Help Center / Security
Legal · Placeholder

Security at ReservWise

How we protect your account, your financial data, and the infrastructure underneath.

Draft — pre-launch · Last updated 2026-04-26

Note: several items below are clearly labeled as roadmap or planned. We'd rather be honest about where we are than overclaim. The production version of this page will be reviewed by counsel and our security lead before launch.

Plain-English summary

We hold financial data, so we take security seriously. We never see your bank password (Plaid handles it). All data is encrypted in transit and at rest. We use modern authentication (TOTP 2FA), least-privilege access for staff, and we will publish a real incident response process and SOC 2 report once we're production.

Account security

  • Passwords are stored hashed (bcrypt) — never in plaintext.
  • Two-factor authentication via TOTP (Authy, Google Authenticator, 1Password, etc.) is supported and strongly recommended.
  • You can review and revoke active sessions from Settings → Security.
  • Failed login attempts are rate-limited.
  • Suspicious sign-in activity triggers an email and may pause access.

Setup walkthrough: Security category in the help center.

Bank and financial data

Bank credentials are handled exclusively by Plaid. We never see, store, or transmit your bank username or password.

We receive a read-only access token from Plaid and use it to fetch:

  • Account metadata (account name, type, last 4 digits)
  • Account balances
  • Transaction history

We do not have authority to move money on your behalf. Read access only.

You can revoke our Plaid access at any time from Settings → Connected Accounts, or directly from your bank's portal.

Encryption

  • In transit: TLS 1.2+ for all client-server communication. HSTS enforced.
  • At rest: database and backups encrypted using AES-256.
  • Plaid tokens: stored encrypted with envelope encryption — the keys live in a separate, restricted-access key management system.
  • Secrets: service credentials, API keys, and database credentials are stored in a secret manager and rotated on a schedule.

Infrastructure

  • Hosted on a managed VPS / cloud provider (specifics published with production version).
  • Database: PostgreSQL 16 with daily snapshots and point-in-time recovery.
  • Web tier behind a reverse proxy with rate limiting and DDoS mitigation.
  • Deployments are versioned and rollback-capable.

Monitoring & logging

  • Application errors are captured with an error-monitoring tool (final vendor pending).
  • Authentication and security-relevant events are logged with retention.
  • We do not log personal data fields beyond what's needed for security audit (e.g., we log which account changed, not the values changed).

Access controls (staff)

  • Staff access to production is limited to a small set of engineers, on a need-to-know basis.
  • All staff access uses 2FA.
  • Production database access is audit-logged.
  • No staff has access to your bank credentials — they don't exist in our systems.

Incident response

If we discover a security incident affecting your data, we will:

  • Notify affected users by email within the timeframe required by applicable law.
  • Publish a post-incident report at support.reservwise.com/legal/incidents when appropriate.
  • Cooperate with your reasonable requests for additional information.

Formal incident response runbooks are in development and will be linked here at launch.

Compliance roadmap

  • SOC 2 Type Iroadmap, target H2 2026.
  • SOC 2 Type IIroadmap, after Type I is in place.
  • GDPR — privacy controls described in our Privacy Policy; DPA available on request for EU/UK customers.
  • CCPA — California rights honored as described in the Privacy Policy.
  • PCI DSS — we do not store card data; Stripe handles payment.

We deliberately do not claim certifications we don't yet hold. Items above marked roadmap are works in progress.

Responsible disclosure

If you believe you've found a security vulnerability in ReservWise:

  • Email security@reservwise.com with a description and reproduction steps.
  • Please give us a reasonable window (typically 90 days) to fix it before public disclosure.
  • Don't access data you don't own, exfiltrate data, or perform DoS testing.
  • We will acknowledge your report within 72 hours and keep you updated as we work it.

A formal bug bounty program is on the roadmap. Until then, we credit responsible reporters publicly (with permission).

Contact

Security concerns: security@reservwise.com
General support: support@reservwise.com

All systems operational View status page →