Trust · Security

Your records are treated like ours.

Encryption, isolation, and a small list of audited sub-processors. Fit Finance is built by a small team that takes data the way it asks customers to take their numbers — seriously.

EU data residency TLS 1.2+ in transit AES-256 at rest Row-level isolation

Six pillars, no marketing fluff

A short list of practices we actually implement. If you have a security questionnaire, send it our way.

Encryption everywhere

All traffic is TLS 1.2+. Data at rest in the database and object storage is encrypted with AES-256.

Tenant isolation by default

Every record carries an org_id. Records are isolated per-organization and enforced at the database layer via Postgres row-level security — so isolation doesn't depend on app code getting every query right.

EU data residency

Application data lives in Supabase EU (Frankfurt). Backups stay in-region. Cross-region transfers use Standard Contractual Clauses.

Hardened auth

Passwords are hashed with bcrypt. Magic-link, password reset, and trusted-device sessions rotate on a tight schedule. SSO is on the roadmap.

Audited dependencies

Dependencies are scanned as part of our pipeline. We aim to patch critical CVEs promptly (target: within ~72 hours). We avoid abandoned packages in core paths.

Honest incident response

If something goes wrong we tell you, in plain language, within 72 hours of confirming a breach — and document the fix afterwards.

Your data, recoverable.

We rely on Supabase point-in-time recovery for the database and versioned object storage for files. Backups stay inside the EU and rotate on a 30-day window. We aim to run restore drills regularly, rather than leaving recovery as a "we'll figure it out later" idea.

Recovery point objective

Target ~5 min

Continuous WAL streaming

Recovery time objective

Target ~4 hours

What we aim to recover within

Backup retention

30 days rolling

Plus monthly cold archives

Restore exercise

Regular goal

We aim to run drills routinely

A short, named list.

We list every vendor that touches customer data. Material changes are announced in-app.

We don't currently hold SOC 2 or ISO 27001 — here's what we do instead: EU data residency, encryption in transit and at rest, database-level tenant isolation, and a short, named list of sub-processors you can audit yourself.

Provider Purpose Region
Supabase Database, auth, file storage EU (Frankfurt)
Cloudflare CDN, DDoS protection, edge Global edge
Stripe Subscription billing & payments Ireland / US
Resend Transactional email delivery EU / US
Sentry Error monitoring (no PII payloads) EU (Frankfurt)

Found something? Tell us.

If you believe you've found a security issue, email us privately. We commit to acknowledge within 48 hours, give you a fix timeline, and credit you publicly if you'd like — once the issue is resolved.