Last updated: March 12, 2026
VineWealth is designed to protect consumer financial data, account credentials, and household information using layered administrative, technical, and platform controls. We use managed cloud infrastructure, centralized authentication, row-level access controls, and monitored server-side integrations to reduce risk.
We require TLS for data in transit between clients, APIs, and managed service providers. Data stored in our managed database environment is protected using platform-level encryption at rest. At this time, VineWealth does not apply separate field-level encryption to every Plaid-derived consumer data field before storage.
End-user authentication is handled through Supabase Auth. Access to application data is constrained by application checks, database row-level security, and server-side boundaries. Sensitive server-side credentials and Plaid access tokens are not exposed to client applications.
We follow least-privilege and need-to-know principles for both human and non-human access. Access is reviewed periodically and revoked when no longer necessary.
VineWealth supports stronger authentication controls including mobile code-based MFA and passkey/WebAuthn-based factors where available. Phishing-resistant MFA is our target standard for privileged and workforce access.
When you connect financial accounts through Plaid, VineWealth receives account and transaction data needed to provide the service. We do not receive your bank login credentials. Plaid access tokens are stored server-side and are restricted to privileged server operations only.
Production webhook processing includes authentication checks before changes are processed, and sandbox-only endpoints are disabled in production environments.
We review production-impacting changes, monitor operational failures and security issues, and prioritize remediation of vulnerabilities affecting public-facing endpoints, authentication, authorization, or sensitive data exposure.
We retain customer and operational data only as long as needed to provide the service, support users, maintain security, and meet legal or contractual obligations. When data is no longer needed, we remove it from active systems and rely on managed provider lifecycle controls for backups and snapshots where applicable.
For security questions, vulnerability reports, or policy inquiries, contact us at benjaminandrewask@gmail.com.