Security

Security at the core.

You’re trusting us with SSNs and bank accounts. Here is how we protect them today, where provider rails are gated, and what is still handled through verified partners.

  • RLS: Scoped
  • Plaid: Tokenized
  • Audit: Logged
  • Rails: Gated
  • Encrypt: Fields

How we work

Seven pillars, reviewed quarterly.

Security isn’t a page; it’s an operating habit. This is the checklist we actually run against — updated as the product grows.

Infrastructure

  • Managed production hosting, database, and object storage providers
  • Environment checks guard the single production Supabase project
  • Provider-gated payroll rails stay disabled until required configuration exists

Encryption

  • Encrypted transport with HSTS on production responses
  • Sensitive SSN, bank account, and onboarding draft fields use field-level encryption
  • Private document buckets and signed download URLs for protected HR artifacts

Access control

  • Role-based access for employee, manager, and company-admin surfaces
  • Server-side guards protect privileged payroll, employee, and document APIs
  • Persona-isolated dashboards reduce accidental cross-workspace exposure

Monitoring

  • Privileged employee profile and work-authorization actions are audit logged
  • Security headers are applied on production responses
  • Provider and configuration failures surface as gated states instead of fake success

Vulnerability management

  • Responsible disclosure at security@moneyloop.ai
  • Dependency and framework updates are reviewed as part of release hardening
  • External assessments will be published only after they are completed

Incident response

  • Incident triage focuses first on containment, customer impact, and evidence preservation
  • Affected customers and regulators are notified as required by law
  • Follow-up summaries are shared with affected accounts when appropriate

Compliance

  • SOC 2 control mapping in progress; no badge is claimed before attestation
  • Benefits data kept provider-gated until controls are verified
  • Payment-card handling delegated to audited payment rails

Responsible disclosure

Report a vulnerability.

We take every security report seriously. Send the reproduction steps, affected URL, and impact. We will triage it and follow up with the next practical step.

// include

affected route or API
steps to reproduce
screenshots or logs

// scope

*.moneyloop.ai, api.moneyloop.ai, authenticated web app flows

// out of scope

social-engineering, denial of service, physical attacks

Prepare payroll on infrastructure you can actually audit.

Encrypted sensitive fields, provider-tokenized bank data, and provider-gated money movement.

No credit card on the free tier.