Your financial data is sensitive. We’ve built security into every layer of NetFiscus - from how we store your password to how we protect your sessions.
Authentication
Passkeys (Recommended)
We support passkeys - the modern, phishing-resistant way to sign in. Use Face ID, Touch ID, Windows Hello, or a hardware security key.
Why passkeys are more secure:
- Phishing-resistant - Can’t be tricked into sending credentials to fake sites
- Device-bound - Private keys never leave your device
- Convenient - No password to remember or type
Password Authentication
If you use a password:
- Passwords are securely hashed using industry-standard algorithms
- We never store your password in readable form
- Changing your password immediately invalidates all other active sessions
Email Verification
New accounts must verify their email address before logging in. This confirms you control the email and prevents account hijacking.
Session Security
Your login session is protected by multiple layers:
- HTTP-only cookies - Session tokens can’t be stolen by malicious JavaScript
- Secure flag - Cookies only sent over HTTPS
- SameSite protection - Prevents cross-site request forgery (CSRF) attacks
- Automatic expiration - Sessions expire after a period of inactivity
- Encrypted storage - Sessions stored with encryption at rest
Password Reset & Verification Links
Password reset and email verification links use secure, one-time tokens:
- Random tokens - Generated using cryptographically secure random bytes
- Hashed storage - Tokens stored as hashes - if our database were compromised, attackers couldn’t use the tokens directly
- Time-limited - Tokens expire automatically
- Single-use - Tokens are deleted after successful use
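The four properties above can be sketched in a few lines. This is an added example, not NetFiscus's own code: the ResetTokenStore class, its in-memory table, the use of SHA-256 and the one-hour lifetime are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the page does not state one


class ResetTokenStore:
    """In-memory stand-in for the token table (hypothetical)."""

    def __init__(self, now=time.time):
        self._rows = {}  # sha256(token) hex digest -> (user_id, expires_at)
        self._now = now  # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token: str) -> str:
        # A fast hash is adequate here: the token carries 256 bits of
        # entropy, unlike a human-chosen password, so it cannot be guessed
        # offline from its digest.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # Random token: drawn from the OS CSPRNG.
        token = secrets.token_urlsafe(32)
        expires_at = self._now() + TOKEN_TTL_SECONDS
        # Hashed storage: only the digest is persisted.
        self._rows[self._digest(token)] = (user_id, expires_at)
        return token  # placed in the emailed link only, never stored

    def redeem(self, token: str):
        # Single-use: the row is removed as part of the lookup, so a second
        # presentation of the same token finds nothing.
        row = self._rows.pop(self._digest(token), None)
        if row is None:
            return None
        user_id, expires_at = row
        # Time-limited: an expired token is rejected (and already deleted).
        if self._now() >= expires_at:
            return None
        return user_id
```

Because redeem() hashes whatever it is given before looking it up, a digest read out of a leaked table does not work as a token.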
Payment Security
We use Stripe for all payment processing:
- No card data stored - Credit card numbers never touch our servers
- Webhook verification - All payment events verified via cryptographic signature
- PCI compliant - Stripe handles all payment card security requirements
API Security
- Authentication required - All data endpoints require login
- Rate limiting - Public endpoints are rate-limited to prevent abuse
- CORS protection - API only accepts requests from authorized origins
- Input validation - All user input validated and sanitized
Data Isolation
Your data is yours alone:
- User-scoped queries - Every database query is automatically scoped to your account
- No cross-user access - Impossible to access another user’s data, even with valid authentication
Infrastructure
- HTTPS everywhere - All connections encrypted in transit
- Managed database - PostgreSQL with automated backups
- Encrypted storage - Data encrypted at rest
Account Deletion
You can delete your account at any time:
- Two-step confirmation - Deletion requires email confirmation
- Complete removal - All your data is permanently deleted
- Grace period - Time to cancel before deletion is processed
What We Don’t Do
- We don’t sell your data
- We don’t share your data with third parties (except Stripe for payments)
- We don’t use tracking cookies or third-party analytics
- We don’t store passwords or sensitive tokens in readable form
Reporting Security Issues
Found a vulnerability? Contact us through our Contact page. We take all security reports seriously and will respond promptly.