EST. MMXXV

Trust & Security

Atrium Wealth Council is built by Alter3d Development LLC. This page summarizes how we protect your financial information, the vendors we rely on, and how to reach us about security.

Security posture

  • TLS 1.2+ everywhere; HSTS on all production hostnames.
  • Row-Level Security on every user table — server-enforced, not client-checked.
  • Admin actions verified via server-side role checks (`has_role()`), never client storage.
  • Secrets stored in Lovable Cloud's managed vault, never in the codebase.
  • CSP, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy on all responses.
  • Stripe webhooks validated by signature; JWTs verified on protected functions.
  • Tamper-evident audit log of role, billing, household, and account-deletion events.
  • Automated CI: lint, typecheck, unit tests, RLS tests, end-to-end auth flows, dependency scan.
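One concrete shape of the Row-Level Security and `has_role()` controls listed above, as an added example rather than the project's own schema: it assumes a Supabase-style Postgres (`auth.users`, `auth.uid()`, the `authenticated` role) and uses invented table names (`user_roles`, `household_members`, `accounts`). The closing transaction shows the kind of RLS test that can run in CI by impersonating a JWT subject.

```sql
-- Added example (not the project's own schema). Assumes a Supabase-style Postgres
-- with auth.users, auth.uid() and the `authenticated` role; table names are assumed.

-- 1. Role assignments. RLS enabled with no policies means nothing presented with an
--    end-user JWT can read or write here; only migrations / the service role populate it.
create table if not exists public.user_roles (
  user_id uuid not null references auth.users (id) on delete cascade,
  role    text not null check (role in ('admin', 'member')),
  primary key (user_id, role)
);
alter table public.user_roles enable row level security;

-- 2. has_role(): the server-side check admin actions rely on. SECURITY DEFINER so it
--    can read user_roles although the caller has no policy there; search_path pinned
--    so a caller cannot shadow user_roles with a table in a schema they control;
--    STABLE so the planner evaluates it once per statement rather than once per row.
create or replace function public.has_role(required_role text)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from public.user_roles
    where user_id = auth.uid() and role = required_role
  );
$$;

-- 3. Household membership. The same SECURITY DEFINER pattern lets policies on other
--    tables consult it without recursing into household_members' own RLS policies.
create table if not exists public.household_members (
  household_id uuid not null,
  user_id      uuid not null references auth.users (id) on delete cascade,
  primary key (household_id, user_id)
);
alter table public.household_members enable row level security;

create policy household_members_self_read on public.household_members
  for select to authenticated
  using (user_id = auth.uid());

create or replace function public.is_household_member(hid uuid)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from public.household_members
    where household_id = hid and user_id = auth.uid()
  );
$$;

-- 4. A user table: owner gets read/write, invited household members read-only,
--    admins may delete. Any row not matched by a policy is invisible / untouchable.
create table if not exists public.accounts (
  id            uuid primary key default gen_random_uuid(),
  owner_id      uuid not null default auth.uid() references auth.users (id) on delete cascade,
  household_id  uuid,
  balance_cents bigint not null default 0
);
alter table public.accounts enable row level security;

create policy accounts_owner_all on public.accounts
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy accounts_household_read on public.accounts
  for select to authenticated
  using (household_id is not null and public.is_household_member(household_id));

create policy accounts_admin_delete on public.accounts
  for delete to authenticated
  using (public.has_role('admin'));

-- 5. RLS test: impersonate a JWT subject inside a transaction and confirm the
--    policies return only what they should. The subject UUID here is constructed.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}', true);
-- Expect only rows owned by ...0001 or shared with a household ...0001 belongs to.
select id, owner_id, household_id from public.accounts;
-- Expect 0 rows affected unless ...0001 holds the admin role in user_roles.
delete from public.accounts where owner_id <> auth.uid();
rollback;
```

Two points worth checking in any real schema following this pattern: every table a policy consults (here `user_roles` and `household_members`) must itself have RLS enabled, otherwise a client can read or rewrite the very rows that grant access; and every SECURITY DEFINER helper needs `set search_path` pinned, because without it the function resolves table names in the caller's search path.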

Data handling

Financial data you enter is stored encrypted at rest in our managed Postgres database and is only accessible to you (and household members you've explicitly invited). Uploaded documents live in private storage buckets, scoped to your user ID.

You can export or delete your account at any time from your profile. Deletion cancels active subscriptions, removes uploaded files, and erases owned rows within minutes.

Subprocessors

We share data only with the vendors required to operate the service:

Vendor                            Purpose                                            Region   Policy
Supabase                          Database, authentication, file storage             US       Link
Stripe                            Payment processing & subscription billing          Global   Link
Cloudflare                        Edge hosting, DDoS protection, TLS termination     Global   Link
Lovable                           Application hosting platform & AI Gateway          EU/US    Link
Resend                            Transactional email delivery                       US       Link
OpenAI / Google (via Lovable AI)  Large language model inference for in-app agents   US       Link

Compliance status

We are not currently SOC 2 certified. We follow controls aligned with the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality) and operate on infrastructure (Supabase, Stripe, Cloudflare) that maintains its own SOC 2 Type II reports. A formal audit is on our roadmap.

Incident response

If we discover a breach affecting your data, we will notify affected members by email without undue delay, and in any case within 72 hours of confirmation, with the facts known at the time and the steps we are taking.

Responsible disclosure

Found a vulnerability? Please email contact@atriumwealthcouncil.com with reproduction steps. Full policy at /.well-known/security.txt.