💰SimpleMonth

Security & Information Protection

At SimpleMonth, protecting your financial and personal data is a core responsibility. This page outlines the technical, administrative, and operational safeguards we use to identify, mitigate, and monitor information security risks.

Our security program is actively maintained and evolves alongside the product.

1. Data Classification & Scope

We classify and protect data based on sensitivity, including:

  • Financial Data
    Bank account metadata, balances, transactions, and investment-related information obtained through authorized integrations (e.g., Plaid).
  • Personal Data
    Email addresses, account identifiers, and user-provided profile information.
  • Operational Metadata
    Logs, application events, and system telemetry used for monitoring and troubleshooting.

Sensitive data is accessed strictly on a need-to-know basis and protected by multiple layers of controls.

2. Encryption

Encryption in Transit

All data transmitted between your device and our services is encrypted using HTTPS/TLS.

  • TLS 1.2+ is enforced
  • The server presents a valid certificate, so the connection is authenticated and cannot be read or modified in transit
  • Cookies carry the Secure and HttpOnly flags and HTTP security headers are set where applicable

Encryption at Rest

Data stored by our infrastructure providers is encrypted at rest using industry-standard encryption mechanisms managed by those providers.

3. Authentication & Identity Management

We use Supabase Auth for authentication and identity management.

Key protections include:

  • Secure Password Storage
    Passwords are never stored in plain text; Supabase Auth stores only salted hashes produced by an adaptive, industry-standard password hashing algorithm.
  • Session Management
    Sessions are time-limited: access tokens expire and must be renewed, and signing out invalidates the session.
  • Email Verification
    New accounts must verify their email address before use, confirming that the person creating the account controls that address.
  • Future Enhancements
    Additional controls such as multi-factor authentication may be introduced as the platform evolves.

4. Authorization & Data Isolation (Row Level Security)

We enforce Row Level Security (RLS) at the database level to ensure strict data isolation.

  • Users can only access data associated with their own account
  • Authorization is enforced by the database itself, not only application logic
  • This provides defense in depth: even if an application bug issued an over-broad query, the database would still return only the caller's own rows
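The pattern described above, shown as an added SQL illustration (this is not SimpleMonth's schema or policy set): RLS is switched on per table, one policy per operation ties every row to the caller's identity, and the isolation is verified from a SQL session rather than trusted from the application. The table name, columns, sample values and UUIDs are assumptions; `auth.uid()` is the Supabase helper that reads the caller's user ID from the JWT claims PostgREST places on the connection, and the `authenticated` role is assumed to have Supabase's default table grants.

```sql
-- Added illustration, not SimpleMonth's own schema. Table, columns and
-- data are assumptions; auth.uid() and the authenticated role are
-- Supabase's. In a real schema user_id would also reference auth.users(id);
-- the FK is omitted here so the made-up UUIDs below can be inserted.
create table if not exists transactions (
  id          bigint generated always as identity primary key,
  user_id     uuid not null default auth.uid(),
  amount      numeric(12, 2) not null,
  description text
);

-- 1. Turn RLS on. Until this is done, policies are not consulted at all and
--    any client holding the anon/authenticated key can read every row.
alter table transactions enable row level security;

-- 2. One policy per operation. USING filters the rows a user may see or
--    touch; WITH CHECK constrains the rows a user may write, so a caller
--    cannot insert or move a row into another account.
create policy "own rows: select" on transactions
  for select to authenticated
  using (user_id = auth.uid());

create policy "own rows: insert" on transactions
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "own rows: update" on transactions
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "own rows: delete" on transactions
  for delete to authenticated
  using (user_id = auth.uid());

-- 3. Verify the isolation from SQL by impersonating an authenticated user:
--    set the same JWT claims PostgREST would set. The sub values are made up.
begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"sub": "11111111-1111-4111-8111-111111111111", "role": "authenticated"}';

  -- Allowed: user_id defaults to auth.uid(), which satisfies WITH CHECK.
  insert into transactions (amount, description) values (42.00, 'coffee');

  -- Rejected with "new row violates row-level security policy":
  -- insert into transactions (user_id, amount)
  --   values ('22222222-2222-4222-8222-222222222222', 1.00);

  -- Returns only this user's rows, whatever else the table holds.
  select count(*) from transactions;
rollback;
```

Two caveats a practitioner would check: every table exposed through the API needs its own `enable row level security` statement, since a table without it ignores policies entirely; and the `service_role` key bypasses RLS by design, so it belongs only in trusted server-side code and never in the browser or a client-side bundle.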

5. Infrastructure & Application Security

We apply industry best practices across our infrastructure:

  • Principle of Least Privilege
    Access to systems and data is limited to what is required for operation.
  • Secrets Management
    API keys, credentials, and sensitive configuration are stored securely using environment variables and are never committed to source code.
  • Dependency & Platform Updates
    Dependencies and infrastructure components are updated regularly to address security vulnerabilities.

Hosting Providers

We rely on reputable infrastructure providers:

  • Supabase (database, authentication)
  • Vercel (application hosting)

These providers maintain strong security programs and certifications.

6. Third-Party Integrations & Risk Management

We integrate with trusted third-party services to deliver functionality securely.

  • Plaid
    Used to connect to financial institutions. Bank login credentials are entered directly in Plaid's interface; they are never sent to or stored on SimpleMonth systems.
  • Supabase & Vercel
    Used for backend services and hosting.

Third-party access is limited to necessary scopes, and integrations are reviewed as features evolve.

7. Operational Security & Monitoring

We maintain ongoing operational safeguards, including:

  • Monitoring & Logging
    Application activity is logged and monitored to detect suspicious behavior.
  • Access Controls
    Production access is restricted to authorized personnel only.
  • Change Management
    Changes to infrastructure and sensitive systems are controlled and reviewed.

8. Incident Response

We maintain procedures to respond to security incidents, including:

  • Identification and containment of potential threats
  • Investigation and remediation
  • User notification when required by law or circumstances

Incident handling processes are reviewed and refined as the platform matures.

9. User Responsibilities

Security is a shared responsibility. Users are encouraged to:

  • Use strong, unique passwords
  • Keep their email accounts secure
  • Log out from shared or public devices
  • Report suspicious activity promptly

Support: info@simplemonth.com

10. Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

info@simplemonth.com

Please do not publicly disclose vulnerabilities until we have had an opportunity to investigate and remediate.

11. Compliance & Certifications

While SimpleMonth has not undergone a formal independent security audit, our infrastructure providers maintain recognized certifications:

  • Supabase – SOC 2 Type II
  • Vercel – Industry-standard security and compliance practices

We do not claim "bank-level security." We follow industry best practices appropriate for our stage and continuously improve our security posture.

Questions?

If you have questions about our security practices, contact:

info@simplemonth.com (also for vulnerabilities)

See also: Privacy Policy | Terms of Service | Data Handling