Security & Privacy Documentation

We Protect Your Financial Data Like It's Our Own

Budget Aurora is built on enterprise-grade infrastructure with security controls aligned to the SOC 2 Trust Services Criteria. This page explains exactly how we collect, store, protect, and handle your data.

256-bit AES encryption at restTLS 1.3 in transitZero credential storageRead-only bank access via PlaidGoogle Cloud infrastructure
Who We Are

Budget Aurora — Clear Company Identity

We believe you should know exactly who is handling your financial information.

The Product

Budget Aurora is a personal and household finance management platform. We help individuals, couples, and families manage shared finances, track spending, crush debt, and plan for the future — all in one place.

Our Mission

To make financial clarity accessible to everyone. We build tools that give households an honest, real-time picture of their financial health — without selling your data or compromising your privacy to do it.

Technology Stack

  • Frontend: Next.js, hosted on Vercel
  • Database: Google Cloud Firestore
  • Authentication: Firebase Authentication
  • Bank Connections: Plaid
  • File Storage: Firebase Storage (Google Cloud)

Contact

Security or privacy concerns? security@budgetaurora.com

We respond to all security inquiries within 48 hours.

Security Controls

SOC 2-Aligned Security Practices

Our security posture is designed around the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Encryption

All user data is encrypted at rest using AES-256, provided by Google Cloud's default encryption layer on Firestore and Cloud Storage.

All data in transit is protected using TLS 1.3. Unencrypted HTTP connections are rejected.

Authentication & Access Control

User identity is managed by Firebase Authentication (Google). Passwords are hashed using bcrypt and never stored in plain text by Budget Aurora.

Session tokens are stored in httpOnly, Secure, SameSite=Strict cookies — preventing XSS and CSRF attacks.

Data Isolation

Every user's data is scoped to their unique Firebase UID. Firestore Security Rules enforce these boundaries at the database level — a malformed query cannot access another user's data.

Bank Connections (Plaid)

Bank account linking is handled entirely by Plaid's OAuth-style flow. Budget Aurora never sees or stores your banking username, password, or MFA codes.

We hold read-only access tokens. We cannot initiate transactions.

Continuous Monitoring

Google Cloud provides continuous infrastructure monitoring, DDoS protection, and automated vulnerability scanning. Anomalous access patterns trigger real-time alerts.

Infrastructure Availability

Budget Aurora runs on Google Cloud (Firestore, Firebase Auth) with a 99.95% uptime SLA. Vercel's global edge network handles frontend delivery with automatic failover.

Internal Access Controls

Access to production systems is limited to authorized engineers using role-based access controls. All admin actions are logged and auditable.

Incident Response

We maintain an incident response plan covering detection, containment, notification, and post-incident review. Affected users are notified promptly in the event of a breach.

Regulatory Status — No KYC Required

Budget Aurora is a read-only budgeting tool. We never hold, move, or process your money. This means we are not classified as a Money Service Business (MSB) or financial institution under US law (BSA/FinCEN), so KYC identity verification requirements do not apply to us.

Your bank connection is handled by Plaid, who manages that compliance layer. We intentionally keep our scope narrow so we never need to collect government-issued ID from you.

Data Architecture

How Your Data Is Stored

A transparent breakdown of exactly where each type of data lives and how it is protected.

Profile Data

Name, email, phone, avatar image

Storage

Firestore (Google Cloud) — AES-256 at rest

Access Control

You only. Firestore rules deny all cross-user reads.

In Transit

TLS 1.3

Financial Accounts

Account names, balances, account types

Storage

Firestore (Google Cloud) — AES-256 at rest

Access Control

You only. Scoped to your UID.

In Transit

TLS 1.3

Bank Connection Tokens

Plaid access tokens (not your credentials)

Storage

Firestore, encrypted at rest. We store tokens, not credentials.

Access Control

Server-side only. Never exposed to the frontend.

In Transit

TLS 1.3 + Plaid API security

Transactions

Transaction amount, merchant, date, category

Storage

Firestore (Google Cloud) — AES-256 at rest

Access Control

You only. Household members can be granted shared access explicitly.

In Transit

TLS 1.3

Authentication Tokens

Firebase ID tokens, session cookies

Storage

httpOnly, Secure cookies in the browser

Access Control

Not accessible to JavaScript (XSS-safe)

In Transit

TLS 1.3, SameSite=Strict (CSRF-safe)

Avatar / Uploaded Images

Profile photos

Storage

Firebase Storage (Google Cloud) — AES-256 at rest

Access Control

Served via signed URLs. No public listing.

In Transit

TLS 1.3

Our Commitments

What We Will Never Do

  • Sell your financial data to third parties
  • Store your bank username or password
  • Initiate transactions or move your money
  • Share your data with advertisers
  • Store plain-text passwords
  • Access your data without your permission
  • Use your data to train AI/ML models without consent
  • Retain your data after account deletion
  • Collect government-issued ID or run identity verification (KYC) checks — we are a read-only budgeting tool, not a financial institution or money transmitter
Data Rights

Retention, Deletion & Your Rights

Data Retention

We retain your data for as long as your account is active. Inactive accounts may be flagged after 24 months of inactivity, with prior email notice before any deletion. Analytics data is aggregated and anonymized after 90 days.

Account Deletion

You can permanently delete your account and all associated data from Profile & Settings → Security → Danger Zone. Deletion is immediate and irreversible. Plaid access tokens are revoked at the same time.

Your Rights (GDPR / CCPA)

  • Right to access your data
  • Right to correct inaccurate data
  • Right to delete your data
  • Right to data portability
  • Right to opt out of non-essential processing

Third-Party Processors

  • Plaid — bank connection tokens, read-only
  • Google Firebase — auth, database, file storage
  • Vercel — frontend hosting and edge delivery

All processors are contractually bound to GDPR-compliant data processing agreements.

Responsible Disclosure

If you discover a security vulnerability in Budget Aurora, please report it responsibly. We investigate all reports and respond within 48 hours.

Last updated: July 2026 · Privacy Policy · Terms of Service

Powered byFinancial Freedom for Every Household
Budget Aurora | Budgets Made Simple