Security at TinSuite

Your financial data is the most sensitive thing you'll trust us with. We treat it that way.

Encryption everywhere

TLS 1.3 in transit. AES-256 at rest. Bank tokens encrypted with keys we control.

Access controls

Role-based permissions, 2FA, SSO for Business. Every admin action logged.

Zero trust infrastructure

Services isolated by network policy. No cross-tenant data exposure.

Auditable by design

Immutable audit log of every sensitive action. Accessible on Pro+ plans.

Reliable hosting

Hetzner primary data center (Germany). Hourly automated backups, point-in-time recovery.

Compliance

SOC 2 Type II audit in progress. GDPR and CCPA compliant. Aligned with PCI-DSS for payment paths.

Technical details

  • Passwords: bcrypt with 12 rounds. Never stored in plaintext. Zero-knowledge.
  • Session tokens: JWT with 15-minute expiry. Refresh rotation. HttpOnly cookies on mobile.
  • Plaid tokens: AES-256-GCM encrypted in database. Decryption keys stored separately.
  • Database: PostgreSQL with encrypted backups. Transparent data encryption at rest.
  • Infrastructure: Private Docker network. No direct DB access from internet.
  • CI/CD: Signed builds. Secrets rotated quarterly.
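The third bullet describes the pattern for the bank tokens: the token is sealed with AES-256-GCM, and the key that can open it is not kept next to the ciphertext. The snippet below is an added illustration of that pattern in Go, written for this page and not code from TinSuite; it assumes a key-encryption key (KEK) that is fetched from a secret store or KMS at runtime (here a constructed byte string), generates a per-record data key (DEK) that is wrapped under the KEK before it goes into the row, and uses the user ID as associated data so that a ciphertext copied onto another user's row, or edited in place, fails to decrypt instead of yielding a token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// TokenRecord is what a database row would hold: the encrypted token and the
// per-record data key, itself wrapped under a KEK that never lives in the
// database (assumption: the KEK comes from a KMS or separate secret store).
type TokenRecord struct {
	UserID     string
	WrappedDEK []byte // DEK encrypted under the KEK
	Ciphertext []byte // bank token encrypted under the DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key, binding it to aad,
// and returns nonce || ciphertext || tag with a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to the blob or the aad makes the GCM tag
// check fail, so tampering is reported as an error rather than garbage output.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// StoreToken generates a fresh DEK for this record, encrypts the token with
// it (user ID as associated data), and wraps the DEK under the KEK so the row
// alone is useless without the separately held KEK.
func StoreToken(kek []byte, userID, token string) (TokenRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return TokenRecord{}, err
	}
	ct, err := seal(dek, []byte(token), []byte(userID))
	if err != nil {
		return TokenRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte("dek:"+userID))
	if err != nil {
		return TokenRecord{}, err
	}
	return TokenRecord{UserID: userID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// LoadToken unwraps the DEK with the KEK and then decrypts the token; the
// user ID stored on the row must match the one the data was sealed for.
func LoadToken(kek []byte, rec TokenRecord) (string, error) {
	dek, err := unseal(kek, rec.WrappedDEK, []byte("dek:"+rec.UserID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := unseal(dek, rec.Ciphertext, []byte(rec.UserID))
	if err != nil {
		return "", fmt.Errorf("decrypt token: %w", err)
	}
	return string(pt), nil
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for a KMS-held key
	rec, _ := StoreToken(kek, "user-123", "access-sandbox-example")
	tok, err := LoadToken(kek, rec)
	fmt.Println(tok, err)
	rec.Ciphertext[len(rec.Ciphertext)-1] ^= 1 // simulate a modified row
	_, err = LoadToken(kek, rec)
	fmt.Println("after tampering:", err)
}
```

The point of the split is that a database dump, or a backup, contains only wrapped keys and ciphertext; reading a token requires the KEK from the separate store, and rotating the KEK means re-wrapping the small DEKs rather than re-encrypting every token.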

Responsible disclosure

Found a vulnerability? We reward responsible disclosure. Email [email protected]. Our PGP key is published at /security/pgp.

Subprocessors

Current subprocessors: Hetzner (hosting), Stripe (payments), Plaid (banking), Resend (email), Cloudflare (DNS/CDN). Full list at /subprocessors. 30-day notice before adding new subprocessors.