Your Data, Protected

Security you can trust

Your financial data is sacred. We use strong encryption and security best practices to keep it protected.

Data Encryption

Active

AES-256 encryption at rest and TLS 1.3 in transit.

Privacy-First Design

Active

We minimize data collection and never sell your data.

Secure Payments

Active

All billing is handled by Stripe, a PCI Level 1 certified processor.

Continuous Monitoring

Active

Error tracking and uptime monitoring via Sentry and BetterUptime.

Security Best Practices

We implement industry-leading security practices across every layer of our infrastructure.

Data Protection

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Daily encrypted backups
  • Sensitive tokens encrypted before storage

Access Control

  • Role-based access control (RBAC)
  • JWT-based session management
  • Account lockout after failed attempts
  • Secure password hashing

Infrastructure

  • Hosted on Railway with managed PostgreSQL
  • Automated deployments
  • Environment variable encryption
  • HTTPS enforced on all endpoints

Application Security

  • Input sanitization (XSS prevention)
  • Rate limiting via Upstash Redis
  • CSRF protection
  • Sentry error monitoring

Have security questions?

We're happy to discuss our security practices and answer any questions about how we protect your data.


Security FAQ

How is my financial data protected?

All financial data is encrypted using AES-256 encryption at rest and TLS 1.3 in transit. We never store raw banking credentials—all bank connections go through Plaid with tokenized access.

Who can access my data?

Only you and team members you explicitly invite can access your data. Our engineering team cannot view your data without explicit written permission for support purposes, and all access is logged.

Where is my data stored?

Data is stored securely in managed PostgreSQL on Railway’s infrastructure in the United States with regular backups.

How do you handle data breaches?

In the unlikely event of a breach, affected customers are notified promptly with full transparency about the scope and remediation steps.

Can I export or delete my data?

We’re building self-service data export. In the meantime, contact us at [email protected] to request your data or account deletion.

Do you sell my data?

Absolutely not. We never sell, share, or monetize your data. Your financial information is used solely to provide the culta.ai service to you.

Have security questions?

Our security team is happy to answer any questions about how we protect your data.
