Data Encryption
At rest: All workspace data — transactions, budgets, client records, team information — is encrypted using AES-256. Encryption applies to every field in every database record.
In transit: All communication between your browser and Money OS uses TLS 1.3. HTTP connections are automatically redirected to HTTPS. HSTS is enforced.
Encryption keys: Managed by a hardware security module (HSM). Keys are never stored alongside the data they encrypt. Key rotation occurs annually.
Authentication
Password Requirements
- Minimum 12 characters
- No maximum length
- Common passwords rejected (checked against the Have I Been Pwned database at registration)
- Passwords are hashed using Argon2id — they are never stored in plaintext
Two-Factor Authentication (2FA)
2FA adds a second verification step at login. Strongly recommended for all Admins.
Supported 2FA methods:
- TOTP authenticator apps — Google Authenticator, Authy, 1Password, Bitwarden
- Email OTP — One-time code delivered to your account email
To enable 2FA:
- Go to Settings → Security → Two-Factor Authentication
- Select your preferred method
- Scan the QR code with your authenticator app (TOTP) or verify via email
- Save your backup codes in a secure location
Backup codes are shown once at setup. Store them in a password manager or secure document. Losing access to your 2FA method and backup codes will require identity verification to recover your account.
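As an added example (not Money OS code), the block below implements the server side of the TOTP setup and login flow described above: generating the secret that the QR code encodes, verifying a six-digit code with a one-step tolerance for clock drift, and issuing backup codes that are shown once, stored only as hashes, and accepted only once. The `otpauth://` URI format and the RFC 6238 test secret used in the demo are standard; the issuer label and the ten-code batch size are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # also accept the previous and next step to absorb clock drift


def new_secret(nbytes: int = 20) -> str:
    """Fresh random secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str = "Money OS") -> str:
    """The otpauth:// URI that the setup QR code encodes (issuer label is assumed)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """Current TOTP code (or the code for Unix time `at`)."""
    key = base64.b32decode(secret_b32, casefold=True)
    t = int(time.time() if at is None else at)
    return hotp(key, t // STEP)


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None) -> bool:
    """Accept the code for the current step or its immediate neighbours, in constant time per candidate."""
    key = base64.b32decode(secret_b32, casefold=True)
    t = int(time.time() if at is None else at)
    counter = t // STEP
    candidates = [c for c in range(counter - WINDOW, counter + WINDOW + 1) if c >= 0]
    return any(hmac.compare_digest(hotp(key, c), code.strip()) for c in candidates)


def new_backup_codes(n: int = 10):
    """Return (plaintext codes to show the user once, hashes the server stores)."""
    codes = [secrets.token_hex(5) for _ in range(n)]          # 10 hex chars each
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: set, code: str) -> bool:
    """Each backup code works exactly once: its hash is removed on success."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored:
        stored.remove(h)
        return True
    return False


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "admin@example.test"))
    print("current code:", totp(secret), "valid:", verify_totp(secret, totp(secret)))
    codes, stored = new_backup_codes()
    print("first backup code redeems once:", redeem_backup_code(stored, codes[0]),
          "then fails:", redeem_backup_code(stored, codes[0]))
```

The backup codes are random and high-entropy, so a plain SHA-256 is enough to protect them at rest; user-chosen passwords still need Argon2id as stated above. A production implementation should also record the last accepted TOTP counter per user so a captured code cannot be replayed within the drift window.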
Enforcing 2FA for your team: Admins can enforce 2FA for all workspace members in Settings → Security → Team 2FA Policy. Members who haven’t enabled 2FA are locked out until they do.
Access Controls
Role-Based Access
Money OS uses role-based access control (RBAC). Every API request is verified against the requesting user’s role before data is returned or modified. See Team Members for the full permissions matrix.
Session Management
- Sessions expire after 14 days of inactivity
- All active sessions are visible in Settings → Security → Active Sessions
- You can revoke any session remotely (useful if a device is lost or stolen)
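The example below is added here and is not Money OS code; it ties together the two controls described above: a session store with a sliding 14-day inactivity expiry, remote listing and revocation of a user's sessions, and a per-request authorization step that validates the session first and then checks the caller's role. The permission matrix is a hypothetical stand-in for the one on the Team Members page, and the `now` parameter exists only so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT = 14 * 24 * 3600   # from the page: sessions expire after 14 days of inactivity

# Hypothetical permission matrix; the real one lives on the Team Members page.
PERMISSIONS = {
    "admin":  {"transactions:read", "transactions:write", "team:manage", "sessions:revoke"},
    "member": {"transactions:read", "transactions:write"},
    "viewer": {"transactions:read"},
}


@dataclass
class Session:
    user_id: str
    role: str
    device: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory store keyed by an opaque random token (a real deployment would persist this)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, role: str, device: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, role, device, now, now)
        return token

    def touch(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        """Validate a session for an incoming request. Sliding expiry: activity resets the clock."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_seen > INACTIVITY_LIMIT:
            del self._sessions[token]          # expired: drop it so it can never be revived
            return None
        s.last_seen = now
        return s

    def list_for_user(self, user_id: str) -> List[dict]:
        """What the Active Sessions screen would show (tokens themselves are never exposed)."""
        return [{"device": s.device, "created_at": s.created_at, "last_seen": s.last_seen}
                for s in self._sessions.values() if s.user_id == user_id]

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(token, None) is not None

    def revoke_all_for_user(self, user_id: str, keep: Optional[str] = None) -> int:
        """Remote revocation after a lost or stolen device; optionally keep the current session."""
        doomed = [t for t, s in self._sessions.items() if s.user_id == user_id and t != keep]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def authorize(store: SessionStore, token: str, permission: str,
              now: Optional[float] = None) -> Tuple[int, str]:
    """Run on every API request: authenticate the session, then enforce the role. Returns (status, reason)."""
    s = store.touch(token, now)
    if s is None:
        return 401, "session missing or expired"
    if permission not in PERMISSIONS.get(s.role, set()):
        return 403, f"role '{s.role}' lacks '{permission}'"
    return 200, "ok"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("u1", "viewer", "laptop")
    print(authorize(store, tok, "transactions:read"))    # (200, 'ok')
    print(authorize(store, tok, "transactions:write"))   # (403, ...)
    print(store.list_for_user("u1"))
```

Checking the session before the role means an expired session always yields 401 rather than leaking whether the permission exists, and because the store rejects expired sessions on touch rather than on a background sweep, the 14-day limit holds even if cleanup jobs lag.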
Infrastructure Security
Money OS is hosted on Vercel (application layer) and MongoDB Atlas (database layer).
| Layer | Provider | Security Certifications |
|---|---|---|
| Application | Vercel | SOC 2 Type II |
| Database | MongoDB Atlas on AWS | SOC 2 Type II, ISO 27001 |
| DNS | Cloudflare | DDoS protection, WAF |
No customer data is stored on Vercel. Vercel serves the application code. All data lives in MongoDB Atlas.
Responsible Disclosure
If you discover a security vulnerability, report it to security@moneyos.webasthetic.in.
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
We respond within 48 hours and aim to resolve critical issues within 7 days.
Do not publicly disclose vulnerabilities before we’ve had a chance to patch them.