Security

CardSheet is built with security as a priority. Here's how we protect your data.

PDF Handling

Your PDF is encrypted during upload and deleted immediately after processing.

We never store your original PDF files. After our AI extracts the transaction data, the PDF is permanently deleted. We only keep the extracted transaction information, which you can view and export anytime.

Data Encryption

  • In Transit: All data is encrypted using TLS 1.3 during transmission between your browser and our servers.
  • At Rest: Your data is stored in databases encrypted with AES-256.
  • File Uploads: PDFs are encrypted immediately upon upload and processed in isolated environments.

Authentication

We use OAuth 2.0 through Google for authentication. This means:

  • No Passwords Stored: We never see or store your password. Authentication is handled entirely by Google.
  • Secure Sessions: Session tokens are cryptographically signed and expire automatically.
  • Easy Revocation: You can revoke CardSheet's access anytime from your Google account settings.

Infrastructure

  • Hosting: Our application runs on Railway, with servers in secure data centers.
  • Database: PostgreSQL with automatic backups and encryption at rest.
  • File Storage: Temporary files are stored in AWS S3 with server-side encryption, then deleted after processing.

AI Processing

Your data is never used to train AI models.

We use OpenAI's API to extract transactions from your statements. Your data is processed according to OpenAI's enterprise data protection policies, which include:

  • No training on customer data
  • Data is not retained after processing
  • SOC 2 Type 2 certified infrastructure

What We Don't Do

  • No Bank Connections: We never connect to your bank accounts. We only process PDFs you upload.
  • No Data Selling: Your data is never sold or shared with third parties for marketing.
  • No Tracking: We use minimal analytics (Plausible) that doesn't track individual users.
  • No Third-Party Ads: We don't display ads or share data with ad networks.

Data Ownership

Your data belongs to you. You can:

  • Export Everything: Download all your transactions in CSV or Excel format anytime.
  • Delete Statements: Remove individual statements and their transactions instantly.
  • Delete Your Account: Permanently delete all your data from Settings. Deletion is immediate and irreversible.

Our Commitment

CardSheet is built by a small team. We don't have enterprise budgets for SOC 2 certifications (yet), but security is non-negotiable. We follow industry best practices, keep dependencies updated, and treat your financial data with the care it deserves.

Questions about security? Contact us at hello@cardsheet.app.