RealMargin

Security

Your data is safe with us.

RealMargin connects to your most sensitive financial data: your Shopify store, bank accounts, and ad spend. We take that responsibility seriously. Here's exactly how we protect it.


Encryption in Transit

All data between your browser and our servers is encrypted using TLS 1.3, the current industry standard. We enforce HTTPS across every endpoint and reject insecure connections. Our TLS certificates are managed by Vercel with automatic renewal.


Encryption at Rest

Your financial data is stored in a Neon PostgreSQL database with AES-256 encryption at rest. Neon runs on AWS infrastructure in the us-east-1 region with multiple availability zones for redundancy. Database backups are encrypted and retained for 7 days.


Read-Only Bank Access via Plaid

Bank connections use Plaid's OAuth 2.0 flow. We never see or store your banking username or password. Plaid provides us with a read-only access token that we use to fetch transaction history and balances. You can revoke this access at any time from the Settings page, and it immediately becomes invalid.


No Credential Storage

We do not store Shopify admin passwords or bank login credentials in any form. Shopify integrations use OAuth access tokens scoped to the minimum permissions required (orders, payouts, products). Meta integrations use system user access tokens with read-only permissions.


Access Control

All production database access is controlled through environment secrets with no hardcoded credentials in source code. Internal access to production systems is limited to authorised personnel only and requires multi-factor authentication. We apply the principle of least privilege to all service accounts.


SOC 2 Compliant Infrastructure

Our infrastructure runs on Vercel (compute) and Neon (database), both of which maintain SOC 2 Type II certifications. Our email delivery (Resend) and SMS (Twilio) providers maintain their own independent compliance programmes.


Audit Logging

We maintain server-side logs of authentication events, data access patterns, and integration activity. These logs are retained for 90 days and used to detect anomalous behaviour.


Dependency Management

We monitor our open-source dependencies for known vulnerabilities using automated tooling. Critical security patches are applied as a priority. Our codebase is reviewed regularly for security issues.

Responsible Disclosure

If you discover a security vulnerability in RealMargin, we ask that you disclose it to us privately before making it public. We commit to:

  • Acknowledge your report within 48 hours
  • Investigate and patch confirmed vulnerabilities promptly
  • Credit researchers who report valid issues (with their permission)
  • Not pursue legal action against good-faith security researchers
πŸ” security@realmargin.com

Questions about our security practices?

Contact us at security@realmargin.com