SECURITY

Your Financial Data is Our Top Priority

Valcentra is built with security at every layer — from how you log in to how your data is stored and transmitted.

Bank-level encryption • Read-only access • No stored credentials

Security at Every Layer

We've implemented industry-standard security practices across authentication, data storage, transmission, and third-party integrations.

256-Bit AES Encryption

All data stored in Valcentra's database is encrypted at rest using AES-256, the same standard used by the US government and major financial institutions. Your financial data is unreadable without the encryption keys.

TLS 1.3 In Transit

Every request between your browser and Valcentra's servers is encrypted using TLS 1.3 — the latest and most secure transport protocol. Man-in-the-middle attacks are effectively impossible.

Read-Only Bank Access

Valcentra connects to your bank via Plaid using read-only tokens. We can see your transactions and balances — but we can never initiate transfers, make payments, or move money in any way.

No Stored Credentials

Valcentra never stores your banking username or password. Authentication is handled entirely by Plaid's secure OAuth flow, which issues a limited-access token that can be revoked at any time.

Clerk Authentication

User accounts are managed by Clerk — an enterprise-grade authentication platform used by thousands of companies. Clerk handles password hashing, session management, MFA, and brute-force protection.

Token Rotation & Expiry

Session tokens are short-lived and automatically rotated. Household invite codes expire after 7 days. All authentication tokens are signed with JWT secrets that are never exposed to the client.

Security Best Practices

Every aspect of Valcentra's infrastructure follows industry security standards.

Passwords are never stored in plaintext — only bcrypt hashes
All API endpoints require authentication — no public data exposure
Database access is restricted to server-side code only
Environment secrets are injected at runtime — never committed to code
HTTPS enforced on all routes — HTTP requests are rejected
Rate limiting applied to all authentication endpoints
SQL injection prevented via parameterized queries (Drizzle ORM)
XSS protection via React's built-in escaping and CSP headers

Powered by Plaid — Trusted by Millions

Valcentra uses Plaid for all bank connections — the same technology trusted by Venmo, Robinhood, Acorns, and thousands of other fintech companies. Plaid is SOC 2 Type II certified and compliant with financial data regulations.

SOC 2 Type II • ISO 27001 • CCPA Compliant • GDPR Ready

Responsible Disclosure

If you discover a security vulnerability in Valcentra, please report it responsibly to [email protected]. We take all reports seriously and will respond within 48 hours. We do not pursue legal action against good-faith security researchers.

Trust Your Finances to Valcentra

Built with security-first architecture so you can focus on your financial goals — not your data safety.