🔒 BANK-LEVEL SECURITY

Your financial data, locked down.

We built Clarity Books with security as a first principle — not an afterthought. Here is exactly how your data is protected, in plain language.

AES-256: Encrypted at rest
TLS 1.3: Encrypted in transit
Read-only: Bank access
SOC 2: Certified infra
How we protect you

Eight layers of protection

🔒

256-bit AES Encryption at Rest

Every row in our database — transactions, account balances, categorization rules, and your profile — is encrypted using AES-256 before it ever touches disk. The same standard used by banks and the U.S. government.

🛡️

TLS 1.3 in Transit

All data traveling between your browser, our servers, and third-party providers is encrypted in transit with TLS 1.3 on every connection. Older, weaker TLS versions (1.0, 1.1) are rejected at the network level.

👁️

Read-Only Bank Access

When you connect a bank account via Plaid, we receive a read-only token. We can see your transactions and balances — we cannot initiate transfers, move money, or interact with your account in any way.

🏗️

SOC 2 Type II Infrastructure

Our database and authentication run on Supabase, which maintains a SOC 2 Type II certification — meaning an independent auditor has verified their security controls annually. Your code and assets are hosted on Vercel, which is also SOC 2 certified.

🔑

Role-Based Access Control

Internally, only the admin user you authorize can view your books. Access roles are encoded into your session JWT and verified on every request, so a valid session token for one account cannot be used to access another user's data.

🧱

Row-Level Security (RLS)

Our database enforces row-level security policies at the Postgres layer — not just in application code. Even if a bug slipped through in our API, the database itself would reject unauthorized queries.

🏦

No Stored Banking Credentials

We never see or store your bank username or password. Plaid handles authentication directly with your financial institution using OAuth where available. Your credentials never touch our systems.

🗑️

Right to Delete

Close your account and your personal data, financial records, and AI-learned rules are permanently deleted from our systems within 30 days. You can trigger this yourself from Settings — no phone call, no waiting.

Bank connections

Powered by Plaid — the industry standard

We use Plaid to connect to your financial institutions. Plaid is trusted by Venmo, Robinhood, and thousands of fintechs. They authenticate you directly with your bank using OAuth wherever possible — your username and password never pass through our servers.

The access token we receive is scoped to transactions and balances only. It cannot be used to initiate payments, view full account numbers, or change any account settings.

What Plaid shares with us
✅ Transaction date, amount, and description
✅ Account balance (current & available)
✅ Institution name and account type
❌ Your bank username or password
❌ Full account or routing numbers
❌ Ability to initiate transfers
❌ Access to other accounts at the same institution
AI & your data

What the AI sees — and what it doesn't

When we send a transaction to Claude for categorization, we strip all personally identifiable data first.

✅ Sent to AI
Vendor name (e.g. "Starbucks")
Transaction amount
Transaction date
Memo / description field
Your business type
Previously learned category rules
❌ Never sent to AI
Your name or email address
Account or routing numbers
Bank login credentials
Your physical address
Social Security Number
Any other client's data
FAQ

Common security questions

Can Clarity Books move my money?
No. We use Plaid in read-only mode. The token we receive is scoped to transaction and balance data only. There is no technical path by which our application can initiate a transfer or interact with your bank account.

Does the AI see my account numbers?
No. When we send transaction data to Claude for categorization, we send only the vendor name, amount, memo, and date. Account numbers, routing numbers, and personal identifiers are stripped before the request leaves our server.

Who inside Clarity Books can see my data?
Only the owner (Brayden Callahan). There is no support team with shared database access. Administrative access requires multi-factor authentication and is logged.

What happens if there's a breach?
We will notify you by email within 72 hours of discovering any unauthorized access to your data. We will describe what was accessed, what we're doing about it, and what steps you should take.

Is my data shared with third parties for advertising?
Never. Your financial data is used solely to provide the bookkeeping service. We do not sell data, build advertising profiles, or share information with data brokers.

Where is my data stored geographically?
Your data is stored in Supabase's US East region (AWS us-east-1) and replicated within that region for redundancy. Data does not leave the United States.

Have a security question?

If you discover a potential vulnerability or have a question about how we handle your data, reach out directly. We take every report seriously.

brayden@claritybooksai.com