Your financial data is sensitive. We've built Arcane Ledger with security as a first-class concern — not an afterthought. This page explains exactly how your data is protected.
Read-Only Bank Access
We can view your transactions and balances. We cannot move money, initiate transfers, or take any action on your accounts.
No Credential Storage
Your banking username and password are never seen or stored by us. Credentials go directly to Plaid's encrypted interface.
Encrypted in Transit
All communication between your device and our servers uses TLS 1.2+ (HTTPS). Data is never sent in plaintext.
Encrypted at Rest
Your data is stored in Google Firebase (Firestore), which encrypts all data at rest using AES-256 by default.
1. Bank Account Access — Read-Only by Design
Arcane Ledger connects to your bank through Plaid, a regulated financial data network. Our access is strictly read-only. We retrieve transaction history and account balances — nothing more.
- We cannot initiate transfers, payments, or withdrawals.
- We cannot modify your bank account or any data at your financial institution.
- We never see your bank login credentials — they are entered directly in Plaid's interface and are encrypted before they ever leave your device.
- Plaid provides us with a secure, tokenized access credential (not your password) that can be revoked at any time.
- You can revoke access to any connected bank at any time from within the app or through your bank's third-party app settings.
Plaid is used by thousands of financial applications and is subject to rigorous security audits. See plaid.com/safety for details on their security practices.
2. No Credential Storage
Arcane Ledger never stores or transmits your banking passwords, PINs, or security question answers. The flow works like this:
- You enter your bank credentials into Plaid's secure, sandboxed interface (Link).
- Plaid authenticates with your bank and returns an access token to us.
- We store only that access token — not your password — and use it solely to pull your transaction data.
The access token is stored server-side in Firebase Cloud Functions and is never exposed to the browser or included in client-side code.
3. Encryption in Transit
- All traffic between your browser and Arcane Ledger uses HTTPS with TLS 1.2 or higher.
- Firebase Hosting enforces HTTPS automatically — HTTP connections are redirected to HTTPS.
- All calls to Firebase Cloud Functions (including Plaid and Stripe operations) are encrypted end-to-end.
- Stripe's payment flows use their own TLS-secured infrastructure and are PCI DSS Level 1 compliant.
4. Encryption at Rest
- All Firestore data (your transactions, budgets, goals, and account information) is encrypted at rest using AES-256, managed by Google Cloud.
- Firebase Authentication stores your password as a secure, salted hash — we cannot retrieve your password in plaintext.
- Sensitive API keys (Plaid, Stripe, Anthropic) are stored as Firebase Secret Manager secrets — they are never hardcoded in source code or environment files.
- Plaid access tokens are stored server-side only and are never sent to the browser.
5. Authentication and Account Security
- Authentication is managed by Firebase Authentication — a Google-managed service with built-in brute-force protection and secure session management.
- You can sign in with Email/Password or Google Sign-In (OAuth 2.0).
- Sessions are managed via secure, HttpOnly tokens. You can sign out from any device at any time.
- We recommend using a strong, unique password and enabling two-factor authentication on your Google account if you sign in with Google.
6. Infrastructure and Third-Party Security
Arcane Ledger is built on infrastructure maintained by security-certified providers:
- Firebase / Google Cloud — SOC 2 Type II, ISO 27001, and ISO 27017 certified. firebase.google.com/support/privacy
- Plaid — SOC 2 Type II certified, regulated financial data network. plaid.com/safety
- Stripe — PCI DSS Level 1 Service Provider. stripe.com/docs/security
7. What We Cannot See
To be explicit about the boundaries of our access:
- Your bank login credentials (username, password, PIN).
- Your credit card or debit card number (handled entirely by Stripe).
- Any account at financial institutions you have not explicitly connected via Plaid.
- Data from other apps or devices on your phone.
8. Reporting a Security Issue
If you believe you've found a security vulnerability in Arcane Ledger, please contact us responsibly before public disclosure:
- Email: stackedalchemist@gmail.com
- Subject line: Security Disclosure — Arcane Ledger
We take all security reports seriously and will respond promptly.