Security at ChillFile.
We handle financial data. We take that seriously. Here's how we protect it.
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Sensitive fields like SSNs use additional field-level encryption via a dedicated key management service.
Access controls
Our database uses row-level security — even if there were a bug in our application code, one user's data cannot be returned to another user. Every query is scoped to your user ID at the database level.
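The isolation described above, as an added example in standard Postgres SQL (the engine Supabase is built on); this is not ChillFile's own schema or policy. It assumes a transactions table with a user_id column and an application that stores the caller's id in the session setting app.user_id before each query.

```sql
-- Added example, not ChillFile's schema. Assumed table: one row per user
-- transaction, keyed on user_id. The caller's id is assumed to arrive in the
-- session setting app.user_id (on Supabase the built-in auth.uid() helper,
-- which reads the id from the caller's JWT, plays the same role).
CREATE TABLE transactions (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id   uuid NOT NULL,
    amount    numeric(12, 2) NOT NULL,
    memo      text
);

-- Constructed sample rows for two users (run as the schema owner/superuser).
INSERT INTO transactions (user_id, amount, memo) VALUES
    ('11111111-1111-1111-1111-111111111111', 42.00, 'user A coffee'),
    ('22222222-2222-2222-2222-222222222222', 99.00, 'user B rent');

-- Weak setting: RLS not enabled. Isolation then depends on every application
-- query remembering its own "WHERE user_id = ..." clause; one forgotten
-- clause leaks every user's rows.

-- Corrected setting: enforce isolation inside the database.
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table-owning role is exempt from its own policies.
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- One policy for SELECT/INSERT/UPDATE/DELETE: a row is visible or writable
-- only when its user_id equals the caller's id. The "true" argument makes
-- current_setting return NULL instead of erroring when the setting is absent,
-- and NULL never compares equal, so an unscoped session sees no rows at all.
CREATE POLICY transactions_owner_only ON transactions
    FOR ALL
    USING      (user_id = current_setting('app.user_id', true)::uuid)
    WITH CHECK (user_id = current_setting('app.user_id', true)::uuid);

-- The application connects as a role that cannot bypass RLS. Superusers and
-- roles with BYPASSRLS are never subject to policies, so the app must not
-- use one of those.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON transactions TO app_user;

-- Check: act as user A and issue a query that forgot its WHERE clause.
SET ROLE app_user;
SET app.user_id = '11111111-1111-1111-1111-111111111111';
SELECT memo FROM transactions;  -- the policy filters user B's row out

-- A write that claims another user's id is rejected by the WITH CHECK clause.
INSERT INTO transactions (user_id, amount, memo)
VALUES ('22222222-2222-2222-2222-222222222222', 1.00, 'spoofed');
```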
Infrastructure
- Frontend: Vercel (SOC 2 Type II)
- Database: Supabase (SOC 2 Type II)
- Banking: Plaid (SOC 2 Type II, ISO 27001)
- Payments: Stripe (PCI DSS Level 1)
We are pursuing SOC 2 Type I certification for ChillFile itself.
Read-only bank access
We never see your bank password. Plaid handles authentication directly with your bank. We cannot move, transfer, or withdraw money. Our access is read-only. You can revoke it anytime from your dashboard.
Vulnerability disclosure
Found a vulnerability? Email security@chillfile.com. We respond within 24 hours. We don't have a formal bug bounty yet, but we appreciate responsible disclosure and will credit you publicly (with your permission).
Breach notification
If we discover a data breach affecting your personal information, we will notify you within 72 hours via the email on your account.