
Security

Last updated: May 14, 2026

AutoPNL was built read-only from day one. We can read your Stripe transactions. We can never move your money, issue refunds, or change anything in your Stripe account.
🔒

Read-only Stripe

Only Balance: Read + Balance transactions: Read scopes. We can't move money.

🛡

AES-256-GCM

Your Stripe key is encrypted at rest. The encryption secret is stored separately, never in the database.

🇪🇺

EU hosting

Dedicated server + PostgreSQL, both in the EU. No third-party data brokers.

01

Stripe access

We only accept restricted API keys (rk_live_...). Standard secret keys (sk_live_...) are rejected.

The only Stripe scopes we require:

  • Balance: Read
  • Balance transactions: Read

AutoPNL cannot: create charges, issue refunds, modify customers, access card data, view email addresses, or change anything in your Stripe account.

You can revoke our access in one click at dashboard.stripe.com/apikeys. Once revoked, our next sync fails and we email you within 24 hours.

02

Key storage

Your restricted Stripe key is encrypted at rest with AES-256-GCM before it touches the database.

The encryption secret (STRIPE_KEY_ENCRYPTION_SECRET) is stored as an environment variable, never in the database itself. Compromising the database alone does not expose any keys.

The key is decrypted only at sync time, used in-memory to call Stripe, and discarded. It is never logged, never sent to AI, never persisted in plaintext.

03

What we send to AI

AutoPNL uses Claude (Anthropic) to categorize transactions. For each transaction we send only three fields:

  • description: the merchant name as it appears in Stripe
  • amount: the transaction amount in cents
  • date: the transaction date

We do not send: card numbers, customer emails, payment method IDs, IP addresses, account IDs, your Stripe key, or any PII about your customers.

Anthropic's data handling policies: anthropic.com/legal/privacy. They do not train on API inputs.

04

Authentication

Passwords are stored as bcrypt hashes with a per-password salt. We never store or log plaintext passwords.

Sessions are JWT tokens, signed with a server secret and rotated on sign-in. Email verification is required before login.

Public endpoints (signup, waitlist) are rate-limited by IP via a database-backed limiter (default: 5 requests per 15 minutes).

05

Infrastructure & transport

  • Hosting: dedicated EU server. No multi-tenant cloud database.
  • Database: self-hosted PostgreSQL in the EU.
  • Transport: HTTPS only. HTTP requests redirect to HTTPS.
  • HSTS enforced with a 2-year max-age and includeSubDomains.
  • Headers: X-Frame-Options DENY, X-Content-Type-Options nosniff, strict referrer policy, permissions policy locking down camera/mic/geolocation.
  • TLS: modern cipher suites only (certificates from Let's Encrypt, TLS configuration in Nginx).

06

Account control

You retain full control of your data at all times:

  • Disconnect Stripe at any time from Settings: your past data stays, but no further sync.
  • Delete all data wipes connection + every transaction in one click.
  • Delete account from Settings → Danger Zone. Cancels any active subscription via Polar, then permanently wipes your account, transactions, reports, sessions, and Stripe connections in a single transaction.

Export your data anytime: CSV from any monthly report, or email support@autopnl.com for a full account export.

07

Monitoring & error handling

We use Sentry for error tracking. The error handler scrubs Stripe keys and secrets from every event before transmission (beforeSend hook).

Stripe authentication failures (revoked or rotated keys) are detected on the daily sync, written to the connection record, and surfaced as a red banner in your dashboard plus an email to you within 24 hours.

Reporting a vulnerability

Found a security issue? Please report it responsibly:

support@autopnl.com

We respond within 24 hours. Please do not disclose publicly until we've had a chance to fix.

See also: Privacy Policy · Terms of Service · How to create a read-only Stripe key