BBoss Finances
Trust · Security

Security at Boss Finances

The controls, practices, and commitments that keep your money data safe.

Effective: April 16, 2026Last updated: April 16, 2026
Security is non-negotiable.Your financial data is some of the most sensitive information you have. We treat it that way. Below is a plain-English summary of the controls we use to protect it.

1. Encryption

  • In transit: all traffic to and from Boss Finances is encrypted with TLS 1.2 or higher.
  • At rest: all member data is encrypted using AES-256 on managed cloud infrastructure.
  • Secrets: API keys and credentials are stored in an encrypted secrets manager with strict access controls and audit logging.

2. Bank Linking via Plaid

We never see or store your bank credentials. Bank linking is handled entirely by Plaid, which provides Boss Finances with read-only access to your account data. We cannot move money, initiate transfers, or change anything in your accounts through Plaid.

3. Access Controls

  • Least privilege: Boss Finances personnel can access member account data only when necessary to provide support or comply with a legal obligation.
  • Full audit logging: all internal access to member data is logged and reviewed.
  • MFA required: all employees and contractors are required to use phishing-resistant multi-factor authentication.
  • SSO + provisioning: internal access is centrally managed and revoked immediately on offboarding.

4. Independent Testing

  • Annual third-party penetration testing conducted by an independent security firm.
  • Continuous vulnerability scanning across our application, dependencies, and infrastructure.
  • Responsible disclosure: we welcome reports from security researchers — see Section 8.

5. Compliance Roadmap

  • SOC 2 Type I attestation — targeted by end of Q3 2026.
  • SOC 2 Type II attestation — targeted by Q2 2027.
  • GDPR & CCPA / CPRA: we honor data access, correction, and deletion rights regardless of where you live.

6. What We Don't Collect

The simplest way to keep data safe is not to collect it in the first place.

  • We do not collect Social Security numbers or tax identification numbers.
  • We do not collect full bank account or routing numbers.
  • We do not collect biometric identifiers.
  • We do not buy personal information from data brokers.

7. Incident Response

In the event of a confirmed data breach affecting your information, we will notify you in accordance with applicable law, typically within seventy-two (72) hours of discovery, with clear information about what happened and what to do next.

8. Reporting a Vulnerability

If you believe you have found a security vulnerability in Boss Finances, please report it to security@bossfinances.ai. We commit to:

  • acknowledge your report within 2 business days,
  • provide an initial assessment within 5 business days,
  • not pursue legal action against good-faith security research,
  • credit you publicly (with your permission) once a fix is shipped.

9. Account Security Tips

  • Use a unique, strong password for your Boss Finances account.
  • Enable two-factor authentication (2FA) when available in settings.
  • If you suspect unauthorized access, email security@bossfinances.ai immediately.

10. Contact

Security team: security@bossfinances.ai
Mail: Boss Finances Inc., Attn: Security, 777 Brickell Avenue, Suite 500, Miami, FL 33131, USA

Questions?

Talk to a human.

Email legal@bossfinances.ai for legal questions, or privacy@bossfinances.ai for privacy requests. We respond within 15 business days.

Privacy PolicyTerms of ServiceFinancial DisclosuresSecurity