Our Security Promise: We treat your data like we'd treat our own. We use the same security measures banks use, we're transparent about our practices, and you control your data at all times.
Core Security Principles
End-to-End Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Your information is unreadable to anyone without proper authorization.
Zero Password Storage
We never ask for or store your bank passwords. Our extension only reads data when you're already logged into your bank's website.
Read-Only Access
Stakt cannot modify your accounts, make purchases, or change any settings. We're strictly a read-only viewer of your offers.
Authentication & Access
Secure Login Methods
- Magic Links - Passwordless authentication sent to your email
- Phone OTP - Optional two-factor authentication via SMS
- Passkeys - Modern, phishing-resistant authentication (coming soon)
- Session Management - Secure, time-limited sessions with automatic expiration
Access Controls
- Row-Level Security - Database policies ensure you only see your own data
- Token-Based Auth - Short-lived, cryptographically signed access tokens
- Device Tracking - Optional ability to view and revoke active sessions
Data Protection
What We Store
| Data Type | Storage | Encryption |
|---|---|---|
| Email address | Hashed + encrypted | AES-256 |
| Offer data (merchants, amounts) | Encrypted database | AES-256 |
| Card identifiers (last 4 digits) | Encrypted | AES-256 |
| Bank passwords | Never stored | N/A |
| Full card numbers | Never stored | N/A |
| Transaction history | Never stored | N/A |
Data Residency & Backups
- Primary data storage: United States (AWS)
- Encrypted backups retained for 90 days maximum
- All backup data is encrypted with separate keys
- Geographic redundancy for disaster recovery
Security Practices
Development & Deployment
- Code Review - All code changes reviewed by multiple engineers
- Dependency Scanning - Automated vulnerability checks on all dependencies
- Static Analysis - Automated security scanning in CI/CD pipeline
- Secrets Management - API keys and credentials stored in secure vaults, never in code
Infrastructure
- Cloud Infrastructure - SOC 2 Type II certified providers (Supabase, AWS)
- Network Security - DDoS protection, WAF, and intrusion detection
- Access Logging - Comprehensive audit logs of all administrative access
- Patch Management - Automated security updates within 24 hours of release
Bug Bounty & Responsible Disclosure
We believe in the security community and welcome responsible disclosure of vulnerabilities.
How to Report
- Email [email protected] with details
- Use our PGP key for sensitive communications
- Allow us reasonable time to address issues before public disclosure
- Do not exploit vulnerabilities beyond what's necessary for demonstration
Our Promise
- We respond to all reports within 48 hours
- We don't take legal action against good-faith security researchers
- We publicly acknowledge contributions (with your permission)
- We reward significant findings with swag and recognition
Compliance & Certifications
SOC 2 Type II
Our infrastructure providers maintain SOC 2 Type II certification. We're working toward our own certification.
GDPR Compliant
We respect your right to data portability, deletion, and privacy. EU users have full GDPR rights.
CCPA Compliant
California residents have full rights under the California Consumer Privacy Act.
Incident Response
While we work hard to prevent security incidents, we have a comprehensive response plan:
- Detection - 24/7 automated monitoring and alerting
- Response Time - Security team paged immediately upon detection
- Notification - Affected users notified within 72 hours of confirmed breach
- Transparency - Public incident reports for significant issues
- Recovery - Automated failover and disaster recovery procedures
Security Contacts
Have a security concern or question? Here's how to reach us:
Security Issues
[email protected]
Privacy Questions
[email protected]
Legal Matters
[email protected]
For urgent security matters, include "URGENT" in the subject line and we'll prioritize your message.