Security at Guapital

Your financial data is your most sensitive information. Here's how we protect it with bank-level security.

Our Security Promise

We use the same security standards as major banks and financial institutions. Your data is encrypted, isolated, and monitored 24/7. We're committed to transparency—this page explains exactly how we keep your information safe.

We can only read your account balances.

We cannot move money, access banking credentials, or see private keys.

Data Encryption

Your data is protected at every layer with military-grade encryption, both at rest and in transit.

  • AES-256 encryption at rest (same as US classified data)
  • TLS 1.3 in transit (latest encryption protocol)
  • Securely hashed passwords (we can't see your password)
  • End-to-end encryption for all communications
[Illustration: your bank account balances, encrypted at rest with AES-256 and encrypted in transit with TLS 1.3]

Access Controls

Row-Level Security (RLS)

Every database table uses Row-Level Security policies to ensure you can only access your own data. Even if someone gained unauthorized database access, they couldn't read data belonging to other users without proper authentication tokens.

OAuth 2.0 Authentication

We use industry-standard OAuth 2.0 for authentication. Session tokens are signed, validated, and expire after a set period. If you log out or your token expires, you must re-authenticate to access your data.

Role-Based Permissions

Our internal team follows the principle of least privilege. Only authorized personnel can access infrastructure, and no one can view user financial data directly without explicit consent for support purposes.

Trusted Partners

We partner with industry-leading security providers to keep your data safe.

Plaid

Bank Connections

  • Read-only access (cannot move money)
  • SOC 2 Type II certified
  • Used by Venmo, Robinhood, 8,000+ apps
  • We never see your banking credentials

Alchemy

Crypto Tracking

  • Public addresses only (no private keys)
  • Read-only blockchain API
  • Multi-chain support (5 networks)
  • Cannot authorize transactions

Stripe

Payment Processing

  • PCI DSS Level 1 certified
  • Tokenized credit cards
  • We never store card numbers
  • Industry leader in payment security

Supabase

Database & Authentication

  • SOC 2 Type II compliant
  • Daily automated backups
  • Built on AWS infrastructure
  • DDoS protection

Infrastructure Security

AWS Hosting

Our application is hosted on AWS Amplify, leveraging Amazon's enterprise-grade security infrastructure with 24/7 monitoring, automated patching, and isolated network environments.

Content Security Policy (CSP)

We enforce strict Content Security Policies to prevent cross-site scripting (XSS) attacks. Only whitelisted domains (Plaid, Stripe, Supabase, Alchemy) can load resources on our pages.

HTTP Strict Transport Security (HSTS)

All traffic to Guapital is forced over HTTPS with a 1-year HSTS policy. This prevents downgrade attacks and ensures encrypted connections.

Rate Limiting

We enforce rate limits on all API endpoints to prevent brute force attacks, credential stuffing, and abuse. Auth endpoints are limited to 5 requests per 15 minutes, and expensive operations (like crypto syncs) are limited to 10 per hour.

Monitoring & Incident Response

Real-Time Monitoring

We use Sentry for error tracking and AWS CloudWatch for infrastructure monitoring. Any anomalies or errors trigger immediate alerts to our engineering team.

Security Audits

We conduct regular security audits of our codebase and infrastructure. As we grow, we plan to engage third-party security firms for penetration testing and vulnerability assessments.

Incident Response Plan

In the unlikely event of a security breach, we have a documented incident response plan. We'll notify affected users within 72 hours (or sooner, as required by law) and take immediate steps to contain and resolve the issue.

Webhook Verification

All webhooks from Plaid and Stripe are cryptographically signed. We verify signatures before processing any webhook events to prevent spoofing or replay attacks.
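As an added illustration of the check described above (example code written for this page, not Guapital's, Plaid's or Stripe's own code), the verifier below follows the timestamped-HMAC scheme Stripe documents (`t=<timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<body>">`): the signature is compared in constant time, and a valid signature on a stale timestamp is rejected so a captured event cannot be replayed. The secret, payload and tolerance window are constructed sample values.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample values for this example only; not real credentials.
ENDPOINT_SECRET = b"whsec_example_secret_for_demo_only"
TOLERANCE_SECONDS = 300  # events older than 5 minutes are treated as replays


def sign_payload(secret: bytes, timestamp: int, payload: bytes) -> str:
    """Build a Stripe-style signature header for a raw request body."""
    signed = str(timestamp).encode() + b"." + payload
    digest = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(secret: bytes, header: str, payload: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the signature matches AND the timestamp is fresh."""
    now = int(time.time()) if now is None else now
    fields = {}
    for part in header.split(","):
        key, _, value = part.partition("=")
        fields.setdefault(key.strip(), []).append(value.strip())
    try:
        timestamp = int(fields["t"][0])
    except (KeyError, ValueError, IndexError):
        return False  # malformed header: fail closed
    # Replay protection: reject events outside the tolerance window even if
    # the HMAC itself is correct.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    # Recompute the HMAC over the exact raw bytes that were received; any
    # re-serialisation of the body would change the digest.
    signed = str(timestamp).encode() + b"." + payload
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    # Constant-time comparison against each v1 candidate (there can be
    # several while an endpoint secret is being rotated).
    return any(hmac.compare_digest(expected, cand) for cand in fields.get("v1", []))


def process_event(secret: bytes, header: str, payload: bytes, now: int) -> str:
    """Gate all handling on verification: unverified events are dropped unparsed."""
    if not verify_webhook(secret, header, payload, now):
        return "rejected"
    return "accepted"
```

The same pattern applies to any HMAC-signed webhook: verify against the raw body before JSON parsing, and bound the timestamp so a replayed event fails even though its signature is genuine.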

Privacy & Compliance

We never sell your data. Ever. Bank-level security, transparent pricing, and GDPR compliance mean your trust is our business model.

No Data Selling

Subscription revenue only. We work for you, not advertisers.

GDPR Compliant

Access, correct, or delete your data anytime.

Data Deletion

Deleting your account permanently removes your data within 30 days.

Your Responsibilities

While we work hard to keep your data secure, security is a shared responsibility. Here's what you can do:

Use a Strong Password

Choose a unique password with at least 12 characters, including uppercase letters, lowercase letters, numbers, and symbols. Don't reuse passwords from other sites.

Enable Two-Factor Authentication (Coming Soon)

We're building 2FA support to add an extra layer of security. When available, we highly recommend enabling it.

Keep Your Email Secure

Your email is the recovery method for your Guapital account. Make sure your email account has a strong password and 2FA enabled.

Log Out on Shared Devices

If you access Guapital on a public or shared computer, always log out when you're done.

Report Suspicious Activity

If you notice anything unusual with your account (unauthorized access, unexpected changes), contact our security team immediately using the button below.

Questions About Security?

We're committed to transparency. Report vulnerabilities or ask questions about our security practices.