Security
Splits is a ledger, not a money transmitter. We never see your bank credentials and we never move money on your behalf — payments settle off-platform via Venmo or Cash App deep links. This page covers how we protect the data we *do* hold (your splits, your friend graph, and the read-only bank feed that powers recurring-bill detection).
Last reviewed 2026-05-18. Security or privacy report? security@splitshq.com.
Bank linking
We use Plaid to read transactions from your bank. You enter bank credentials into Plaid's sheet — not ours — so Splits never sees them. Plaid returns an access token that we can use to pull read-only transactions; that token is encrypted at the application layer with AES-256-GCM (a unique 12-byte IV per record, an authenticated tag, and a key derived via scrypt) before it touches our database. It is decrypted only at the moment of use and is never logged or returned from an API.
Two-factor authentication
We text you a 6-digit code whenever you do something sensitive — connecting a bank, changing your phone number or payment handles, deleting your account, or rotating your password. Routine logins don't prompt you; the device that cleared the most recent challenge is remembered for 30 days. A few actions always re-challenge regardless of that 30-day grace period: changing your phone number, removing a two-factor method, and deleting the account — so a borrowed laptop can't lock the real owner out.
Power users can switch to an authenticator app (1Password, Authy, Google Authenticator) in Settings → Security. Codes never go over SMS in that mode.
Database isolation
Every user-facing table enforces row-level security in Postgres, so a query issued under one user's session can never read another user's rows. Sensitive writes (notifications, friend requests) go through audited SECURITY DEFINER functions that re-verify the caller's identity, so a compromised client can't fabricate them. Every server route and server action re-checks the session before any database read or write as a second line of defense.
Encryption in transit and at rest
- In transit: TLS 1.3 (minimum 1.2) for all production traffic. Upstream calls to Supabase and Plaid are TLS 1.2+.
- At rest: Supabase Postgres encrypts the storage volume with AES-256. Plaid access tokens are additionally encrypted at the application layer (AES-256-GCM) before storage.
- Secrets: All credentials live in Vercel environment variables — never in the repository. Codebase access is restricted to a small, MFA-protected team. GitHub secret scanning + push protection are enabled to catch accidental commits.
Vulnerability management
Dependencies are kept current by Dependabot (weekly grouped pull requests). Every CI build runs pnpm audit at the high-severity threshold and fails on new advisories. CodeQL static analysis runs on every pull request, every push to main, and on a weekly schedule against the security-extended query suite. Critical and high advisories are remediated within 7 days; medium within 30. Direct alert dismissals are blocked — every dismissal goes through an approval flow.
Webhook integrity
Plaid webhooks are validated against Plaid's published JWK (ES256 JWT), with a SHA-256 body hash check and a 5-minute timestamp window. Anything unverified is dropped with a 401 — no state is updated.
Data retention
You can delete your account from Settings → Danger zone at any time. Deletion revokes Plaid access immediately and removes your profile, friendships, splits, linked banks, transactions, notifications, and push subscriptions within 7 days. Operational logs and database point-in-time backups roll off on a 30-day rolling window.
Incident response
If something goes wrong: we detect via monitoring or a security report, triage within 4 business hours, contain (rotating credentials and revoking sessions as needed), notify affected users by email within the applicable deadline, and write a blameless postmortem within 7 days.
Detailed policies
The sections above are the plain-language summary. Our formal policies are available as PDFs for review:
- Information Security Policy (PDF) — governance, principles, encryption, and incident response.
- Vulnerability Management Policy (PDF) — scanning, classification, and remediation SLAs.
- Data Retention and Disposal Policy (PDF) — retention windows and deletion procedures by data category.
- Privacy Policy (PDF) — full formal version of the privacy summary.
Reporting a vulnerability
Please use a private channel — email security@splitshq.com with a description, reproduction steps, and (if known) a suggested fix. We acknowledge within two business days and provide a triage update within five. Good-faith researchers who follow responsible disclosure will not face legal action from us.
Privacy and data requests: privacy@splitshq.com.