Data Protection Layers
Magnitude Bucketing (Categorization Only)
Every transaction passes through our get_magnitude_bucket() function at ingestion for categorization. The exact amount is securely stored and delivered to your Excel ledger for cross-bank reconciliation; the bucket is used only by our internal ML and categorization engines:
MICRO: Less than $10
SMALL: $10 – $100
MEDIUM: $100 – $1,000
LARGE: $1,000 – $10,000
XLARGE: Greater than $10,000
Log & ML Isolation
Exact dollar amounts never appear in application logs, error reports, or ML training data. Only magnitude buckets are used for categorization and analytics, ensuring your financial details remain private even at the infrastructure level.
Authentication
Every data endpoint requires a valid API token via the Authorization: Bearer header
API tokens use 32 bytes of cryptographic randomness for maximum security
Tokens are stored as cryptographic hashes — the raw token is shown once at signup and never again
Tokens have 256 bits of entropy (via secrets.token_urlsafe), making brute-force infeasible
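The token scheme listed above, as an added example that is not TreasuryFlow's own code: a token is generated with secrets.token_urlsafe(32), only its digest is stored, and a Bearer header is checked by hashing what was presented and looking up the digest. SHA-256, the TokenStore class and the in-memory table are assumptions; the page does not name the hash algorithm or the storage schema.

```python
import hashlib
import secrets
from typing import Dict, Optional


def _digest(raw_token: str) -> str:
    # Assumption: SHA-256. An unsalted fast hash is adequate here only because
    # the input is 256 bits of randomness, not a human-chosen password.
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in for a token table (hypothetical: digest -> user ID)."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, str] = {}

    def issue(self, user_id: str) -> str:
        """Create a token, persist only its digest, return the raw value once."""
        raw = secrets.token_urlsafe(32)  # 32 random bytes, 43 URL-safe characters
        self._by_digest[_digest(raw)] = user_id
        return raw

    def authenticate(self, authorization: Optional[str]) -> Optional[str]:
        """Return the user ID for a valid 'Bearer <token>' header value, else None."""
        if not authorization:
            return None
        scheme, _, presented = authorization.partition(" ")
        presented = presented.strip()
        if scheme.lower() != "bearer" or not presented:
            return None
        # The lookup key is the digest of the presented value, so the raw token
        # is never stored and never compared against stored data.
        return self._by_digest.get(_digest(presented))


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("user-a")  # constructed sample user ID
    print("valid token   ->", store.authenticate("Bearer " + token))
    print("wrong scheme  ->", store.authenticate("Basic " + token))
    print("altered token ->", store.authenticate("Bearer " + token + "x"))
    print("stored values ->", list(store._by_digest))  # digests only
```

A leaked copy of the stored table yields digests that cannot be replayed as tokens, which is the property the list above relies on.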
Data Isolation
All database queries are scoped to the authenticated user's ID
No admin endpoints exist that can access another user's data
User A can never see User B's transactions, forecasts, or profile
Logging & Monitoring
Structured logging with request IDs — never financial data
No transaction amounts, merchant names, or account numbers in logs
Error responses never expose stack traces or internal paths
Infrastructure Security
HTTPS-only communication (HSTS enforced)
CORS origins restricted to production and development domains
Rate limiting on signup and waitlist endpoints to prevent abuse
Stripe webhook signature verification to prevent spoofing
Plaid webhook signature verification — every bank-event webhook is cryptographically signed and verified before processing
X-Frame-Options: DENY and X-Content-Type-Options: nosniff headers
Responsible Disclosure
If you discover a security vulnerability, please report it to security@treasuryflow.ai. We will respond within 48 hours and work with you to address the issue promptly.