Security

Your financial data is sensitive. We treat it that way.

Infrastructure

  • Encryption in transit: All data is transmitted over TLS 1.3. We enforce HTTPS on every connection.
  • Encryption at rest: Data is encrypted using AES-256 at the database and storage layer.
  • Cloud hosting: Hosted on SOC 2 Type II certified infrastructure with redundancy and automated backups.
  • Network isolation: Application services run in isolated virtual networks with strict firewall rules.

Application Security

  • Authentication: Secure credential hashing (bcrypt), OAuth 2.0 support (Google, GitHub), and CSRF protection on all forms.
  • Authorization: Role-based access controls ensure users only access their own data.
  • Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks.
  • Input validation: All user inputs are validated and sanitized to prevent injection attacks.
  • Dependency management: Automated vulnerability scanning of all dependencies with prompt patching.

Data Protection

  • Data isolation: Each company's data is logically isolated. There is no cross-tenant data access.
  • Backups: Automated daily backups with point-in-time recovery. Backups are encrypted and stored in a separate region.
  • Data deletion: Account deletion removes all personal and financial data within 30 days.
  • AI data handling: Your financial data is not used to train AI models. AI processing occurs on our secure servers — data is never sent to third-party model providers without your explicit consent.

Compliance

  • SOC 2: Working toward SOC 2 Type II certification. Our infrastructure providers are SOC 2 certified.
  • GDPR: We support data subject rights including access, correction, deletion, and portability.
  • CCPA: California residents can exercise their privacy rights as described in our Privacy Policy.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. Contact us at security@burnless.com. We take all reports seriously and will respond within 48 hours. Please do not publicly disclose the vulnerability until we have had a chance to investigate and address it.

Questions?

For security-related inquiries, contact security@burnless.com. For general support, reach us at support@burnless.com.