Your records are treated like ours.
Encryption, isolation, and a small list of audited sub-processors. Fit Finance is built by a small team that takes data the way it asks customers to take their numbers — seriously.
How it works
Six pillars, no marketing fluff
A short list of practices we actually implement. If you have a security questionnaire, send it our way.
Encryption everywhere
All traffic is TLS 1.2+. Data at rest in the database and object storage is encrypted with AES-256.
Tenant isolation by default
Every record carries an org_id. Records are isolated per-organization and enforced at the database layer via Postgres row-level security — so isolation doesn't depend on app code getting every query right.
EU data residency
Application data lives in Supabase EU (Frankfurt). Backups stay in-region. Cross-region transfers use Standard Contractual Clauses.
Hardened auth
Passwords are hashed with bcrypt. Magic-link, password reset, and trusted-device sessions rotate on a tight schedule. SSO is on the roadmap.
Audited dependencies
Dependencies are scanned as part of our pipeline. We aim to patch critical CVEs promptly (target: within ~72 hours). We avoid abandoned packages in core paths.
Honest incident response
If something goes wrong we tell you, in plain language, within 72 hours of confirming a breach — and document the fix afterwards.
Backups & recovery
Your data, recoverable.
We rely on Supabase point-in-time recovery for the database and versioned object storage for files. Backups stay inside the EU and rotate on a 30-day window. We aim to run restore drills regularly, rather than leaving recovery as a "we'll figure it out later" idea.
Recovery point objective
Target ~5 min
Continuous WAL streaming
Recovery time objective
Target ~4 hours
What we aim to recover within
Backup retention
30 days rolling
Plus monthly cold archives
Restore exercise
Regular goal
We aim to run drills routinely
Sub-processors
A short, named list.
We list every vendor that touches customer data. Material changes are announced in-app.
We don't currently hold SOC 2 or ISO 27001 — here's what we do instead: EU data residency, encryption in transit and at rest, database-level tenant isolation, and a short, named list of sub-processors you can audit yourself.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, auth, file storage | EU (Frankfurt) |
| Cloudflare | CDN, DDoS protection, edge | Global edge |
| Stripe | Subscription billing & payments | Ireland / US |
| Resend | Transactional email delivery | EU / US |
| Sentry | Error monitoring (no PII payloads) | EU (Frankfurt) |
Responsible disclosure
Found something? Tell us.
If you believe you've found a security issue, email us privately. We commit to acknowledge within 48 hours, give you a fix timeline, and credit you publicly if you'd like — once the issue is resolved.