Security isn't a feature.
It's the foundation.

Abundera does not use passwords. Authentication is exclusively through WebAuthn/FIDO2 passkeys—the same cryptographic standard used by Apple, Google, and Microsoft for their highest-security accounts.

Passkeys are phishing-resistant by design. There is no password to steal, no OTP to intercept, no secret question to guess. Your private key never leaves your device. The server only stores a public key that is useless without your biometric or device PIN.

The obvious question: what happens if you lose your device? A passkey-only system is only as secure as its recovery path. A weak recovery flow would undo everything passkeys provide. That's why we built a multi-factor recovery system with independent verification layers and a mandatory cooling-off period—detailed in the next section.

Multi-factor account recovery with a mandatory 48-hour cooling-off period. Three independent verification factors from different sources, plus instant multi-channel alerts so you can cancel any unauthorized attempt.

How recovery works:

1. Enter your TOTP code from your authenticator app to prove you have the secret
2. Enter a backup code (single-use, generated at enrollment) to prove you saved them
3. Enter a 6-digit code sent to your email to prove you control the account's email address
4. Wait through a 48-hour cooling-off period before credentials are wiped—all verified channels notified instantly
5. Register a new passkey on your current device

The 48-hour cooling-off period is your last defense. If someone steals your TOTP secret and a backup code, and intercepts your email—you still have time. You receive immediate notifications on every verified channel that recovery was initiated. During the cooling-off window, you can sign in to cancel it.

If you turn off account recovery in Settings and lose your passkey, your account is permanently inaccessible—even to us. We cannot override this. For users who want maximum security, no recovery path means no recovery attack surface.

Abundera does not call OpenAI, Google, Anthropic, or any third-party AI API with your information. Your financial records, emails, calendar, and health data are never sent to external AI services.

This is not a wrapper around someone else's model. Our AI runs on infrastructure we control — your data is never used to train models for other customers, never logged by a third-party provider, and never accessible outside your session.

Your data is encrypted at rest with AES-GCM and in transit with TLS 1.3. Sensitive fields—bank transactions, health records, TOTP secrets—are encrypted at the application layer before storage. Financial connections through Plaid are strictly read-only—Abundera cannot move money, make purchases, or modify your accounts.

Processing happens at the edge on Cloudflare's global network, which means your information is handled close to where you are, not in a single data center halfway around the world. Encryption keys are managed through a split-key architecture with cross-provider envelope encryption via AWS KMS. Local keys derived from HKDF are combined with KMS-managed data encryption keys—ensuring no single provider holds the complete key material.

Abundera operates on a progressive trust ladder. You start at Level 1 (Observer), where the system can only watch and report. You decide if and when to unlock deeper analysis. Every permission is individually revocable at any time.

If anything goes wrong—or you simply change your mind—reply STOP to any Abundera SMS alert to pause all alerts instantly. Full data export and permanent deletion are available on request, no questions asked.

Some commitments are best stated as absolutes.

• Never sell or share your data. Not to advertisers. Not to data brokers. Not to anyone. Ever.
• Never train models on your data for other users. Your information improves your experience only.
• Never share data with third parties for advertising. No ad networks. No tracking pixels. No behavioral profiling.
• Never store passwords. We don't have them. Passkey-only means there is no password database to breach.
• Never access accounts without explicit permission. Every integration requires your direct authorization.
• Never send your data to public AI services. No OpenAI, no Google, no Anthropic API calls with your information.

Abundera enforces a strict Content Security Policy with zero inline code. Every script and stylesheet is served from an external file with cryptographic hash verification. This eliminates entire categories of XSS attacks—even if an attacker somehow injected malicious HTML, the browser would refuse to execute any code not explicitly whitelisted in our policy.

We enforce 10 security headers on every response, including a strict Content Security Policy that locks down script, style, frame, and connection sources. Most financial applications use three or four.

Every deployment is gated by an automated security audit that runschecks across 127 categories before any code reaches production. If a single critical check fails, the deployment is blocked automatically. The audit script runs in the deploy pipeline and failures halt the process before any code is published.

This is not a monthly scan or a quarterly review. It runs on every single deployment—verifying data isolation, secret leakage prevention, authentication enforcement, header integrity, injection defenses, encryption standards, input validation, audit log coverage, sensitive data exposure, open redirect protection, error disclosure, structural integrity, messaging consistency, and logging hygiene across every API endpoint and page.

Alongside the static audit, we maintain a continuous penetration testing program with 908 live attack simulations across 44 categories. Unlike generic third-party scanners that probe blindly, our pentest tool has deep knowledge of the actual attack surface—the exact JWT implementation, WebAuthn registration flow, billing middleware gates, shard isolation boundaries, and internal header stripping logic. It tests what matters: JWT algorithm confusion attacks, IDOR across tenant boundaries, SSRF bypass attempts against our specific validation logic, race conditions on concurrent writes, and HTTP parameter pollution—tests that no off-the-shelf scanner would know to run.

Beyond functional testing, we run Stryker mutation testing across 27 source files—systematically injecting faults into production code to verify that our 6,370 unit tests actually catch real bugs, not just achieve coverage. Current mutation score: 96.15% (4,151 of 4,338 mutants killed). Our CI/CD pipeline runs 16 automated jobs on every commit, including SAST (Semgrep), secret detection (Gitleaks), SBOM generation, CodeQL analysis, supply chain scoring (OpenSSF Scorecard), E2E tests (Playwright), accessibility scans, API contract tests, and SLSA build provenance with cryptographic attestation.

The platform runs on enterprise-grade infrastructure with security enforced at every layer—from DNS to database.

