All stored data is encrypted at rest. All network traffic is encrypted in transit. Sensitive credentials receive additional application-layer encryption.
At rest
All data stored in our managed database is encrypted with AES-256 at the storage layer. This is the same standard used by AWS-backed and GCP-backed managed databases by default.
In transit
All network traffic between your browser and our application is encrypted with TLS 1.3. Our application servers do not accept unencrypted (HTTP) connections.
Application-layer encryption for credentials
OAuth tokens for BEC mailbox audits and contractor tax IDs (SIN, SSN, EIN) receive an additional layer of encryption with Fernet (a standard authenticated-encryption scheme) before being written. This is defense-in-depth: a database breach alone would not expose these credentials.
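As an added illustration (not this service's own code), the sketch below shows what application-layer Fernet encryption means for a database-only breach: the stored column holds only an authenticated token, which a different key cannot decrypt and which is rejected if modified. The table and column names, the in-memory SQLite database, and the key being held outside the database are assumptions; it uses the Python `cryptography` package.

```python
import base64
import sqlite3
from cryptography.fernet import Fernet, InvalidToken

def store_secret(db, fernet, owner, secret):
    # Encrypt in the application; the database only ever receives the token.
    token = fernet.encrypt(secret.encode())
    db.execute("INSERT INTO secrets (owner, token) VALUES (?, ?)", (owner, token))

def load_secret(db, fernet, owner):
    # decrypt() verifies the HMAC first and raises InvalidToken on any mismatch.
    (token,) = db.execute(
        "SELECT token FROM secrets WHERE owner = ?", (owner,)).fetchone()
    return fernet.decrypt(token).decode()

def rejects(fernet, token):
    # True when the token fails authentication under this key.
    try:
        fernet.decrypt(token)
        return False
    except InvalidToken:
        return True

def demo():
    db = sqlite3.connect(":memory:")  # hypothetical schema, for illustration only
    db.execute("CREATE TABLE secrets (owner TEXT PRIMARY KEY, token BLOB)")
    app_key = Fernet(Fernet.generate_key())  # assumption: kept outside the DB
    sample = "000-00-0000"                   # constructed sample value
    store_secret(db, app_key, "contractor-1", sample)

    # What a database-only breach yields: the raw column contents.
    (raw,) = db.execute("SELECT token FROM secrets").fetchone()

    # Flip one ciphertext bit. Token layout: version (1 byte), timestamp (8),
    # IV (16), ciphertext, HMAC (32); byte 25 is the first ciphertext byte.
    body = bytearray(base64.urlsafe_b64decode(raw))
    body[25] ^= 0x01
    tampered = base64.urlsafe_b64encode(bytes(body))

    return {
        "plaintext_in_column": sample.encode() in raw,
        "other_key_rejected": rejects(Fernet(Fernet.generate_key()), raw),
        "tampered_rejected": rejects(app_key, tampered),
        "round_trip": load_secret(db, app_key, "contractor-1"),
    }

if __name__ == "__main__":
    print(demo())
```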
We do not collect passwords
We never ask for the passwords to your business accounts. BEC mailbox audits use OAuth consent only — we receive a scoped token, not your password.
More detail
See our Security Standards page for the technical specification.