Security

Security practices for financial data

Miyo is built for sensitive personal finance workflows. This page explains the security controls we apply today and the standards required before live Plaid-connected account data is enabled.

Account access

Passwords are hashed before storage. Miyo also supports multi-factor authentication and recovery controls for sensitive account access.

Session security includes server-side session lifecycle controls, device metadata, session invalidation after sensitive changes, and defensive rate limiting where configured.

Financial data handling

Financial records are scoped to the authenticated user and household sharing rules. Private, shared, and hidden account visibility states are treated as product security boundaries.

Plaid access tokens must be encrypted before storage, never sent to the browser, and never written to logs. Raw financial payloads should be reduced to the fields required for the user-facing feature.

Application defenses

The application sets baseline browser security headers, including frame denial, content type protection, strict referrer policy, content security policy, and production HSTS.

Secrets are expected to live in environment-managed configuration, not source control, screenshots, support messages, or client-side bundles.

Operational monitoring

Security-relevant events such as authentication changes, password changes, MFA changes, and future Plaid activity should be written to audit logs with minimal metadata.

Plaid production usage must include endpoint allowlisting, live-use budget controls, blocked endpoint enforcement, webhook verification, and alerting for sync failures or unexpected usage.

Plaid production readiness standard

Live financial account connections are not just a feature flag. They require implementation evidence that data access is intentional, observable, reversible, and cost-controlled.

  • Sandbox is the default environment for development.
  • Transactions is the initial Plaid product scope for budgeting and spending analysis.
  • Balance, Auth, Identity, Assets, Income, Investments, Statements, Transfer, and refresh-style paid endpoints stay blocked until explicitly approved.
  • Production Plaid calls require live-testing flags, item caps, connected-account caps, encrypted token storage, item removal on disconnect, and usage logging.
  • Webhook payloads must be signature-verified and deduplicated before they trigger financial sync work.
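As an added example (not Miyo's own code) of how the readiness rules above can be enforced in one place: a guard that every outbound Plaid call passes through, defaulting to sandbox, allowlisting transactions-scope endpoints, keeping paid endpoints blocked, requiring the live-testing flag and a call budget in production, enforcing item and connected-account caps, and logging each decision with minimal metadata. The endpoint paths, cap values and budget are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Endpoint paths are assumptions based on Plaid's public API naming.
ALLOWED = {"/transactions/sync", "/transactions/get", "/item/remove"}
BLOCKED = {"/accounts/balance/get", "/auth/get", "/identity/get",   # paid or
           "/investments/holdings/get", "/transactions/refresh"}    # out of scope


@dataclass
class PlaidGuard:
    env: str = "sandbox"        # sandbox is the default environment
    live_testing: bool = False  # explicit flag required for production calls
    item_cap: int = 3
    account_cap: int = 10
    live_budget: int = 50       # hard stop on production call count
    items: dict = field(default_factory=dict)   # item_id -> connected accounts
    accounts: int = 0
    live_calls: int = 0
    usage_log: list = field(default_factory=list)

    def connect_item(self, item_id: str, n_accounts: int) -> tuple:
        """Admit a Plaid Item only within the item and connected-account caps."""
        if len(self.items) >= self.item_cap:
            return False, "item cap reached"
        if self.accounts + n_accounts > self.account_cap:
            return False, "connected-account cap exceeded"
        self.items[item_id] = n_accounts
        self.accounts += n_accounts
        return True, "ok"

    def authorize(self, endpoint: str, item_id: str) -> tuple:
        """Decide whether an outbound call may proceed; every decision is logged."""
        allowed, reason = self._decide(endpoint)
        self.usage_log.append({  # minimal metadata: hashed item id, no tokens/payloads
            "env": self.env, "endpoint": endpoint, "allowed": allowed, "reason": reason,
            "item": hashlib.sha256(item_id.encode()).hexdigest()[:12]})
        if allowed and self.env == "production":
            self.live_calls += 1
        return allowed, reason

    def _decide(self, endpoint: str) -> tuple:
        if endpoint in BLOCKED:
            return False, "blocked paid endpoint"   # stays blocked until approved
        if endpoint not in ALLOWED:
            return False, "endpoint not allowlisted"
        if self.env == "production" and not self.live_testing:
            return False, "production requires live-testing flag"
        if self.env == "production" and self.live_calls >= self.live_budget:
            return False, "live-use budget exhausted"
        return True, "ok"
```

Blocked endpoints are denied before the allowlist is consulted, so a blocked path can never be enabled by accident through an allowlist edit; approval means deliberately removing it from BLOCKED.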

Report a security issue

Send suspected vulnerabilities, account compromise reports, or sensitive data exposure concerns to security@miyo.finance. Include enough detail to reproduce the issue, but do not send live bank credentials, full account numbers, or other secrets.

We prioritize reports involving authentication bypass, unauthorized financial data access, token exposure, privilege escalation, or leakage of sensitive logs.