Security Trust Center

Version 1.1.0 | Last Updated: 2026-05-28

At CashedUp, security is a core pillar of our product design and engineering culture. We understand that your financial data is highly personal, and we are committed to protecting it with a security-first architecture.

This Security Trust Center details the industry-standard controls we employ to safeguard your personal and financial information.

1. Data Encryption

We ensure your data is shielded both in transit across the internet and when stored securely on our servers.

  • Encryption in Transit: All communications between your web browser or desktop client and our application servers are encrypted using the Transport Layer Security (TLS) protocol (TLS 1.3, and TLS 1.2 with strong cipher suites). This prevents eavesdropping on and tampering with data in transit.
  • Encryption at Rest: Sensitive database records, user information, and transaction backups are encrypted at rest using the Advanced Encryption Standard with 256-bit keys (AES-256).

2. Infrastructure & Hosting Partners

We deploy our application and database environments on world-class, trusted infrastructure providers with robust security compliance profiles:

  • Vercel Platform: Our frontend application is served securely via Vercel’s globally distributed Edge Network, providing built-in DDoS mitigation, firewall protections, and automatic HTTPS enforcement.
  • Supabase (AWS): Our relational databases and authentication systems are hosted by Supabase within secure Amazon Web Services (AWS) data centers located in Sydney, Australia. This ensures your data remains on Australian soil and is protected by physical security controls, redundant power grids, and round-the-clock monitoring.

3. Account Protection & MFA

A secure system relies on strong access controls. We provide tools to help you secure your own account boundaries:

  • Multi-Factor Authentication (MFA/2FA): We fully support and encourage Time-Based One-Time Password (TOTP) MFA. You can configure this via your settings dashboard using standard authenticator apps (e.g., Google Authenticator, Authy, or 1Password) to add an extra layer of protection beyond your password.
  • Secure Session Management: Sessions are tracked with cookies carrying the Secure, HttpOnly, and SameSite attributes, so session tokens cannot be read by page scripts or sent over unencrypted connections. This protects against Cross-Site Scripting (XSS) and Session Hijacking.

4. Open Banking Security (Basiq Partnership)

If you use automated bank feeds:

  • CDR-Accredited Ecosystem Partner: All bank feeds are processed via Basiq Pty Ltd, a trusted data aggregator and accredited data recipient under the Australian Consumer Data Right (CDR).
  • Read-Only Feeds: The connection established is strictly read-only. CashedUp can only view transaction histories and balances. We can never move money, authorize payments, or modify your accounts.
  • No Password Storage: CashedUp never asks for, sees, or stores your bank login credentials or passwords. The linking process occurs via secure Open Banking OAuth channels directly with your banking institution.

5. Local-First Desktop Option

For wealth builders who prefer maximum privacy and custody of their data:

  • We offer the CashedUp Local Desktop App.
  • This option stores your database entirely on your local machine rather than the cloud.
  • Your financial details are not transmitted to or stored on our servers.

6. Continuous Monitoring & Updates

  • Dependency Auditing: We run automated vulnerability scanning on our codebase dependencies to catch and patch software security issues before they reach production.
  • Regular Patches: Next.js framework updates, Supabase database updates, and server OS updates are regularly reviewed and deployed.

7. Responsible Vulnerability Disclosure

We welcome feedback and reports from independent security researchers to help keep our community safe.

If you discover a potential security vulnerability in our application, please report it to us immediately at security@cashedup.com.au.

  • Please provide detailed, reproducible steps.
  • We ask that you give us reasonable time to investigate and remediate the issue before disclosing it publicly.
  • We commit to acknowledging and responding to your report within 48 hours.