Security & Trust
Your clients' data, treated like our own.
Compound handles real bank data for coaches and the families they work with. Here's exactly how we protect it — in plain language, so you can put it in front of a client or a compliance reviewer.
Field-level encryption
Bank access tokens, Plaid item identifiers, account masks, and coach-private session notes are encrypted with AES-256-GCM at the application layer before they are ever written to storage — on top of encryption in transit (TLS) and at rest. Decrypted values are never logged or returned raw to the browser.
Per-user data isolation
Every query that touches financial data is scoped to a single user id taken from the server-verified session — never from a URL or request body. A request that tries to read another user's records returns a 404 and is recorded as an anomaly.
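The rule above, shown as an added JavaScript example (not Compound's own code): the handler takes the user id only from a session lookup, applies the owner filter inside the data-access helper, and answers a cross-user read with a 404 while recording an anomaly. The in-memory tables, session tokens, and function names are assumptions constructed for illustration.

```javascript
// Constructed sample data: two users' accounts in an in-memory "table".
const accounts = [
  { id: "acct_1", userId: "user_a", mask: "1234", balance: 2500 },
  { id: "acct_2", userId: "user_b", mask: "9876", balance: 410 },
];

// Hypothetical anomaly sink; a real system would write to its audit log.
const anomalies = [];

// Hypothetical session store: token -> server-verified user id.
const sessions = new Map([["tok_a", "user_a"], ["tok_b", "user_b"]]);

// Data-access helper: the owner filter is part of every lookup, so no caller
// can forget it. The user id argument only ever comes from the session.
function findAccountForUser(sessionUserId, accountId) {
  return accounts.find((a) => a.id === accountId && a.userId === sessionUserId) || null;
}

// Request handler. `req` carries a session token and a path parameter.
// Any userId in req.query or req.body is client-supplied and never read.
function getAccount(req) {
  const sessionUserId = sessions.get(req.sessionToken);
  if (!sessionUserId) return { status: 401, body: { error: "unauthenticated" } };

  const account = findAccountForUser(sessionUserId, req.params.accountId);
  if (!account) {
    // Same 404 whether the record is missing or owned by someone else, so the
    // response does not confirm that another user's record exists.
    const existsElsewhere = accounts.some((a) => a.id === req.params.accountId);
    if (existsElsewhere) {
      anomalies.push({ type: "cross_user_read", actor: sessionUserId, target: req.params.accountId });
    }
    return { status: 404, body: { error: "not found" } };
  }
  // Return only the fields the caller needs, never the whole stored row.
  return { status: 200, body: { id: account.id, mask: account.mask, balance: account.balance } };
}
```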
Magic-link authentication
No passwords to phish or reuse. Sign-in is by magic link, with refresh-token rotation, sliding idle timeouts, and a hard session lifetime cap. Optional TOTP-based MFA is supported.
Read-only coach access
A connected coach can read a client's financial data but can never move money or edit it. Access is opt-in, granted by the client, and revocable by the client in one click. Coaching tools like notes and goal proposals are additive and never overwrite client data.
Audit logging & a client-visible access log
Sensitive events — sign-in, financial-data access, bank connect/disconnect, settings changes, account deletion — are written to an append-only audit log. Separately, every time a coach views a client's data it is recorded in a transparency log the client can read themselves.
Least-data by design
We request only the Plaid products a feature actually needs and store only the fields we use — no hoarding of raw bank responses. Card numbers are handled entirely by Stripe and never touch our servers.
Built on certified infrastructure
We don't run our own data centres. Compound is built on a small set of providers whose security programs are independently audited. Their current certifications are summarised below; the full, up-to-date list of every provider that touches data is on our sub-processors page.
| Provider | Role | Certifications |
|---|---|---|
| Cloudflare | Hosting, edge network, and primary encrypted storage | SOC 2 Type II, ISO 27001, PCI DSS |
| Supabase | Authentication & identity | SOC 2 Type II |
| Plaid | Bank connectivity & transaction data | SOC 2 Type II, ISO 27001 |
| Stripe | Subscription billing & payments | PCI DSS Level 1, SOC 2 |
Certification names refer to each provider's own audited programs. Make It Compound inherits these controls but does not itself claim them unless stated.
Data retention & deletion
- Clients own their data. They can export it any time and delete their account self-serve, which permanently erases their records after a short grace period.
- When a bank is disconnected or a subscription is cancelled, the associated Plaid access tokens are revoked.
- Audit logs are retained for 90 days; financial transaction history is kept on a defined hot-window and archival schedule. See the Privacy Policy for specifics.
- A coach can read a client's data only while an active connection exists. The moment a client disconnects, coach access ends.
For coaches & business customers
When you connect clients to your dashboard, you act as the controller of their personal data and Make It Compound acts as your processor. We offer a Data Processing Agreement that sets out each party's obligations, our security measures, sub-processor list, and breach-notification commitments.
Responsible disclosure
Found a vulnerability? We want to hear about it. Email security@makeitcompound.com with details and steps to reproduce. We'll acknowledge your report, keep you updated, and won't pursue action against good-faith research that respects our users' privacy and data.
Last updated: June 3, 2026