Trust
Security
Statement
Last updated: June 1, 2026
This page explains in plain English how 7 Pillars protects your financial data. No legal jargon. If you have a question that isn't answered here, email us at security@7pillars.app.
Our commitments
What we promise
✓
Read-only access, always. Sophia can see your accounts but cannot move money, initiate payments, or make changes to your financial accounts. This is enforced at the infrastructure level — not just a policy.
✓
We never see your bank password. All bank connections are established through Plaid. Your credentials go directly to Plaid's encrypted system — they never pass through 7 Pillars servers.
✓
Your data is never sold. 7 Pillars is a subscription business. Your financial data is not our product and never will be. We do not sell, rent, or share your data with advertisers or data brokers.
✓
You can disconnect anytime. Remove any connected account from Settings at any time. Your data is deleted within 30 days of account closure.
✓
We will notify you of breaches. In the unlikely event of a security incident affecting your data, we will notify you promptly and in accordance with applicable law.
Technical details
How we protect your data
🔐
Encryption in transit
All data between your device and our servers is encrypted using TLS 1.2 or higher — the same standard used by banks and financial institutions.
🗄️
Encryption at rest
All data stored in our database is encrypted at rest using AES-256 encryption. This includes your financial data, transaction history, and profile information.
🛡️
Row-level security
Every database table is protected by Row Level Security. Your data is cryptographically isolated — no user can ever access another user's data.
⚡
Rate limiting
All API endpoints are rate-limited to prevent abuse. Sophia's AI endpoint has a hard cap of 20 requests per user per hour.
🔑
Authentication
User authentication is managed by Clerk, an enterprise-grade authentication provider. Session tokens are short-lived and automatically invalidated on logout.
📎
Secure file storage
Receipt uploads and documents are stored in private cloud storage. Files are only accessible via time-limited signed URLs — direct public access is disabled.
Section 03
How Plaid keeps your bank data safe
7 Pillars uses Plaid to connect to your financial accounts. Plaid is trusted by over 8,000 financial apps and used by millions of Americans.
- When you connect a bank account, Plaid opens a secure authentication window. You enter your bank credentials directly into Plaid's interface — not ours.
- Plaid verifies your identity with your bank and returns a secure token to 7 Pillars. This token allows us to read your account data but cannot be used to initiate transactions.
- Your bank password is never transmitted to or stored on 7 Pillars servers at any point in this process.
- Plaid's security infrastructure is audited under SOC 2 Type II.
You can review Plaid's security practices at plaid.com/safety.
Section 04
Our infrastructure
- Backend servers hosted on Railway, with automatic deployment and environment variable isolation.
- Frontend hosted on Vercel with global CDN distribution and HTTPS enforced on all routes.
- Database hosted on Supabase, with automatic backups, point-in-time recovery, and Row Level Security enforced on all tables.
- API keys and secrets are stored exclusively in environment variables and never committed to source code repositories.
- Production and staging environments are fully separated — no test data ever touches production systems.
Section 05
Responsible disclosure
If you discover a security vulnerability in 7 Pillars, please email security@7pillars.app with a description of the issue and steps to reproduce it before disclosing publicly.
We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities as quickly as possible.
Section 06
Questions
7 Pillars Security
Email: security@7pillars.app
Minneapolis, Minnesota, United States