Ghost Financial

Security

Last updated: March 2026

Security is foundational to everything we build at Ghost Financial. You’re trusting us with a view of your financial life — we take that responsibility seriously. Here’s an honest account of how we protect your data.

Read-Only Bank Access

Ghost Financial can only read your financial data. We have no ability to move money, initiate transfers, or make any changes to your bank accounts. This is a hard architectural constraint, not just a policy: the access we request through Plaid is read-only, so nothing our systems hold could authorize a transaction on your account.

This means that even in the unlikely event of a breach of Ghost Financial’s systems, no one could use our access to take money from your accounts. A breach could still expose the financial data we hold, which is why the encryption, access controls and data minimisation described below matter as much as the read-only boundary.

Bank Credentials Are Never Stored by Us

When you connect a bank account, you authenticate directly with your financial institution through Plaid’s secure interface. Ghost Financial never sees, receives, or stores your banking username, password, or security codes at any point in this process. Plaid maintains the connection to your bank; what we store is the Plaid-issued access token for that connection, which lets us read data through Plaid’s API and cannot be used to log in to your bank.

Plaid undergoes independent SOC 2 Type II audits and is used by thousands of financial apps worldwide. They apply bank-grade security practices to protect your credentials and the connection. Learn more at plaid.com/safety.

Encryption

All data transmitted between your device and Ghost Financial’s servers is encrypted in transit using TLS (Transport Layer Security). Data stored in our database is encrypted at rest using AES-256, a standard used by financial institutions worldwide. Encryption at rest protects your data if the underlying storage or a backup is lost or stolen; it does not by itself stop someone who gains application-level access, which is what the access controls below are for.

Row-Level Security

Our database uses Supabase Row Level Security (RLS): policies attached to each table are enforced by Postgres itself, so a query issued under a user’s session can only return or modify that user’s rows. This means that even if a bug in our application code omitted a user filter, the database layer would still refuse to return one user’s data in another user’s queries.
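As an added example (not Ghost Financial’s own schema or code), here is what a Supabase-style RLS policy set looks like for a hypothetical `transactions` table, and what an unfiltered query returns under two different users’ sessions. The table and column names, the two UUIDs and the sample row are made up for this example. Run it as a superuser against a scratch Postgres database; on Supabase itself the `auth.uid()` function and the `authenticated` role already exist and the stand-ins at the top are skipped.

```sql
-- Added example, not Ghost Financial's schema: a Supabase-style RLS setup for a
-- hypothetical `transactions` table. Run it against a scratch database.

do $setup$
begin
  -- Supabase already provides the auth schema, auth.uid() and the `authenticated`
  -- role; these stand-ins only exist so the example also runs on plain Postgres.
  if not exists (select 1 from pg_roles where rolname = 'authenticated') then
    create role authenticated nologin;
  end if;
  if not exists (select 1 from pg_proc p join pg_namespace n on n.oid = p.pronamespace
                 where n.nspname = 'auth' and p.proname = 'uid') then
    create schema if not exists auth;
    grant usage on schema auth to authenticated;
    -- Mirrors Supabase: the `sub` claim of the caller's JWT, which PostgREST
    -- exposes to the database through the request.jwt.claims setting.
    create function auth.uid() returns uuid language sql stable as $uid$
      select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'sub', '')::uuid
    $uid$;
  end if;
end
$setup$;

create table transactions (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null default auth.uid(),  -- owner comes from the session, not the client
  posted_at    date not null,
  amount_cents bigint not null,
  description  text
);
grant select, insert, update, delete on transactions to authenticated;

-- Turn RLS on. With RLS enabled and no policy, the table returns no rows at all.
-- FORCE applies the policies to the table owner as well; only superusers and
-- roles with BYPASSRLS (which includes Supabase's service_role) skip them.
alter table transactions enable row level security;
alter table transactions force row level security;

-- One policy per operation. Wrapping auth.uid() in (select ...) lets Postgres
-- evaluate it once per query instead of once per row.
create policy "own rows: select" on transactions for select to authenticated
  using ((select auth.uid()) = user_id);
create policy "own rows: insert" on transactions for insert to authenticated
  with check ((select auth.uid()) = user_id);
create policy "own rows: update" on transactions for update to authenticated
  using ((select auth.uid()) = user_id) with check ((select auth.uid()) = user_id);
create policy "own rows: delete" on transactions for delete to authenticated
  using ((select auth.uid()) = user_id);

-- Simulate user A's session the way PostgREST does: assume the API role and
-- set the JWT claims. The UUIDs are made up for this example.
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"11111111-1111-4111-8111-111111111111","role":"authenticated"}';
insert into transactions (posted_at, amount_cents, description)
  values ('2026-03-02', -425, 'Coffee');   -- user_id defaults to auth.uid()
select count(*) from transactions;         -- 1
commit;

-- User B runs the same unfiltered query a buggy endpoint might issue.
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"22222222-2222-4222-8222-222222222222","role":"authenticated"}';
select count(*) from transactions;         -- 0: A's row is invisible, no WHERE clause needed
-- Spoofing ownership on insert fails the WITH CHECK clause with
-- "new row violates row-level security policy for table transactions".
insert into transactions (user_id, posted_at, amount_cents)
  values ('11111111-1111-4111-8111-111111111111', '2026-03-02', 100);
rollback;
```

Two things the policies alone do not cover. Backend code that connects with a service-role key (or any role with BYPASSRLS) bypasses RLS entirely, so server-side code acting on behalf of a user should run under that user’s JWT or apply its own `user_id` filter. And a Postgres view is evaluated with its owner’s privileges, so a view over a protected table bypasses the policies unless it is created with `security_invoker = true` (Postgres 15 and later).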

Infrastructure

Our backend services run on Fly.io in the Toronto region, keeping your data within Canada. We use Cloudflare for DNS, DDoS protection, and edge security. Our database is hosted on Supabase with automated backups and point-in-time recovery.

PIPEDA Compliance

Ghost Financial operates in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). We collect only the minimum data necessary to provide the Service, store it in Canada, and provide you with the ability to access, correct, or delete your information at any time.

SOC 2 — Planned

We are committed to pursuing a SOC 2 Type II report as Ghost Financial grows. A SOC 2 audit has an independent auditor formally test our security controls against the AICPA Trust Services Criteria over a period of months. We do not currently hold a SOC 2 report, but it is on our roadmap. We believe in being upfront about this rather than claiming an attestation we haven’t yet earned.

In the meantime, we follow SOC 2-aligned practices in our development and operations: access controls, audit logging, incident response planning, and vendor security reviews.

Authentication Security

User authentication is managed through Supabase Auth, which supports secure email/password flows and OAuth providers. Passwords are never stored in plaintext: they are hashed using industry-standard, salted, slow password hashing. Sessions use a short-lived access token (a signed JWT) together with a refresh token, and the refresh token is rotated each time it is used to obtain a new access token.

Reporting a Vulnerability

We welcome responsible disclosure from security researchers. If you discover a security vulnerability in Ghost Financial, please report it to us before disclosing it publicly so we can address it promptly.

Contact us at: security@ghostfinancial.app

Please include a description of the vulnerability, steps to reproduce it, and any relevant technical details. We will acknowledge your report within 48 hours and keep you informed as we investigate and resolve the issue. We ask that you give us a reasonable timeframe to address the issue before public disclosure.

Questions

For general security questions, reach us at support@ghostfinancial.app.