Your data is safe.
Here's exactly how.
Nautilius Money is built on a deliberate principle: sensitive financial data should live inside certified infrastructure, not ours. We connect the pipes โ Plaid, Supabase, and Stripe hold the data and carry the certifications.
- โOAuth-based connection โ you log in directly with your bank, not with us
- โNautilius Money receives a secure access token, never your username or password
- โWe request read-only transaction data only โ no account or routing numbers imported
- โPayment initiation products are not enabled, making fund movement architecturally impossible
- โAES-256 encryption at rest; TLS 1.3 in transit on every request
- โRow-Level Security (RLS) enforced at the database layer โ one user can never read another's data
- โData hosted in US-East region; no cross-border transfers
- โAutomated backups with point-in-time recovery
- โAll payment processing handled entirely within Stripe's PCI-certified environment
- โNautilius Money never sees, stores, or logs your card number, CVV, or billing details
- โSubscription tokens are the only payment reference stored on our side
- โStripe Radar fraud protection active on all transactions
Security built into the architecture
These aren't policies or promises โ they're constraints enforced by how the system is built.
What Nautilius Money will never do
These aren't buried in a terms of service. They're architectural decisions we've made permanent.
SOC 2 audits a company's internal systems and processes for handling sensitive data. Nautilius Money is designed so that the data requiring that level of oversight โ bank credentials, card numbers, account numbers โ never enters our systems in the first place.
The infrastructure partners we rely on (Plaid, Supabase, Stripe) each hold SOC 2 Type II certification and undergo independent annual audits. Our architecture is intentionally designed to keep Nautilius Money outside the scope of data that would require our own certification. As the product grows, we will pursue additional certifications where they add genuine user protection โ not just compliance theater.