Legal
Security & Encryption
Last reviewed: July 4, 2026 · Numerus LLC · San Juan, Puerto Rico
Numerus handles financial data that belongs to you. This page describes the concrete controls in place today. It is not a certification statement — for formal attestation reports from our infrastructure partners, contact us.
Encryption in transit
- All traffic between your browser and Numerus uses TLS 1.2 or higher.
- Traffic between Numerus and our database, Plaid, Stripe, and email providers uses TLS 1.2+ enforced by each provider.
- HSTS is enabled on our production domain.
Encryption at rest
- Postgres database volumes and backups are AES-256 encrypted at rest by our hosting provider.
- Uploaded documents (bank statements, receipts) live in encrypted object storage, gated per-user by signed URLs.
- Plaid access tokens and third-party API keys are stored as server-only secrets — they never reach the browser.
Access control
- Every table with user data uses Row-Level Security policies scoped to your account. Even a bug in one query can't return another user's rows.
- Privileged operations (billing webhooks, account deletion) run on the server and verify the caller before touching data.
- Two-factor authentication (TOTP) is available in Settings → Security. We strongly recommend enabling it.
What we never store
- Your online-banking username or password. Plaid handles the credential exchange; we only receive a read-only access token.
- Full credit-card numbers. Stripe (PCI-DSS Level 1) handles all card data; we receive only a token and the last 4 digits.
- Government IDs, SSNs, or documents you did not upload.
Third-party processors
- Plaid — bank account & transaction data. SOC 2 Type II. End-user policy.
- Stripe — payments and tax. PCI-DSS Level 1.
- Supabase (Lovable Cloud) — database, storage, and auth. SOC 2 Type II.
- Lovable AI Gateway — routes NuBu prompts to Google Gemini / OpenAI. Prompts are not used to train public models.
Your rights & controls
- Disconnect a bank at any time from Bank Accounts. Removing an account also revokes Plaid's access token for that institution.
- Delete your entire Numerus account from Settings → Danger zone. This revokes all Plaid access, then deletes your profile, connections, transactions, journal entries, documents, and reports.
- Request an export by emailing support@numerusllc.net.
What we can't promise
No online service can guarantee zero risk. Enabling two-factor authentication, keeping your email account secure, and using a unique password for Numerus meaningfully reduce the risk of account takeover. Report any suspected security issue to support@numerusllc.net.
