Read-Only Data Access

Plenifi connects to your banks through Plaid and your brokerages through SnapTrade. Both integrations are strictly read-only — we receive balances, transactions, and holdings, but we can never move money, initiate transfers, or modify your accounts in any way. Your bank credentials are never stored on our servers.

Encryption Everywhere

All data is encrypted at rest in PostgreSQL and encrypted in transit with TLS 1.3. Session tokens use JWE (JSON Web Encryption) so they can't be read even if intercepted. Every connection between your browser and our servers is secured end to end.

Two-Factor Authentication

Every account supports TOTP two-factor authentication. When enabled, signing in requires both your password and a time-based code from your authenticator app. Session cookies are encrypted and scoped to your organization.

Privacy by Design

We don't run advertising trackers. Our minimal analytics use PostHog, self-hosted and privacy-focused. We don't sell, share, or monetize your financial data. Your data is exportable and deletable on request — no lock-in, no dark patterns.

Infrastructure

Plenifi is hosted on Railway, a modern cloud platform with SOC 2 Type II compliance. Our database runs on PostgreSQL with encryption at rest enabled at the storage layer. All connections use TLS 1.3, and database connections are encrypted and scoped to private networks.

Application secrets — API keys, signing keys, and connection strings — are stored in Railway's encrypted environment variable system and never committed to source control.

Authentication

User authentication is handled by Better Auth, a self-hosted authentication framework. Plenifi supports email and password login with optional TOTP two-factor authentication. Session tokens are issued as JWE-encrypted cookies, so the token contents are both integrity-protected and encrypted: a cookie that is tampered with is rejected, and its contents cannot be inspected, even by a browser extension that can read the raw cookie value.

Household access is managed through Better Auth's organization system. Each household is an organization with scoped membership, so users can only access accounts belonging to their own household. Role-based permissions control what each member can see and do.

Data Access Model

Plenifi connects to financial institutions through two trusted providers:

  • Plaid — for bank accounts, credit cards, and transaction history. Plaid is used by thousands of fintech applications and provides read-only access tokens scoped to specific accounts.
  • SnapTrade — for brokerage and investment accounts. SnapTrade handles the authentication flow with your brokerage and returns read-only portfolio data.

In both cases, your banking credentials flow directly to the provider. Plenifi never sees, stores, or has access to your username, password, or security questions. The access tokens we receive are read-only and cannot be used to move money or modify your accounts.

Application Security

Every request to the Plenifi API passes through multiple layers of protection:

  • Input validation — all incoming data is validated with Zod schemas before it reaches any business logic. Malformed requests are rejected at the boundary.
  • Parameterized queries — database access uses Drizzle ORM, which generates parameterized SQL. There is no string concatenation in queries, eliminating SQL injection as a class of vulnerability.
  • CORS and CSP headers — cross-origin requests are restricted to known domains. Content Security Policy headers limit what scripts and resources can execute in the browser.
  • Rate limiting — API endpoints are rate-limited to prevent brute-force attacks and abuse.
  • Helmet middleware — security headers (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security) are set on every response.

Privacy

Plenifi is built for people who pay for the product, not for advertisers. That means:

  • No advertising trackers, pixels, or third-party ad scripts.
  • Minimal analytics through PostHog — used to understand product usage patterns, not to build advertising profiles.
  • Your financial data is never sold, shared with third parties, or used for purposes beyond operating the product.
  • You can export your data or request deletion at any time by contacting us.

Responsible Disclosure

If you discover a security vulnerability in Plenifi, we want to hear about it. Please report it responsibly by emailing security@plenifi.com. We'll acknowledge your report within 48 hours and work with you to understand and resolve the issue before any public disclosure.

We appreciate researchers who give us the opportunity to fix issues before they're shared publicly. We do not pursue legal action against good-faith security researchers.