Security & Privacy

Your data is safe.
Here's exactly how.

Nautilius Money is built on a deliberate principle: sensitive financial data should live inside certified infrastructure, not ours. We connect the pipes โ€” Plaid, Supabase, and Stripe hold the data and carry the certifications.

๐Ÿฆ
Plaid
SOC 2 Type II ยท ISO 27001
Certified
Your bank credentials never touch our servers
  • โœ“OAuth-based connection โ€” you log in directly with your bank, not with us
  • โœ“Nautilius Money receives a secure access token, never your username or password
  • โœ“We request read-only transaction data only โ€” no account or routing numbers imported
  • โœ“Payment initiation products are not enabled, making fund movement architecturally impossible
๐Ÿ—„๏ธ
Supabase
SOC 2 Type II ยท HIPAA eligible
Certified
Data encrypted at rest and in transit
  • โœ“AES-256 encryption at rest; TLS 1.3 in transit on every request
  • โœ“Row-Level Security (RLS) enforced at the database layer โ€” one user can never read another's data
  • โœ“Data hosted in US-East region; no cross-border transfers
  • โœ“Automated backups with point-in-time recovery
๐Ÿ’ณ
Stripe
PCI DSS Level 1
Certified
Card numbers never enter our systems
  • โœ“All payment processing handled entirely within Stripe's PCI-certified environment
  • โœ“Nautilius Money never sees, stores, or logs your card number, CVV, or billing details
  • โœ“Subscription tokens are the only payment reference stored on our side
  • โœ“Stripe Radar fraud protection active on all transactions
How It Works

Security built into the architecture

These aren't policies or promises โ€” they're constraints enforced by how the system is built.

๐Ÿ”‘
Zero credential storage
We never store bank usernames, passwords, or PINs. Plaid's OAuth flow means your credentials go directly to your bank's servers. Nautilius Money receives only a time-limited access token.
๐Ÿšซ
No account numbers by design
Plaid offers an "Auth" product that returns account and routing numbers. Nautilius Money deliberately does not request it. We use transaction and balance data only โ€” your account numbers are never in our database.
๐Ÿ‘๏ธ
Read-only, always
The Plaid connection Nautilius Money creates has no payment or transfer products attached. Even if our systems were fully compromised, there is no technical path to move money from your accounts.
๐Ÿ—๏ธ
Certified infrastructure, not certified Nautilius Money
Rather than pursuing our own SOC 2 certification (which audits internal processes), we architect so that sensitive data lives exclusively inside certified third parties. Plaid, Supabase, and Stripe carry their own Type II certifications โ€” covering the data that actually matters.
๐Ÿ”’
Row-level isolation
Supabase Row-Level Security policies mean your financial data is isolated at the database layer โ€” not just in application code. Even a bug in our API cannot return another user's data.
๐Ÿ—‘๏ธ
Right to deletion
Disconnecting an account immediately revokes the Plaid access token and queues deletion of associated transaction data. You can delete your Nautilius Money account and all data from Settings at any time.
Our Commitments

What Nautilius Money will never do

These aren't buried in a terms of service. They're architectural decisions we've made permanent.

โœ•Store your bank username or password
โœ•Import account or routing numbers
โœ•Enable any payment or transfer capability
โœ•Sell your financial data to third parties
โœ•Share data with advertisers or data brokers
โœ•Store card numbers or CVV codes
๐Ÿ“‹
A note on SOC 2 certification

SOC 2 audits a company's internal systems and processes for handling sensitive data. Nautilius Money is designed so that the data requiring that level of oversight โ€” bank credentials, card numbers, account numbers โ€” never enters our systems in the first place.

The infrastructure partners we rely on (Plaid, Supabase, Stripe) each hold SOC 2 Type II certification and undergo independent annual audits. Our architecture is intentionally designed to keep Nautilius Money outside the scope of data that would require our own certification. As the product grows, we will pursue additional certifications where they add genuine user protection โ€” not just compliance theater.

Security questions or concerns? security@nautiliusmoney.com