Security

Last updated: March 8, 2026

Transport Security

All data transmitted between your browser and Qomprehensive is encrypted using TLS 1.2 or higher. All API endpoints enforce HTTPS. We do not support unencrypted HTTP connections.

Token Encryption

Plaid access tokens — which authorize access to your linked bank accounts — are encrypted at the application layer before being stored in our database. Even in the event of a database breach, the tokens cannot be used without the application-layer encryption key.

Infrastructure

  • Application and database hosted on Railway with private networking — the database is not publicly accessible
  • File storage on Cloudflare R2 with presigned URLs for secure, time-limited access
  • Environment secrets managed through Railway's encrypted variable system
  • No sensitive data is logged or exposed in error messages

Access Control

Authentication is handled by Clerk, providing secure email-based OTP login without passwords. Every API route verifies:

  1. User is authenticated (Clerk middleware)
  2. User has access to the requested entity (entity membership check)
  3. User's role permits the action (Owner, Admin, or Guest)

Data Minimization

  • We only store the last 4 digits (mask) of bank account numbers — never full account or routing numbers
  • We do not collect or store Social Security numbers, government IDs, or financial institution login credentials
  • Voice recordings are stored temporarily for transcription and retained only as long as needed
  • Plaid access tokens are the only sensitive credential stored, and they are encrypted at rest

Rate Limiting

All API endpoints are protected by multi-layer rate limiting: per-IP (100 requests/minute), per-user (200 requests/minute), and per-feature limits (e.g., 10 AI messages/minute). This protects against abuse and ensures fair service for all users.
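The layered limits above can be modeled as follows. This is an added illustration, not Qomprehensive's code. It assumes fixed one-minute windows, in-memory counters, and a hypothetical feature key `ai_message`; the page states only the limits themselves.

```javascript
// Added illustration. Fixed windows and the "ai_message" key are assumptions.
const WINDOW_MS = 60_000;
const IP_LIMIT = 100;   // per-IP requests/minute (from the page)
const USER_LIMIT = 200; // per-user requests/minute (from the page)
const FEATURE_LIMITS = new Map([["ai_message", 10]]); // 10 AI messages/minute

class LayeredRateLimiter {
  constructor() {
    this.counters = new Map(); // key -> { windowStart, count }
  }

  // True when the key has already used its quota in the current window.
  _exhausted(key, limit, now) {
    const c = this.counters.get(key);
    return c !== undefined && now - c.windowStart < WINDOW_MS && c.count >= limit;
  }

  // Count one request, starting a fresh window if the old one has expired.
  _consume(key, now) {
    const c = this.counters.get(key);
    if (c === undefined || now - c.windowStart >= WINDOW_MS) {
      this.counters.set(key, { windowStart: now, count: 1 });
    } else {
      c.count += 1;
    }
  }

  // req: { ip, userId?, feature? }; now: millisecond timestamp (injectable for tests).
  check(req, now = Date.now()) {
    const layers = [[`ip:${req.ip}`, IP_LIMIT, "ip"]];
    if (req.userId) layers.push([`user:${req.userId}`, USER_LIMIT, "user"]);
    const featureLimit = FEATURE_LIMITS.get(req.feature);
    if (featureLimit !== undefined) {
      const who = req.userId ?? req.ip;
      layers.push([`feature:${req.feature}:${who}`, featureLimit, "feature"]);
    }
    // Evaluate every layer before consuming, so a rejected request does not
    // burn quota in the layers that would have allowed it.
    for (const [key, limit, layer] of layers) {
      if (this._exhausted(key, limit, now)) return { allowed: false, layer };
    }
    for (const [key] of layers) this._consume(key, now);
    return { allowed: true, layer: null };
  }
}
```

The per-IP layer applies before authentication, which is why it is checked first and keyed independently of the user.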

Audit Trail

All data modifications are tracked. Transactions are never hard-deleted — only soft-deleted with timestamps. Chat message logs provide a complete audit trail of all agent interactions, including which messages created or modified which records.

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly by emailing [email protected] with the subject line "Security Report". We will acknowledge receipt within 24 hours.