
Security

Your data is locked.
Not just encrypted.

We treat your financial data with the same seriousness as the IRS does. Every layer of .fylr is built with security as the default, not an afterthought.

🔒
AES-256 Encryption
All data at rest is encrypted using AES-256. Passwords are hashed with bcrypt using a configurable cost factor and are never stored in plain text.
🏦
Plaid-Certified Banking
Bank connections use Plaid's OAuth-based Link flow. We never see or store your banking credentials, only read-only access tokens.
🔑
Fernet Key Rotation
Sensitive fields are encrypted using Fernet symmetric encryption. Key rotation is supported, and account deletion triggers a cryptographic key wipe.
🛡️
Security Headers
Every response includes HSTS, X-Frame-Options (DENY), X-Content-Type-Options, and XSS protection headers, enforced at the application layer.
⏱️
Rate Limiting
Auth endpoints are rate-limited to prevent brute-force attacks. Login is capped at 10 requests/min, registration at 5 requests/min.
📋
SOC 2: In Progress
We are actively working toward SOC 2 Type II compliance. Our audit trail, access controls, and incident response procedures are documented and under review.
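The rate limits above (10 login and 5 registration requests per minute) are the kind of control that is easy to state and easy to get subtly wrong. The following is an added illustration, not .fylr's own code, of a sliding-window limiter keyed by endpoint and client that enforces exactly those caps. The endpoint names, the client identifier and the injectable clock are assumptions made for the example; the 60-second window and the per-endpoint caps are the figures stated on this page.

```python
from collections import defaultdict, deque
import time

# Per-endpoint caps (requests per 60-second window), as stated on the page.
LIMITS = {"login": 10, "register": 5}
WINDOW_SECONDS = 60.0


class RateLimiter:
    """Sliding-window limiter: remembers request timestamps per (endpoint, client)
    and refuses a request once the window already holds `limit` timestamps."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limits = limits
        self.window = window
        self.clock = clock  # injectable so tests can drive time deterministically
        self._hits = defaultdict(deque)

    def allow(self, endpoint, client_id):
        limit = self.limits.get(endpoint)
        if limit is None:
            return True  # endpoint is not rate-limited
        now = self.clock()
        window = self._hits[(endpoint, client_id)]
        # Drop timestamps that have aged out of the window before counting.
        while window and now - window[0] >= self.window:
            window.popleft()
        if len(window) >= limit:
            return False  # caller should answer 429 and not touch credentials
        window.append(now)
        return True


def simulate(endpoint, attempts, step=1.0):
    """Drive the limiter with a fake clock advancing `step` seconds per attempt.
    Returns (allowed, blocked) counts for one constructed client address."""
    now = [0.0]
    limiter = RateLimiter(clock=lambda: now[0])
    allowed = blocked = 0
    for _ in range(attempts):
        if limiter.allow(endpoint, "203.0.113.7"):  # constructed client id
            allowed += 1
        else:
            blocked += 1
        now[0] += step
    return allowed, blocked


if __name__ == "__main__":
    print("login, 15 attempts in 15s:", simulate("login", 15))
    print("register, 8 attempts in 8s:", simulate("register", 8))
    print("login, 15 attempts spread 10s apart:", simulate("login", 15, step=10.0))
```

The third scenario shows the window sliding: with attempts ten seconds apart, each new request arrives just as the oldest one ages out, so a client that stays under ten per minute is never blocked. Keying on the client as well as the endpoint matters; a single global counter would let one attacker lock every user out of login.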

Data in Transit

All traffic to usefylr.app is served exclusively over HTTPS with TLS 1.2+. HTTP connections are automatically upgraded. HSTS is enforced with a 1-year max-age and includeSubDomains, preventing downgrade attacks.
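Both the Security Headers item above and the HSTS policy in this section describe concrete header values that a response either carries or does not. The check below is an added example, not .fylr's own code, that parses a response's headers and reports every deviation from the policy stated on this page: HSTS with a max-age of at least one year and includeSubDomains, X-Frame-Options of DENY, X-Content-Type-Options of nosniff, and the presence of an X-XSS-Protection header (the page does not state its value, so only presence is checked). The two sample header sets are constructed for the example.

```python
ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds

# Exact values the page states every response carries.
EXPECTED_EXACT = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}
# Headers the page says are present without stating a value.
EXPECTED_PRESENT = ["x-xss-protection"]


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into a lowercase directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_headers(headers):
    """Return a list of findings; an empty list means the response meets the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed max-age counts as too short
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} below one year ({ONE_YEAR})")
        if "includesubdomains" not in d:
            findings.append("HSTS missing includeSubDomains")

    for name, want in EXPECTED_EXACT.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip().lower() != want.lower():
            findings.append(f"{name} is {got.strip()!r}, expected {want!r}")

    for name in EXPECTED_PRESENT:
        if name not in h:
            findings.append(f"missing {name}")

    return findings


# Constructed sample responses: one that meets the policy, one that does not.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_headers(hdrs) or "OK")
```

Header names are compared case-insensitively because HTTP header names are, while X-Frame-Options is also compared case-insensitively since browsers accept either casing. A check like this belongs in a deployment smoke test so that a middleware regression is caught before it reaches production.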

Responsible Disclosure

Found a security issue? We appreciate responsible disclosure. Please email us at security@usefylr.app and we will respond within 48 hours. Please do not publicly disclose vulnerabilities until we have had a chance to address them.

We do not currently operate a bug bounty program, but we acknowledge all valid reports.