Security at CarteFi

Your financial data deserves serious protection. Here is how we deliver it.

Data Encryption

All data is encrypted at rest using AES-256 encryption, the same standard used by banks and financial institutions.

All data in transit is protected by TLS 1.3, the latest transport layer security protocol. Every connection between your browser and our servers is encrypted.

Sensitive fields like tax IDs and bank account numbers receive an additional layer of application-level encryption beyond database encryption.

Tenant Isolation

Every CarteFi customer gets their own isolated database space. Your financial data is never mixed with another company's data.

Our architecture uses a technique called schema-per-tenant isolation. Think of it as each business having its own secure vault within our system.

Every request is verified to ensure you can only access your own organization's data. Cross-tenant access is architecturally prevented, not just policy-enforced.

Authentication

CarteFi uses Auth0, an industry-leading authentication provider, for all login and identity management.

Multi-factor authentication (MFA) is available for all accounts and recommended for all users. You can use authenticator apps, SMS, or email verification.

Sessions are managed securely with short-lived tokens that automatically expire. Inactive sessions are terminated to prevent unauthorized access.

Role-based access control ensures team members only see and do what their role permits (viewer, editor, accountant, or admin).

Payment Security

CarteFi never stores credit card numbers on our servers. All payment processing is handled by Stripe, a PCI Level 1 certified payment processor.

When you accept online payments from your customers through CarteFi invoices, those payments flow through Stripe's secure infrastructure.

Bank connections through Plaid use tokenized access. CarteFi never sees your bank login credentials -- Plaid handles that directly.

Audit Trail

Every change to your financial data is recorded in an immutable audit log. This log cannot be edited or deleted -- not even by CarteFi staff.

The audit trail captures who made each change, when they made it, and what the data looked like before and after the change.

This gives you a complete, tamper-proof record of every transaction, correction, and approval in your books.

Data Ownership & Portability

You own your data. Period. CarteFi is a tool for managing your financial records -- we never claim ownership of your information.

Export your complete data set at any time in CSV, JSON, or QuickBooks-compatible format. This feature is free on every plan.

If you cancel your account, your data remains exportable for 90 days. After that, it is permanently deleted from our systems upon request.

We never sell, share, or monetize your financial data. Your books are your business.

Infrastructure

CarteFi runs on secure cloud infrastructure with automated daily backups.

Database backups are encrypted and stored in a separate geographic region from the production environment.

Our infrastructure includes automated monitoring, alerting, and incident response procedures.

We maintain a disaster recovery plan with tested restore procedures to minimize downtime in the event of an outage.

Compliance Roadmap

CarteFi has been designed on security-first principles from day one. Our architecture follows OWASP best practices for web application security.

We are working toward SOC 2 Type II certification. Our current security practices align with SOC 2 Trust Service Criteria, and we plan to begin the formal audit process as we scale.

We conduct regular security reviews of our codebase and infrastructure. Identified vulnerabilities are prioritized and resolved promptly.

We welcome responsible security disclosures. If you discover a vulnerability, please contact [email protected].

Questions about security?

We are happy to answer any questions about how we protect your data.

[email protected]