• HTTPS everywhere with HSTS preloading and TLS 1.3
• Cloudflare Pages + Workers for edge-first, serverless processing in 300+ cities
• Encrypted database on Cloudflare's global edge network
• Immutable asset caching with content-hashed URLs and 1-year cache lifetime
• DDoS protection always-on Layer 3/4/7 mitigation through Cloudflare's global anycast network (300+ cities)
• API Shield with OpenAPI schema validation enforced at the edge—invalid methods and paths are blocked before reaching application code
• Encrypted source control with git-crypt for secrets, credentials, and configuration
• SOC 2 Type I certification on the compliance roadmap (Type II to follow)

Abundera runs entirely on Cloudflare's certified infrastructure. Cloudflare holds the certifications below for their physical security, network security, and data center operations. Abundera inherits these controls as a platform customer—we do not hold these certifications independently.

Cloudflare infrastructure certifications (inherited):

Abundera's own compliance — 10 regulatory frameworks:

See detailed assessments for each framework on our compliance page, including the MVSP assessment, GDPR alignment, GLBA compliance, and SOC 2 roadmap.

We keep the list of third-party services that process user data minimal: Cloudflare (infrastructure), Plaid (read-only financial data), Stripe (subscription billing), Zoho Zeptomail (transactional email, primary), Resend (transactional email, fallback), Twilio (SMS notifications), AWS KMS (envelope encryption key management), and Lob (physical mail delivery for Abundera Letters). All hold SOC 2 Type II certification.

No user data is shared with advertising networks, analytics vendors, or AI model providers.

View full sub-processor list →

Every decision above was a deliberate trade-off. We consistently chose the more expensive, more complex, and more secure path—not because it was easy, but because the alternative was unacceptable for a platform that handles your financial life.

Most companies add security after growth. We built it before launch—because retrofitting trust is impossible.

The server never trusts the client. Every input is validated server-side regardless of what the frontend checks. Frontend validation exists for user experience—server-side validation exists for security. They are independent, and the server's verdict is final.

This is a zero-trust data pipeline. User identity comes from the cryptographically verified JWT, never from the request body. You cannot access or modify another user's data regardless of what you send—the server resolves your identity from the signed token and scopes every query accordingly.

Abundera is an early-stage company with a small team. We are transparent about this because we believe it is relevant to your security assessment.

What this means in practice: A small team means a minimal attack surface for insider threats and credential sprawl today, but it also means key person risk and limited separation of duties. We mitigate this through architecture decisions: the platform is designed to operate without human intervention, and every operational procedure is documented so that additional engineers can onboard without proprietary knowledge transfer.

Do you have SOC 2 certification?

Not yet—but we are SOC 2 Aligned, meaning all required controls, policies, and documentation are implemented. Our infrastructure provider (Cloudflare) holds SOC 2 Type II independently. An external audit to obtain our own SOC 2 Type I report is the next milestone—see our compliance roadmap. In the meantime, we maintain a 24/25 MVSP self-assessment, a formal Management Assertion (bridge letter) covering control design and operating effectiveness with a SOC 2 TSC control-to-evidence index, and an enterprise evidence pack—all available on request for procurement teams evaluating pre-attestation vendors.

Have you had an external penetration test?

We run a continuous internal penetration testing program with 908 live attack simulations across 44 categories (JWT attacks, IDOR, injection, SSRF, race conditions, business logic abuse, and more), built by the same team that built the platform. This gives us deeper coverage than generic scanners because the tests target the actual implementation—custom JWT signing, WebAuthn flows, billing gates, shard isolation. We also runstatic security checks on every deployment, 6,118 unit and integration tests, and weekly OWASP ZAP DAST scans. An external human-led penetration test is the next planned milestone on our SOC 2 roadmap. Full program documentation is available upon request.

Where is my data stored?

All data is stored on Cloudflare's global edge network, encrypted at rest by Cloudflare and encrypted at the application layer with AES-GCM for sensitive records (financial data, health data, authentication secrets). See our data handling overview for details.

Do you use passwords?

No. Abundera uses WebAuthn/FIDO2 passkeys exclusively. There are no passwords in the system—nothing to phish, nothing to breach, nothing stored in a hash that could be cracked offline.

Can I request my data or delete my account?

Yes. You can export all of your data or permanently delete your account at any time from Settings. Deletion is irreversible and removes all records, encryption keys, and financial connections. See our privacy policy for retention details.

Can I conduct security testing against Abundera?

Yes, with prior written authorization. See our vulnerability disclosure policy below for scope and guidelines. Enterprise customers may arrange dedicated penetration testing through their account contact.

How do I report a security issue?

Email security@abundera.ai. We acknowledge reports within 48 hours and aim to resolve confirmed vulnerabilities within 90 days (critical issues much sooner).

If you discover a security vulnerability in Abundera, we want to hear about it. We take every report seriously and commit to working with you to understand and resolve the issue promptly.

Scope:

• abundera.ai (all pages and subdomains)
• All API endpoints under /auth/*, /api/*, /plaid/*

Guidelines:

• Do not perform denial-of-service (DoS) attacks
• Do not access, modify, or delete other users' data
• Do not use social engineering against Abundera staff or users
• Do not publicly disclose the vulnerability before we have addressed it
• Provide enough detail for us to reproduce and verify the issue

Response SLAs:

Our commitment:

• Acknowledgment within 48 hours — We will confirm receipt of your report
• Severity-based response — Critical issues triaged within 24 hours, fixes within 7 days
• No legal action — We will not pursue legal action against researchers who follow these guidelines
• Credit & recognition — Confirmed findings are credited in our Hall of Fame (with your permission)

Safe harbor: Security research conducted in accordance with this policy is considered authorized. We will not pursue civil or criminal action against researchers who act in good faith and comply with the guidelines above. This safe harbor is based on the disclose.io simple safe harbor terms.