Security
What we protect, how we protect it, and what we can verify.
Bank linking via Plaid
We never store your bank credentials. Linking is handled entirely by Plaid. Learn how Plaid protects your data →
HTTPS everywhere
All traffic to our backend APIs is HTTPS-only. TLS is enforced at the Supabase layer, and the app checks at startup that it is configured to talk to an HTTPS endpoint.
Encryption at rest
Your data is encrypted at rest by Supabase (hosted on AWS), which applies AES-256 encryption at the storage layer.
Row-Level Security
RLS is enforced on every application table: the database itself restricts each query to the rows that belong to your account, so the guarantee does not depend on application code alone. Audited via SupaShield in CI.
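What "enforced at the database layer" looks like in Postgres, as an added example that is not Zeteo's schema or code: a hypothetical public.transactions table gets RLS turned on, owner-only policies keyed on the Supabase auth.uid() JWT subject, a check that simulates a request as a given user, and the audit query a CI step can run to fail the build when any public table still has RLS disabled. Table and column names are assumptions.

```sql
-- Added example (not Zeteo's actual schema): owner-only RLS on an
-- assumed public.transactions table, plus the audit query that catches
-- tables where RLS was never enabled. Runs against a Supabase Postgres
-- (auth.uid() and the anon/authenticated roles are Supabase-specific).

create table if not exists public.transactions (
  id          bigint generated always as identity primary key,
  user_id     uuid not null default auth.uid() references auth.users (id),
  amount      numeric(12, 2) not null,
  description text
);

-- 1. Turn RLS on. Without this statement the policies below are never
--    consulted and every API role can read the whole table.
alter table public.transactions enable row level security;
-- Apply the policies to the table owner as well, instead of the default
-- owner bypass. Note: the Supabase service_role key bypasses RLS by
-- design regardless of this setting, so it must never ship in a client.
alter table public.transactions force row level security;

-- 2. Owner-only policies. auth.uid() is the "sub" claim of the caller's
--    JWT; it is NULL for anonymous requests, so no row ever matches.
create policy "transactions_select_own" on public.transactions
  for select to authenticated
  using (auth.uid() = user_id);
create policy "transactions_insert_own" on public.transactions
  for insert to authenticated
  with check (auth.uid() = user_id);
create policy "transactions_update_own" on public.transactions
  for update to authenticated
  using (auth.uid() = user_id) with check (auth.uid() = user_id);
create policy "transactions_delete_own" on public.transactions
  for delete to authenticated
  using (auth.uid() = user_id);

-- 3. Check: impersonate a constructed user inside a transaction and
--    confirm only that user's rows are visible. Setting the claims GUC
--    is how auth.uid() resolves under PostgREST, so this mirrors a real
--    API request without going through the network.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
select count(*) from public.transactions;   -- rows of user ...0001 only
rollback;

-- 4. Audit query for CI: any row returned is a public-schema table
--    reachable through the API with RLS disabled. Fail the build if the
--    result set is not empty.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not c.relrowsecurity;
```

The audit query only proves RLS is switched on, not that the policies are correct; step 3 is the part that tests the policy itself, and it is worth repeating with a second constructed user id to confirm that user sees zero rows.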
Encrypted local cache
On-device data is encrypted via SQLCipher in release builds.
Vault-protected credentials
Sensitive credentials, such as bank connection tokens, are stored encrypted in Supabase Vault (authenticated encryption), not in plain-text table columns.
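The difference between a plain column and a Vault-backed one, as an added example that is not Zeteo's code: the application table keeps only the id of a Vault secret, the token itself is written with vault.create_secret, decryption happens server-side through the vault.decrypted_secrets view, and a privilege check confirms the API roles cannot reach the vault schema. The bank_connections table, its columns and the token and item values are constructed for the example.

```sql
-- Added example (not Zeteo's schema): a Plaid-style access token kept in
-- Supabase Vault rather than in a plain column. All names and values
-- below are constructed.

-- Weak: the token is plaintext in a regular column, so anyone who can
-- read the table, a dump, or a backup has the token.
--   create table public.bank_connections (
--     id uuid primary key, user_id uuid, access_token text);

-- Hardened: the table stores only a reference to the Vault secret.
create table if not exists public.bank_connections (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null references auth.users (id),
  item_id      text not null,
  token_secret uuid not null   -- vault.secrets.id, never the token itself
);
alter table public.bank_connections enable row level security;

-- vault.create_secret(secret, name, description) encrypts the value with
-- authenticated encryption and returns the new secret's id.
insert into public.bank_connections (user_id, item_id, token_secret)
values (
  '00000000-0000-0000-0000-000000000001',          -- constructed user id
  'item-sandbox-example',                          -- constructed item id
  vault.create_secret('access-sandbox-example-token',
                      'plaid:item-sandbox-example',
                      'constructed Plaid access token')
);

-- Server-side code (e.g. a security definer function or a job running
-- as a privileged role) decrypts through the view; the ciphertext in
-- vault.secrets is useless without the project's Vault key.
select b.item_id, s.decrypted_secret
from public.bank_connections b
join vault.decrypted_secrets s on s.id = b.token_secret
where b.user_id = '00000000-0000-0000-0000-000000000001';

-- The check: both API roles must return false here. If either is true,
-- a client holding an anon or user JWT could query decrypted_secrets.
select r.rolname,
       has_schema_privilege(r.rolname, 'vault', 'USAGE') as can_use_vault
from pg_roles r
where r.rolname in ('anon', 'authenticated');
```

Storing the secret id rather than the token also means a leaked copy of the application table, or of a logical backup that excludes the vault schema, yields no usable credentials.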
Secrets scoped to main
Production secrets are only exposed to main branch builds. Feature and PR builds cannot access production credentials.
PIPEDA and BC PIPA
Zeteo is incorporated in British Columbia, Canada. We comply with PIPEDA and BC PIPA.
GDPR-ready
We maintain a GDPR Article 6 lawful-basis table covering every processing activity. See our Privacy Policy for the full table.
Read-only bank sync
Plaid connections are read-only. Zeteo cannot initiate transfers, move money, or modify your accounts.
Compliance
Scope clarity
Zeteo is not SOC 2 audited. Our backend provider Supabase is SOC 2 Type 2 compliant; that's a different statement and we keep it scoped that way.
We do not currently operate a published vulnerability disclosure policy or bug bounty program. We will publish one before that absence becomes meaningful at our scale.
If you believe you've found a security vulnerability, email security@zeteoapp.com.
Trust claims are derived from Zeteo's source-of-truth governance document. See github.com/prateek-diwedi/Zeteo (private — founder access only).