Security Practices

Security at CFO Dashboard

Your financial data deserves the highest protection. Here's exactly how we secure it, from encryption to infrastructure.

Your data is protected with AES-256-GCM application-level encryption, read-only access to your accounting software, 8 rate-limited API endpoints, and SOC 2 compliant infrastructure. We never modify your books.

How Your Data Flows

We only read your financial reports, and every step is encrypted.

  • Zoho Books: your accounting data
  • Secure OAuth: read-only scopes
  • CFO Dashboard: AES-256-GCM encryption
  • Neon PostgreSQL: encrypted at rest

Our Security Practices

A detailed look at how we protect your data at every layer.

Encryption at Rest & in Transit

  • OAuth tokens encrypted at the application layer with AES-256-GCM before storage — not just database-level encryption
  • Database-level encryption via Neon PostgreSQL on AWS (AES-256) as a second layer
  • All connections enforced via TLS/SSL (sslmode=require)
  • Passwords hashed with bcrypt (cost factor 12). Never stored in plaintext.

Authentication & Access Control

  • Every API endpoint requires a verified user session (NextAuth.js with JWT strategy)
  • Unauthenticated requests receive HTTP 401. No exceptions.
  • Session tokens stored in httpOnly cookies (not accessible via JavaScript)
  • Admin access restricted to a single owner email via environment variable

Data Isolation (Multi-Tenancy)

  • Every database query is scoped to the logged-in user's ID
  • User A cannot access User B's connections, invoices, or reports
  • Connection ownership is verified before any data operation

View-Only Zoho Integration

  • OAuth 2.0 with granular, read-only scopes (ZohoBooks.*.READ). We never modify your books.
  • Access tokens encrypted with AES-256-GCM at the application layer before database storage
  • Tokens refresh automatically — no manual re-authentication needed
  • You can revoke access at any time from your Zoho settings

Rate Limiting & Abuse Prevention

  • 8 API endpoints protected with per-IP sliding-window rate limiting
  • Registration, password changes, OAuth, sync, and payment endpoints all throttled
  • Rate limit headers included in responses (X-RateLimit-Remaining, Retry-After)
  • Brute-force protection on sensitive endpoints (5 requests per 15 minutes)
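
A per-IP sliding-window limiter with the limits and headers listed above, as an added illustration that is not CFO Dashboard's own code. The names createLimiter and demo, the in-memory Map store, and the HTTP 429 status are assumptions.

```javascript
// Added example (not the product's code): sliding-window log limiter,
// 5 requests per 15 minutes per client IP, as stated in the list above.
const WINDOW_MS = 15 * 60 * 1000;
const LIMIT = 5;

function createLimiter(limit = LIMIT, windowMs = WINDOW_MS) {
  const hits = new Map(); // ip -> ascending timestamps of accepted requests

  return function check(ip, now = Date.now()) {
    // Drop timestamps that have slid out of the window.
    const recent = (hits.get(ip) || []).filter((t) => now - t < windowMs);

    if (recent.length >= limit) {
      hits.set(ip, recent);
      // The oldest accepted hit leaves the window first; a slot frees up then.
      const retryAfterSec = Math.ceil((recent[0] + windowMs - now) / 1000);
      return {
        allowed: false,
        status: 429, // assumed status code; the page names only the headers
        headers: {
          "X-RateLimit-Remaining": "0",
          "Retry-After": String(retryAfterSec),
        },
      };
    }

    // Rejected requests are not recorded, so retrying does not extend the block.
    recent.push(now);
    hits.set(ip, recent);
    return {
      allowed: true,
      status: 200,
      headers: { "X-RateLimit-Remaining": String(limit - recent.length) },
    };
  };
}

// Constructed input: six attempts from one address, one minute apart,
// then a second client, then the first client again once the window has slid.
function demo() {
  const check = createLimiter();
  const t0 = 1_700_000_000_000;
  const results = [];
  for (let i = 0; i < 6; i++) results.push(check("203.0.113.7", t0 + i * 60_000));
  results.push(check("198.51.100.9", t0 + 5 * 60_000));
  results.push(check("203.0.113.7", t0 + WINDOW_MS));
  return results;
}
```

An in-memory Map is per-process, so on a platform that runs several instances the counters need a shared store to hold the limit across them. The client IP should come from a proxy header only when that header is set by infrastructure you trust.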

Secure Logging & Error Handling

  • 9 sensitive data patterns automatically redacted in production logs (tokens, emails, Stripe IDs, encrypted values)
  • Error responses never expose internal system details or stack traces
  • Debug logging is disabled in production environments

Secrets Management

  • All API keys, credentials, and secrets stored as environment variables
  • No sensitive data committed to source code. Verified by audit.
  • Environment files are excluded from version control (.gitignore)
  • Encryption keys managed separately from application secrets

Infrastructure Security

  • Hosted on Vercel (AWS). SOC 2 Type II compliant, with automatic HTTPS.
  • Database on Neon PostgreSQL. SOC 2 compliant, encrypted, with daily backups.
  • Payments processed by Stripe. PCI DSS Level 1 certified.
  • Zoho Books integration: SOC 2 + ISO 27001 certified.

Trusted Infrastructure

We build on infrastructure providers that meet the highest compliance standards.

  • Vercel: SOC 2 Type II
  • Neon: SOC 2 Compliant
  • Stripe: PCI DSS Level 1
  • AWS: SOC 2 / ISO 27001

Security Questions?

If you have questions about our security practices or want to report a vulnerability, we'd love to hear from you.
