Your financial data deserves serious protection.
CashFlowSmart processes sensitive business financial data. Here is exactly how we protect it — no vague promises, no marketing language.
Security Controls
Encryption at Rest
All data stored in our database is encrypted using AES-256. Encryption keys are managed separately from the data they protect and are rotated regularly.
Encryption in Transit
All data transmitted between your browser and our servers uses TLS 1.2 or higher. We enforce HTTPS on all endpoints with HSTS headers to prevent downgrade attacks.
No Direct Bank Access
CashFlowSmart never connects to your bank account directly. All financial data enters the system through CSV or PDF files you explicitly upload. You retain full control of your banking credentials at all times.
Role-Based Access Control
Access to your data is restricted by role. Only authenticated users with explicit permissions can view or modify your financial records. Admin, operator, and data-entry roles are enforced at the API level.
Session Security
Sessions are managed with signed, HTTP-only cookies that cannot be accessed by JavaScript. Sessions expire automatically and are invalidated on logout. We do not use localStorage for authentication tokens.
SOC 2 Type II Certification
We are actively pursuing SOC 2 Type II certification. Our security controls are designed to meet SOC 2 Trust Service Criteria (Security, Availability, Confidentiality) from day one of operation.
Data Handling Principles
- ✓ We do not sell your data. Your financial transaction data, project data, and business information are never sold to third parties, data brokers, lenders, insurers, or advertisers.
- ✓ Minimal data collection. We collect only the data necessary to provide the Service. We do not collect data speculatively or for future monetization.
- ✓ AI data handling. When you use the AI Financial Advisor, your financial context is sent to our LLM provider using a zero-data-retention API configuration. The provider does not store your data after returning a response.
- ✓ Data deletion. You can request complete deletion of your account and all associated data at any time. Deletion is permanent and completed within 30 days of request.
- ✓ Data portability. You can export all your data in CSV format at any time from the Settings page. We do not lock you in.
- ✓ Breach notification. In the event of a security incident affecting your data, we will notify you by email within 72 hours of discovery, in compliance with GDPR Article 33.
Compliance
GDPR (EU)
We comply with the General Data Protection Regulation for users in the European Economic Area. You have the right to access, correct, delete, and port your personal data. Our Data Protection contact is privacy@cashflowsmart.io.
CCPA (California)
We comply with the California Consumer Privacy Act. California residents have the right to know what data we collect, request deletion, and opt out of data sale (we do not sell data). Contact: privacy@cashflowsmart.io.
Report a Security Issue
If you discover a security vulnerability in CashFlowSmart, please report it responsibly to security@cashflowsmart.io. We will acknowledge your report within 24 hours and work with you to resolve verified issues. We do not pursue legal action against good-faith security researchers.
Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate.