Security

Last updated: March 22, 2026

TherapyLedger is a financial platform built for therapists in private practice. We take the security of your financial data seriously. This page describes the technical and organizational measures we use to protect your information.

Authentication & Access Control

We use industry-standard authentication with multiple layers of protection:

  • Password security: All passwords are hashed using bcrypt with a work factor of 12 (bcrypt's "rounds" parameter, which sets the hashing cost; each hash also carries its own random salt). We never store plaintext passwords. Passwords must be at least 8 characters.
  • Two-factor authentication (2FA): Users can enable TOTP-based 2FA using any authenticator app (Google Authenticator, Authy, 1Password). 2FA is enforced at the middleware level — users cannot access the application without completing verification. Ten single-use backup codes are generated for account recovery.
  • Single sign-on (SSO): Google OAuth and Microsoft Entra ID (O365) are supported. SSO users rely on their identity provider's MFA enforcement.
  • Session management: Sessions use signed, encrypted JWTs stored in httpOnly, secure, SameSite cookies. Tokens expire automatically and cannot be accessed by client-side JavaScript.
  • Role-based access control: Three roles (User, Admin, Owner) control access to administrative functions. All API endpoints verify the caller's identity and role before processing requests.
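How the TOTP check and the single-use backup codes described above can be implemented, as an added example for this page, not TherapyLedger's own code. It uses only Node's standard crypto module: the TOTP part follows RFC 6238 (HMAC-SHA1 over the 30-second time counter, 6 digits, a one-step tolerance window); the backup codes are hashed with scrypt as a stand-in for bcrypt, which is not in the standard library. All names, the 10-hex-character code format and the in-memory storage shape are assumptions made for the example.

```typescript
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, then dynamic truncation.
export function totpCode(secret: Buffer, unixSeconds: number, step = 30, digits = 6): string {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = createHmac("sha1", secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return (bin % 10 ** digits).toString().padStart(digits, "0");
}

// Accept the current step plus `window` steps either side to absorb clock drift.
// Compare in constant time so a wrong code is not distinguishable by timing.
export function verifyTotp(secret: Buffer, code: string, unixSeconds: number, window = 1): boolean {
  if (!/^\d{6}$/.test(code)) return false;
  for (let i = -window; i <= window; i++) {
    const expected = Buffer.from(totpCode(secret, unixSeconds + i * 30));
    if (timingSafeEqual(expected, Buffer.from(code))) return true;
  }
  return false;
}

// Assumed storage shape for one backup code: only the salted hash is persisted.
export interface StoredBackupCode {
  salt: string;
  hash: string;
  used: boolean;
}

// Generate `count` codes. The plaintext list is shown to the user exactly once;
// the database keeps only the hashes, so a dump of the table does not yield codes.
export function generateBackupCodes(count = 10): { plaintext: string[]; stored: StoredBackupCode[] } {
  const plaintext: string[] = [];
  const stored: StoredBackupCode[] = [];
  for (let i = 0; i < count; i++) {
    const code = randomBytes(5).toString("hex"); // 40 bits of entropy, 10 hex characters
    const salt = randomBytes(16).toString("hex");
    // scrypt stands in for bcrypt here (bcrypt is not in Node's standard library).
    const hash = scryptSync(code, salt, 32).toString("hex");
    plaintext.push(code);
    stored.push({ salt, hash, used: false });
  }
  return { plaintext, stored };
}

// Check a candidate against every unused code and burn the one that matches (single use).
export function consumeBackupCode(stored: StoredBackupCode[], candidate: string): boolean {
  for (const entry of stored) {
    if (entry.used) continue;
    const digest = scryptSync(candidate, entry.salt, 32);
    if (timingSafeEqual(digest, Buffer.from(entry.hash, "hex"))) {
      entry.used = true;
      return true;
    }
  }
  return false;
}
```

The two RFC 6238 test vectors for the ASCII secret "12345678901234567890" (287082 at T=59, 081804 at T=1111111109) are a convenient sanity check for any TOTP implementation; the backup-code path shows the property the page promises, that a code works once and never again.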

Encryption

Data is encrypted both in transit and at rest:

  • In transit: All connections use TLS/HTTPS. HTTP requests are redirected to HTTPS. We enforce HSTS (HTTP Strict Transport Security) headers.
  • At rest: Our database is encrypted at rest via DigitalOcean's managed PostgreSQL service. Sensitive fields — including two-factor authentication secrets and bank connection tokens — are additionally encrypted at the application level using AES-256-GCM, an authenticated encryption mode that rejects ciphertext that has been modified.
  • Password storage: Passwords are one-way hashed using bcrypt and cannot be reversed or decrypted.
  • Backup codes: 2FA backup codes are individually bcrypt-hashed before storage. Even with database access, codes cannot be recovered.
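What application-level AES-256-GCM field encryption looks like in practice, as an added example written for this page (not TherapyLedger's code). It encrypts a single sensitive value with a fresh 96-bit nonce per call, binds the ciphertext to a caller-supplied context string (the record and column it belongs to) through GCM's associated data, and shows that any modification of the stored blob is detected on decryption. The key, the "v1:iv:tag:ciphertext" storage format, and the function names are assumptions; in a real deployment the key would be loaded from an environment variable, never generated at module load as it is here for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed for the example only: a real key comes from the secret store / environment.
export function newKey(): Buffer {
  return randomBytes(32); // AES-256 needs exactly 32 bytes
}
export const DEMO_KEY = newKey();

// Encrypt one field. `context` is authenticated but not encrypted, so a blob copied from
// one user's row into another's (or into a different column) fails to decrypt.
export function encryptField(plaintext: string, key: Buffer, context: string): string {
  const iv = randomBytes(12); // 96-bit nonce; must never repeat for the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(context, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  // Base64 never contains ":", so the separator is unambiguous. A version prefix allows key rotation.
  return ["v1", iv.toString("base64"), tag.toString("base64"), ciphertext.toString("base64")].join(":");
}

// Decrypt one field. `final()` throws if the tag does not verify, i.e. if the IV, the
// ciphertext, the tag or the context was altered.
export function decryptField(blob: string, key: Buffer, context: string): string {
  const [version, ivB64, tagB64, ctB64] = blob.split(":");
  if (version !== "v1" || ivB64 === undefined || tagB64 === undefined || ctB64 === undefined) {
    throw new Error("malformed ciphertext blob");
  }
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivB64, "base64"));
  decipher.setAAD(Buffer.from(context, "utf8"));
  decipher.setAuthTag(Buffer.from(tagB64, "base64"));
  return Buffer.concat([decipher.update(Buffer.from(ctB64, "base64")), decipher.final()]).toString("utf8");
}

// Convenience wrapper: null instead of an exception, for callers that only need "valid or not".
export function tryDecrypt(blob: string, key: Buffer, context: string): string | null {
  try {
    return decryptField(blob, key, context);
  } catch {
    return null;
  }
}

// Simulates what a database-level attacker might do: flip one byte of the stored ciphertext.
export function tamperCiphertext(blob: string): string {
  const [version, ivB64, tagB64, ctB64] = blob.split(":");
  const ct = Buffer.from(ctB64, "base64");
  ct[0] ^= 0x01;
  return [version, ivB64, tagB64, ct.toString("base64")].join(":");
}
```

The context string is what turns "encrypted" into "encrypted and bound to this row": without it, GCM still detects bit flips, but a blob moved between rows or columns would decrypt cleanly.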

Database & Infrastructure Security

  • Managed database: PostgreSQL hosted on DigitalOcean Managed Databases with automated backups, failover, and encryption at rest.
  • Network isolation: The database is firewalled to accept connections only from our application. No public access is permitted.
  • Parameterized queries: All database queries use Prisma ORM with parameterized bindings, eliminating SQL injection vulnerabilities.
  • Cascading deletion: When a user deletes their account, all associated data is permanently removed from the database using cascading foreign key constraints. No soft deletes or data archival.

Application Security

  • Security headers: We enforce strict HTTP security headers including Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, Permissions-Policy, and Strict-Transport-Security.
  • CSRF protection: Cross-site request forgery protection is enforced automatically on all authenticated endpoints via session token validation.
  • XSS prevention: React's automatic output encoding prevents cross-site scripting. No unsafe HTML rendering methods are used.
  • Input validation: All user input is validated server-side using Zod schemas before processing. Type checking, format validation, and bounds checking are enforced on every API endpoint.
  • Containerized deployment: The application runs in isolated Docker containers using multi-stage builds on minimal Alpine Linux images, reducing the attack surface.

Third-Party Integrations

We integrate with trusted, industry-standard service providers. We share only the minimum data necessary for each integration:

  • Plaid (bank linking): Bank credentials are entered directly into Plaid's secure widget — we never see or store your bank username or password. Plaid access tokens are encrypted at rest in our database. Users can revoke bank access at any time.
  • Stripe (payments): All payment processing is handled by Stripe. We do not store credit card numbers or payment details. Webhook signatures are verified on every event to prevent tampering.
  • Anthropic (AI insights): Financial summaries sent for AI analysis contain no personally identifiable information beyond what the user explicitly entered. Anthropic does not use API data for model training.
  • Mailgun (email): Used only for transactional emails (password resets, welcome emails, invitations). No marketing tracking is enabled.
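The webhook signature check mentioned under Stripe above, as an added example written for this page rather than TherapyLedger's or Stripe's own code. It implements the publicly documented scheme (a Stripe-Signature header of the form t=<timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<raw body>">), rejects events outside a replay tolerance window, and compares signatures in constant time. The sample body, the endpoint secret and the signLikeStripe helper (which plays Stripe's role so the example runs offline) are constructed for the example; the production code would call Stripe's SDK or this logic with the real endpoint secret from the environment.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed sample event and secret for the example; not real Stripe values.
export const SAMPLE_BODY = '{"id":"evt_example_0001","type":"payment_intent.succeeded"}';
export const SAMPLE_SECRET = "whsec_example_secret_not_real";

// Verify a Stripe-Signature header against the *raw* request body. The body must be the
// exact bytes received: re-serializing parsed JSON changes whitespace and breaks the HMAC.
export function verifyStripeSignature(
  rawBody: string,
  signatureHeader: string,
  endpointSecret: string,
  nowSeconds: number,
  toleranceSeconds = 300,
): boolean {
  // Header items are comma separated key=value pairs; several v1 entries may be present
  // during secret rotation, and any unknown scheme (e.g. v0) is ignored.
  const pairs = signatureHeader.split(",").map((item) => item.split("="));
  const timestampText = pairs.find(([key]) => key === "t")?.[1];
  const signatures = pairs.filter(([key, value]) => key === "v1" && value !== undefined).map(([, v]) => v);
  if (timestampText === undefined || signatures.length === 0) return false;

  // Replay protection: the signed timestamp must be close to our clock.
  const timestamp = Number(timestampText);
  if (!Number.isInteger(timestamp) || Math.abs(nowSeconds - timestamp) > toleranceSeconds) return false;

  const expected = Buffer.from(
    createHmac("sha256", endpointSecret).update(`${timestampText}.${rawBody}`).digest("hex"),
  );
  // timingSafeEqual throws on length mismatch, so check length first.
  return signatures.some((sig) => {
    const candidate = Buffer.from(sig);
    return candidate.length === expected.length && timingSafeEqual(candidate, expected);
  });
}

// Plays Stripe's side for the example: produces the header Stripe would send for this body.
export function signLikeStripe(rawBody: string, endpointSecret: string, timestamp: number): string {
  const sig = createHmac("sha256", endpointSecret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${sig}`;
}
```

Two details carry most of the security value: verifying over the raw body (not a re-encoded object), and enforcing the timestamp tolerance so a captured, correctly signed event cannot be replayed later.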

Data Privacy & Ownership

  • Your data is yours: You retain full ownership of all data you enter. We do not sell, rent, or share your data with third parties for marketing or any other purpose.
  • Data minimization: We collect only what is necessary to provide the Service. We do not store clinical data, client names, diagnoses, or session notes.
  • Account deletion: Users can delete their account and all associated data at any time from the Settings page. Deletion is permanent and cascading — all financial records, bank connections, and account data are removed within 30 days.
  • Data portability: Users have the right to export their data at any time.

For detailed information, see our Privacy Policy, Terms of Service, and Data Retention & Disposal Policy.

Organizational Security

  • Access control: Production infrastructure access is restricted to authorized personnel only. Secrets are stored as encrypted environment variables in our hosting platform — never in source code.
  • CI/CD pipeline: All code changes go through automated type checking, linting, and build verification before deployment. Deployments are automated via Docker builds on push to the main branch.
  • Dependency management: Dependencies are locked to specific versions and regularly audited for known vulnerabilities.
  • Incident response: In the event of a security incident affecting user data, we will notify affected users via email within 72 hours and take immediate steps to contain and remediate the issue.

Compliance

  • HIPAA considerations: TherapyLedger does not store protected health information (PHI). We handle only financial data — dollar amounts, payer names, and expense categories. No client names, diagnoses, treatment plans, or session notes are collected or stored.
  • Consent: Users must accept our Terms of Service and Privacy Policy at registration. Acceptance is timestamped. Additional consent is obtained for bank linking through Plaid's consent flow.
  • Data retention: We maintain a formal Data Retention & Disposal Policy with defined retention periods for each data type, reviewed annually.

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly by contacting us at [email protected]. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.

419 Technology LLC
Ohio, United States