Legal

Security & Encryption

Last reviewed: July 4, 2026 · Numerus LLC · San Juan, Puerto Rico

Numerus handles financial data that belongs to you. This page describes the concrete controls in place today. It is not a certification statement — for formal attestation reports from our infrastructure partners, contact us.

Encryption in transit

  • All traffic between your browser and Numerus uses TLS 1.2 or higher.
  • Traffic between Numerus and our database, Plaid, Stripe, and email providers uses TLS 1.2+ enforced by each provider.
  • HSTS is enabled on our production domain.

Encryption at rest

  • Postgres database volumes and backups are AES-256 encrypted at rest by our hosting provider.
  • Uploaded documents (bank statements, receipts) live in encrypted object storage, gated per-user by signed URLs.
  • Plaid access tokens and third-party API keys are stored as server-only secrets — they never reach the browser.

Access control

  • Every table with user data uses Row-Level Security policies scoped to your account. Even a bug in one query can't return another user's rows.
  • Privileged operations (billing webhooks, account deletion) run on the server and verify the caller before touching data.
  • Two-factor authentication (TOTP) is available in Settings → Security. We strongly recommend enabling it.

What we never store

  • Your online-banking username or password. Plaid handles the credential exchange; we only receive a read-only access token.
  • Full credit-card numbers. Stripe (PCI-DSS Level 1) handles all card data; we receive only a token and the last 4 digits.
  • Government IDs, SSNs, or documents you did not upload.

Third-party processors

  • Plaid — bank account & transaction data. SOC 2 Type II. End-user policy.
  • Stripe — payments and tax. PCI-DSS Level 1.
  • Supabase (Lovable Cloud) — database, storage, and auth. SOC 2 Type II.
  • Lovable AI Gateway — routes NuBu prompts to Google Gemini / OpenAI. Prompts are not used to train public models.

Your rights & controls

  • Disconnect a bank at any time from Bank Accounts. Removing an account also revokes Plaid's access token for that institution.
  • Delete your entire Numerus account from Settings → Danger zone. This revokes all Plaid access, then deletes your profile, connections, transactions, journal entries, documents, and reports.
  • Request an export by emailing support@numerusllc.net.

What we can't promise

No online service can guarantee zero risk. Enabling two-factor authentication, keeping your email account secure, and using a unique password for Numerus meaningfully reduce the risk of account takeover. Report any suspected security issue to support@numerusllc.net.