Security

Last updated: April 2026

At wiz≡r, protecting your financial data is our highest priority. This page describes the technical and organizational measures we use to keep your information safe.

Authentication & Access Control

Password Security

  • Passwords are hashed using BCrypt with a cost factor of 12
  • We never store or transmit passwords in plain text
  • Passwords are validated against security best practices

Session Management

  • Authentication uses JSON Web Tokens (JWT) with HMAC-SHA256 signing
  • Sessions expire after 1 hour of inactivity
  • Tokens are validated on every API request
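
The session design listed above (HS256-signed JWTs with a one-hour lifetime, checked on every request) as an added illustration; this is example code written for this page, not wiz≡r's own implementation. It uses only the Python standard library, assumes a fixed one-hour `exp` claim (a sliding inactivity window would be built by reissuing a token on each validated request, which is not shown), and constructs its own test secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SESSION_TTL = 3600  # one hour, matching the stated session lifetime

def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, secret: bytes, now: Optional[int] = None) -> str:
    """Mint a compact HS256 JWT whose exp is SESSION_TTL seconds after issue."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + SESSION_TTL}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, HS256-signed with `secret`
    and not yet expired; return None for anything else (the caller rejects the request)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm server-side: the header is attacker-controlled input,
        # so "none" or any other alg must not be honoured.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so the signature check does not leak timing.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        # Reject missing, malformed or past exp; only then is the session live.
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None
```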

Multi-Factor Authentication (MFA)

wiz≡r supports Time-based One-Time Passwords (TOTP) compatible with Google Authenticator and similar apps. MFA adds an additional layer of protection to your account.

Least Privilege

Users can only access their own data. All API endpoints enforce strict user-level authorization, ensuring no user can view or modify another user's financial information.

Encryption

Data at Rest

  • Sensitive data is encrypted using AES-256-GCM
  • Encryption keys are securely managed and never stored alongside encrypted data
  • On mobile devices, credentials are stored using platform-native secure storage (iOS Keychain, Android EncryptedSharedPreferences)

Data in Transit

  • All communications use TLS 1.2 or higher
  • API endpoints enforce HTTPS-only connections
  • Certificate validation is enforced on all connections

Plaid Integration Security

We never see or store your bank login credentials.

Bank authentication is handled entirely by Plaid, which maintains SOC 2 Type II compliance and uses bank-level security.

  • Plaid access tokens are encrypted at rest on our servers
  • Tokens are never exposed to client applications
  • Only the minimum required data products (transactions, accounts) are requested
  • You can revoke bank access at any time by unlinking your accounts

Data Protection

  • Personal financial information is never logged in plain text
  • Database files are excluded from version control
  • Security-relevant code changes are reviewed before deployment

Security Scanning & Assessment

We perform regular automated security assessments using industry-standard tools. Our most recent assessment (April 2026) achieved:

  • SSL Labs grade: A+
  • Vulnerabilities found: 0
  • Security checks passed: 58
  • Security headers: 8/8

  • OWASP ZAP: Automated baseline scans against web application and API — 0 failures
  • SSL/TLS: A+ grade from Qualys SSL Labs — TLS 1.2+ enforced
  • Security Headers: Full suite (HSTS, CSP, X-Frame-Options, Permissions-Policy, and more)
  • CORS: Restricted to authorized origins only
  • Rate Limiting: Authentication endpoints protected against brute-force attacks
  • Injection/XSS: SQL injection and cross-site scripting tested and blocked
  • Cloudflare WAF: Web Application Firewall with Bot Fight Mode for real-time threat protection

Incident Response

In the event of a security incident, we follow a structured response process:

  • Immediately assess the scope and impact
  • Contain the incident to prevent further damage
  • Preserve evidence for investigation
  • Notify affected users if personal data is compromised
  • Report to Plaid if the incident involves Plaid-related data
  • Document lessons learned and implement preventive measures

Data Retention & Deletion

Retention Periods

  • User account data: duration of account + 30 days
  • Financial transactions: up to 7 years (tax/audit compliance)
  • Application logs: 90 days
  • Backup files: 30 days rolling

Account Deletion

When you delete your account:

  • Plaid access tokens are revoked via API
  • All personal data is removed from the database
  • Local device storage is cleared
  • Deletion is immediate and irreversible

Your Security Responsibilities

  • Use a strong, unique password for your wiz≡r account
  • Enable multi-factor authentication for added protection
  • Keep your device and operating system up to date
  • Do not share your account credentials with anyone
  • Log out when using shared devices