
Security

Haptic takes security seriously. Your financial data is protected with bank-level encryption and industry best practices.

Data Protection

Encryption at Rest

Plaid Access Tokens:
  • Algorithm: AES-256-CBC
  • Key Storage: Environment variables (never committed to code)
  • Unique IV per encryption
  • Tokens encrypted before database storage
  • Decrypted only when needed for API calls
MCP API Tokens:
  • Algorithm: SHA-256 hashing (one-way)
  • Cannot be reversed or retrieved
  • Stored as hashes only
  • Validated by re-hashing incoming tokens

Encryption in Transit

  • TLS 1.2+ for all connections
  • HTTPS only - no unencrypted HTTP
  • Certificate validation enforced
  • Perfect Forward Secrecy (PFS) enabled

What We Store

✅ Data We Store

Data Type | Storage Method | Purpose
--- | --- | ---
Clerk User ID | Plain text | User identification
Plaid Access Tokens | AES-256-CBC encrypted | Bank API access
MCP API Tokens | SHA-256 hashed | MCP authentication
Account Names | Plain text | Display in dashboard
Institution Names | Plain text | Display in dashboard
Last Updated Timestamps | Plain text | Staleness tracking

❌ Data We NEVER Store

  • ❌ Account balances
  • ❌ Transaction details
  • ❌ Banking credentials
  • ❌ Account numbers
  • ❌ Routing numbers
  • ❌ SSN or Tax IDs
  • ❌ Unencrypted tokens
All financial data (balances, transactions) is fetched in real-time from Plaid and never persisted to our database.

Plaid Partnership

Bank-Level Security

Haptic uses Plaid for all bank connections. Plaid provides:
  • SOC 2 Type II certified infrastructure
  • 256-bit encryption for data transmission
  • Multi-factor authentication support
  • OAuth-based bank authentication
  • Read-only access to financial data
Your banking credentials are never sent to Haptic - they go directly to Plaid’s secure servers.

How Plaid Works

You → Plaid (enter bank credentials) → Your Bank
  1. Plaid issues an access token
  2. Haptic stores the encrypted token
  3. Haptic uses the token to fetch data when needed
Key Points:
  • Haptic never sees your bank username/password
  • Plaid connects directly to your bank
  • Access tokens are read-only (cannot move money)
  • Tokens can be revoked anytime via Plaid or your bank

Authentication Security

OAuth 2.0 (Claude Desktop, ChatGPT)

Benefits:
  • No manual token copying
  • Short-lived authorization codes
  • Automatic token rotation
  • Scoped permissions
  • User consent required
Flow:
1. AI requests authorization
2. User redirects to Haptic
3. User signs in via Clerk
4. User authorizes specific permissions
5. Haptic issues code
6. AI exchanges code for access

Manual Tokens (Custom AI)

Security Features:
  • Prefixed with hap_ for easy identification
  • 256-bit randomness (crypto.randomBytes)
  • Hashed with SHA-256 before storage
  • Per-user token isolation
  • Revocable from dashboard
Best Practices:
  • Use OS keychain or credential managers
  • Environment variables for server apps
  • Never hardcode in source files
  • Never commit to version control
  • Generate new tokens periodically
  • Delete old tokens after rotation
  • Rotate immediately if compromised
  • Create separate tokens per AI/device
  • Name tokens descriptively (e.g., “MacBook - Poke”) so specific access is easy to identify and revoke

Infrastructure Security

Database (Supabase)

  • PostgreSQL with row-level security (RLS)
  • Encrypted at rest with AES-256
  • Automatic backups with point-in-time recovery
  • Network isolation with VPC
  • Access control via service role keys only

Hosting (Railway)

  • SOC 2 Type II compliance
  • Auto-scaling infrastructure
  • DDoS protection
  • Private networking
  • Secrets management via environment variables

Application

  • Express.js with security middleware
  • CORS restricted to haptic.sh domains
  • Helmet.js for HTTP headers
  • Rate limiting (future)
  • Request validation on all endpoints

Access Control

User Isolation

Every request is scoped to the authenticated user:
// All queries filter by user_id
const { data } = await supabase
  .from('plaid_accounts')
  .select('*')
  .eq('user_id', clerkId);
No cross-user data access possible - even if a token is compromised, it only accesses that user’s data.

Subscription Gating

MCP tools require an active subscription:
  • Checked on every request
  • Validated via Polar API
  • No access without payment

Admin Access

Admin endpoints require:
  • X-Internal-Secret header (64-char random secret)
  • Only accessible from Haptic website backend
  • Never exposed to public internet
  • Separate authentication from user tokens

Compliance & Certifications

Current Status

  • HTTPS/TLS: ✅ Enforced
  • Data Encryption: ✅ AES-256-CBC + SHA-256
  • Access Controls: ✅ User isolation + RBAC
  • Audit Logging: ⚠️ Partial (MCP requests logged)
  • GDPR Compliance: ⚠️ In progress
  • SOC 2: ❌ Not yet (infrastructure partners are certified)

Third-Party Security

Partner | Certifications | Purpose
--- | --- | ---
Plaid | SOC 2 Type II, ISO 27001 | Bank connections
Clerk | SOC 2 Type II, GDPR | Authentication
Polar | PCI DSS | Payment processing
Supabase | SOC 2 Type II, ISO 27001 | Database
Railway | SOC 2 Type II | Hosting

Vulnerability Reporting

Found a security issue? Please report it responsibly.
Email: [email protected]
Please include:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information (for follow-up)
We commit to:
  • Acknowledge within 48 hours
  • Provide status updates every 7 days
  • Credit you in our security advisories (if desired)
  • Not pursue legal action for good-faith reports
Do not publicly disclose vulnerabilities before we’ve had a chance to fix them.

Security Roadmap

Planned security enhancements:
  • Rate limiting per user and IP
  • Audit logging for all MCP requests
  • 2FA support for Haptic accounts
  • Token expiration with automatic rotation
  • IP allowlisting for enterprise users
  • SOC 2 Type II certification
  • Penetration testing by third-party firm

FAQs

No. Haptic has read-only access via Plaid. We can see balances and transactions but cannot initiate transfers, make payments, or modify accounts.

Even if our database is compromised:
  • Plaid tokens are encrypted (attacker needs encryption key)
  • MCP tokens are hashed (cannot be reversed)
  • No balances or transactions stored
  • User isolation prevents cross-user access

Three ways:
  1. Delete Plaid connection from your bank’s website
  2. Remove institution from Haptic dashboard
  3. Delete MCP tokens from dashboard

No. Your financial data is never shared, sold, or used for advertising. We only share data with:
  • Plaid (for bank connections - they already have it)
  • Your AI assistant (when you explicitly request it)
