Your financial data is treated like what it is.
Financial data is sensitive. We designed DeductSam's security from the ground up — not as an afterthought. Here is exactly what we do to protect your information.
256-bit encryption
All data stored in our database and file storage is encrypted at rest using AES-256 — the same standard used by financial institutions. All data in transit uses TLS 1.2 or higher. HSTS headers ensure your browser enforces HTTPS for every visit.
Read-only bank access
When you connect your bank account via Plaid, DeductSam receives read-only transaction data. We cannot move money, initiate transfers, or modify your accounts. Your banking credentials go directly to Plaid — DeductSam never sees them. You can revoke access from Settings at any time.
Server-side key management
API keys for Plaid, OpenAI, Stripe, and Google are stored exclusively on our servers and are never bundled into the frontend application code. If you inspect DeductSam's JavaScript, you will not find credentials there. Third-party integrations are brokered through our servers on your behalf.
No plaintext passwords
DeductSam never stores your password. Authentication is managed by Supabase Auth, which uses industry-standard bcrypt hashing. Password reset flows use one-time tokens delivered to your email — not security questions. Two-factor authentication (TOTP) is available from Settings and uses cryptographically secure recovery codes.
Rate limiting on all endpoints
Every API endpoint — including AI, authentication, and data operations — has server-side rate limiting. This protects against brute-force attacks, credential stuffing, and automated abuse. AI endpoints that interact with OpenAI have additional limits to prevent misuse.
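As an added illustration of the server-side limiting described above (example code written for this page, not DeductSam's own implementation), the following sliding-window limiter keeps a per-caller list of recent request timestamps and applies a different ceiling per endpoint class. The class names, numeric limits, and the client key format are assumptions chosen for the example; a 429 with a Retry-After header is the conventional response once a caller is over the limit.

```javascript
// Added example (not DeductSam's code): a sliding-window rate limiter with
// per-endpoint-class limits, applied before a request reaches its handler.
// Class names and numeric limits below are constructed for illustration.
const LIMITS = {
  auth: { max: 5, windowMs: 60_000 },   // login / reset: tight, blunts credential stuffing
  ai:   { max: 20, windowMs: 60_000 },  // AI endpoints: bounds third-party usage per caller
  data: { max: 120, windowMs: 60_000 }, // ordinary data operations
};

class SlidingWindowLimiter {
  constructor(limits, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;            // injectable clock so behaviour is testable offline
    this.buckets = new Map();  // "class:key" -> array of in-window request times (ms)
  }

  // key identifies the caller (user id, or client IP for unauthenticated
  // routes such as login); cls selects which limit applies.
  check(cls, key) {
    const limit = this.limits[cls];
    if (!limit) throw new Error(`unknown endpoint class: ${cls}`);
    const t = this.now();
    const bucketKey = `${cls}:${key}`;
    // Drop timestamps that have aged out of the window.
    const stamps = (this.buckets.get(bucketKey) || []).filter(
      (s) => t - s < limit.windowMs,
    );
    if (stamps.length >= limit.max) {
      // The oldest in-window request decides when the next slot frees up.
      const retryAfterMs = stamps[0] + limit.windowMs - t;
      this.buckets.set(bucketKey, stamps);
      return { allowed: false, remaining: 0, retryAfterMs };
    }
    stamps.push(t);
    this.buckets.set(bucketKey, stamps);
    return { allowed: true, remaining: limit.max - stamps.length, retryAfterMs: 0 };
  }
}

// Translate a limiter decision into the HTTP response a server would send.
function toHttp(decision) {
  if (decision.allowed) {
    return { status: 200, headers: { "X-RateLimit-Remaining": String(decision.remaining) } };
  }
  return {
    status: 429,
    headers: { "Retry-After": String(Math.ceil(decision.retryAfterMs / 1000)) },
  };
}

// Simulate a burst of login attempts from one client, one per second, using
// a fake clock; returns the HTTP status each attempt would receive.
function simulateLoginBurst(attempts) {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(LIMITS, () => clock);
  const statuses = [];
  for (let i = 0; i < attempts; i++) {
    clock += 1000;
    // Constructed documentation-range IP, not a real client.
    statuses.push(toHttp(limiter.check("auth", "ip:203.0.113.7")).status);
  }
  return statuses;
}

console.log(simulateLoginBurst(8)); // first five allowed, the rest 429
```

Keying the `auth` class by client IP rather than user id matters because the caller is not yet authenticated during a login attempt; for AI and data routes the user id is the natural key so one account cannot consume another's allowance.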
Row-level data isolation
Our database enforces row-level security (RLS) policies that verify your user ID on every query. It is architecturally impossible for your data to appear in another user's account, or vice versa — the database itself enforces this boundary, not just the application layer.
Security headers
Every response from DeductSam includes HTTP security headers: Content Security Policy (CSP) restricting resource origins, X-Frame-Options preventing clickjacking, X-Content-Type-Options preventing MIME sniffing, and Referrer-Policy controlling information leakage. These are enforced at the CDN layer — not just in application code.
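The checks below, added here as an example and not DeductSam's own code, show how a deployment can verify that a response actually carries the headers listed above rather than trusting configuration alone. It parses the Content-Security-Policy into directives, accepts either X-Frame-Options or a CSP frame-ancestors directive as clickjacking protection, and treats an HSTS max-age under one year as a finding. The two header sets at the bottom are constructed samples, not captured from any real response.

```javascript
// Added example (not DeductSam's code): audit a response header set against
// the security headers described above. Input is an object mapping header
// name -> value; names are matched case-insensitively.
const REFERRER_POLICIES_OK = new Set([
  "no-referrer",
  "same-origin",
  "strict-origin",
  "strict-origin-when-cross-origin",
]);

// One year in seconds, the usual minimum for HSTS to be meaningful.
const HSTS_MIN_MAX_AGE = 31536000;

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Extract the max-age number from "max-age=N; includeSubDomains" (null if absent).
function hstsMaxAge(value) {
  const m = /max-age\s*=\s*(\d+)/i.exec(value);
  return m ? Number(m[1]) : null;
}

// Split a CSP string into a map of directive -> list of source tokens.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns a list of human-readable findings; an empty list means all checks passed.
function auditSecurityHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  const csp = h["content-security-policy"];
  const directives = csp ? parseCsp(csp) : {};
  if (!csp) {
    findings.push("missing Content-Security-Policy");
  } else {
    // script-src falls back to default-src when not set explicitly.
    const scriptSrc = directives["script-src"] || directives["default-src"];
    if (!scriptSrc) {
      findings.push("CSP has neither script-src nor default-src");
    } else if (scriptSrc.includes("*") || scriptSrc.includes("'unsafe-inline'")) {
      findings.push("CSP script sources allow wildcard or inline scripts");
    }
  }

  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (!["DENY", "SAMEORIGIN"].includes(xfo) && !directives["frame-ancestors"]) {
    findings.push("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)");
  }

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }

  if (!REFERRER_POLICIES_OK.has((h["referrer-policy"] || "").toLowerCase())) {
    findings.push("Referrer-Policy missing or too permissive");
  }

  const hsts = h["strict-transport-security"];
  const maxAge = hsts ? hstsMaxAge(hsts) : null;
  if (maxAge === null || maxAge < HSTS_MIN_MAX_AGE) {
    findings.push("HSTS missing or max-age below one year");
  }

  return findings;
}

// Constructed sample header sets for the audit; not real captured responses.
const HARDENED_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
};

const WEAK_HEADERS = {
  "Content-Security-Policy": "default-src *",
  "Referrer-Policy": "unsafe-url",
  "Strict-Transport-Security": "max-age=300",
};

console.log(auditSecurityHeaders(HARDENED_HEADERS)); // []
console.log(auditSecurityHeaders(WEAK_HEADERS));     // five findings
```

Running this against the headers of a live response (for example, those returned by a fetch of the site's own origin) is a cheap regression check that a CDN or proxy change has not silently dropped a header the application layer assumes is present.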
Error monitoring without PII
Application errors are tracked by Sentry so we can diagnose and fix bugs quickly. Error reports include the error message and stack trace, but are scrubbed of financial data and personally identifiable information before transmission. We do not log your expense amounts, merchant names, or business data to error reports.
Where your data lives
A plain-language explanation of the data flow inside DeductSam.
Your expenses and receipts
Stored in Supabase-managed PostgreSQL (encrypted at rest). Receipt image and PDF files are stored in Supabase object storage (encrypted at rest). Storage paths are user-scoped — a URL for your receipt will not work if requested by a different authenticated user.
AI processing (Sam)
When Sam analyzes your expenses or answers a question, relevant data (expense descriptions, merchant names, your business profile) is sent to OpenAI's API via our server — never directly from your browser. We do not send Social Security numbers, bank account numbers, government IDs, or your email address to OpenAI. OpenAI processes this data under their API data usage policy, which you can review at openai.com/policies.
Bank sync (Plaid)
When you connect your bank via Plaid, you authenticate directly with Plaid — your banking credentials never touch DeductSam's servers. Plaid provides us a read-only access token. We use that token to pull transaction amounts, dates, and merchant names. Full account numbers and routing numbers are never shared with DeductSam.
Payments (Stripe)
Subscription billing is handled by Stripe. Payment card information is entered directly into Stripe's hosted checkout — it is never transmitted to or stored by DeductSam's servers. We receive only a Stripe customer ID and subscription status.
Found a security issue?
We take security reports seriously. If you discover a vulnerability in DeductSam, please email us at deductsam@gmail.com with "Security" in the subject line. We will acknowledge your report within 48 hours and work to address the issue promptly. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.