Compound holds sensitive financial data, so we take security seriously and design on the assumption that some component will eventually fail: when it does, the rest of the system must still hold.
Storage
- Data is stored in Cloudflare D1 (encrypted in transit and at rest, U.S. region, ISO 27001 + SOC 2 Type II).
- Authentication is handled by Supabase Auth — separate from your financial data, so an authentication-side compromise alone doesn't expose financial records.
- Sensitive values (Plaid access tokens, coach-private notes, the last-four account mask) are encrypted at the application layer with AES-256-GCM before they touch the database.
Authentication
- No passwords — sign-in is via magic link or 6-digit code sent to your email.
- Two-factor authentication (TOTP) available to every user.
- Step-up re-verification required for destructive actions (account deletion, regenerating recovery codes, signing out all devices).
- Active sessions are visible to you and individually revokable.
- Two-hour idle timeout on the portal — leaving a laptop open eventually requires re-signing in.
Access
- Every database query is scoped to your authenticated user id, server-side. One user's data can't be accessed through another user's session.
- Coach access is opt-in, read-only, transparently logged, and revokable from your settings.
- Administrator access is limited to one identity, scoped, and logged. Coach-private session notes are inaccessible even to the platform administrator.
Bank Connections
- Bank credentials never touch our servers — they go directly to Plaid.
- We receive an access token, encrypted before storage, that can only retrieve balances and transactions — not move money or change anything at your bank.
- Disconnecting from Settings → Accounts revokes the token within seconds.
Operations
- Webhook signatures from Plaid and Stripe are verified before any data is processed.
- Anomaly detection runs continuously — unusual sign-in patterns or read volumes alert the admin.
- Daily automated database integrity checks. Append-only audit log of every administrative or coach access.
- Account deletion is fully automated after a 7-day grace period; no manual support ticket is required, so erasure happens on schedule.
For the deeper detail, see our Privacy Policy and Terms.