Security & trust

Your money data, locked down

Finall shows your accounts in one place — it never touches your money. Here is exactly how your data is protected, in plain English, plus free independent tools you can use to check these claims yourself.

The promises

How Finall protects you

Encrypted

Your bank password never comes here

When you link a bank, you sign in on your bank's own page through Plaid — the same network used by Venmo and American Express. Finall never sees, sends, or stores your bank credentials.

Everything is encrypted

The access tokens Plaid issues are sealed with AES-256-GCM — the encryption standard banks and governments use — before they touch the database, and all traffic runs over TLS.

Read-only by design

Finall can see balances and transactions but cannot move money, pay bills, or change anything at your bank. Even if someone got into your dashboard, there is no "send money" button to press.

You stay in control

Sign-in is protected by rate-limited, server-side sessions. Every sensitive action lands in an audit log you can read, and you can disconnect any institution at any time.

Don't take our word for it

Check it yourself, free

These are independent, public security scanners. Finall cannot influence their results — anyone, including you, can run them against this site at any time.

Qualys SSL Labs ↗

Grades the strength of this site's HTTPS encryption.

SecurityHeaders.com ↗

Grades the browser protections this site switches on.

Mozilla HTTP Observatory ↗

Mozilla's overall website-security score.

Google Safe Browsing ↗

Confirms Google has not flagged this site as deceptive or unsafe.

Data practices

What we store — and what we never store

Stored, encrypted

Account names, balances, and transactions
Encrypted Plaid access tokens (AES-256-GCM)
Your email and a salted, hashed password
An audit log of sensitive actions

Never stored, never sold

Your bank username or password
Card numbers (PCI data stays with your bank)
Your data is never sold or shared with advertisers
No third-party trackers or analytics scripts

Responsible disclosure

Found a security issue?

We follow the industry-standard security.txt (RFC 9116) convention so researchers always know how to reach us. Please report issues privately to security@finallai.com — we aim to acknowledge reports within 72 hours.