Our approach
Security is fundamental to how we design, build, and operate CashSheet. Financial data demands the highest standards of protection, and we treat every customer's data as if it were our own.
Tenant isolation
Every CashSheet customer runs in a dedicated silo: their own Postgres database, their own application containers, and their own subdomain. There is no shared multi-tenant database where one bug could leak rows between customers. Isolation is enforced at the infrastructure layer, not in application code.
Encryption
- In transit — All connections use TLS 1.3. HTTP requests are automatically redirected to HTTPS. Internal service-to-service communication is encrypted.
- At rest — Database volumes and backups are encrypted using AES-256. Encryption keys are managed through a dedicated key management service.
Authentication & access
- Passwords are hashed using bcrypt with per-user salts
- Two-factor authentication (2FA) is available for all accounts
- Session tokens are rotated regularly and invalidated on logout
- Role-based access control with the principle of least privilege
- Admin actions are logged with a full audit trail
Infrastructure
- Hosted on hardened Linux servers with automatic security patches
- Network-level firewalls restricting access to required ports only
- Container-based deployment with immutable images
- Automated daily backups with point-in-time recovery
- Separate production, staging, and development environments
Application security
- Parameterized queries to prevent SQL injection
- CSRF protection on all state-changing requests
- Content Security Policy (CSP) headers enforced
- Input validation and output encoding throughout
- Dependency scanning for known vulnerabilities
- Regular code review with security-focused checks
Monitoring & incident response
We monitor all systems 24/7 with automated alerting. Our incident response process includes immediate containment, root cause analysis, customer notification (when applicable), and post-incident review with corrective actions.
Data handling
- We do not access customer financial data except to provide the service or when legally required
- Employee access to production systems is restricted and logged
- Data deletion requests are fulfilled within 90 days
- We do not sell, share, or use customer data for advertising
Responsible disclosure
If you discover a security vulnerability in our platform, please report it responsibly to [email protected]. We appreciate the security research community and will acknowledge valid reports. Please do not disclose vulnerabilities publicly before we have had the opportunity to address them.
Questions
For security-related inquiries, contact [email protected].