Security

Your money data, locked down.

Financial data is sensitive. Here's how we protect yours — in plain language, not marketing speak.

Encryption everywhere

All data in transit uses TLS 1.3. Data at rest is encrypted with AES-256. Your password is never stored — only a salted bcrypt hash.

Authentication

Session tokens are generated securely and expire automatically. Password reset links are single-use and expire in 1 hour. We support Google OAuth for passwordless sign-in.

Infrastructure

Your data lives in a SOC 2 Type II certified data centre. Database access requires multi-factor authentication. Automated backups run daily.

Zero data selling

We have never sold user data and never will. Employees access user data only to resolve support tickets, with logged audit trails.

Password security

Cashy requires passwords of at least 8 characters. We enforce this at signup and at password change. Passwords are hashed using bcrypt with a per-user salt before storage — we cannot see your password, ever.

If you forget your password, a reset link is sent to your email. Links are single-use, expire in 1 hour, and are invalidated after use or after account re-login.
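The reset-link lifecycle described above, as an added example that is not Cashy's own code: a small in-memory token store that makes each link single-use, expires it after one hour, and invalidates a user's outstanding links when that account logs in again. The store class, its method names, epoch-second timestamps and keeping only a hash of the token at rest are assumptions, not details from the page.

```python
import hashlib
import secrets
import time

RESET_LINK_TTL_SECONDS = 3600  # page: links expire in 1 hour


class ResetTokenStore:
    """Hypothetical in-memory store for password-reset tokens.

    A real deployment would back this with the database. Only a SHA-256
    digest of each token is kept (an assumption beyond the page), so a
    leaked table does not yield usable reset links.
    """

    def __init__(self):
        # digest -> [user_id, expires_at (epoch seconds), used]
        self._tokens = {}

    def issue(self, user_id, now=None):
        """Create a fresh token for the e-mailed link; returned exactly once."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[self._digest(token)] = [user_id, now + RESET_LINK_TTL_SECONDS, False]
        return token

    def redeem(self, token, now=None):
        """Return the user_id if the token is live, else None; marks it used."""
        now = time.time() if now is None else now
        entry = self._tokens.get(self._digest(token))
        if entry is None:
            return None  # unknown or never issued
        user_id, expires_at, used = entry
        if used or now >= expires_at:
            return None  # already redeemed, invalidated, or older than 1 hour
        entry[2] = True  # single-use: a second redemption fails
        return user_id

    def invalidate_for_user(self, user_id):
        """Called on successful login: the user's outstanding links die."""
        for entry in self._tokens.values():
            if entry[0] == user_id:
                entry[2] = True

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()
```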

Session security

  • Sessions use secure, httpOnly cookies — inaccessible to JavaScript
  • Signing out from any device invalidates the session server-side
  • Sessions expire automatically after inactivity
  • Opening the app in multiple tabs uses the same session safely

What data we never have

  • Your bank login credentials — we never ask for them
  • Direct access to your bank accounts
  • Payment card numbers
  • Government ID numbers

Cashy is manual-entry only. You choose exactly what to add.

Responsible disclosure

Found a security vulnerability? Please report it privately to security@cashy.app. We will acknowledge within 24 hours and work to resolve confirmed issues within 30 days. We do not pursue legal action against good-faith security researchers.