Security

Built for financial data from the ground up

CreditGlance handles sensitive financial information. Every architectural decision is made with that responsibility in mind.

Data is never stored in plain text

Raw bank transactions are processed in memory and immediately discarded. The platform stores only summarised, anonymised metrics - not individual transactions, account numbers, or balances.

Report contents are encrypted

Report payloads are encrypted using XChaCha20-Poly1305 with X25519 key exchange. Only the intended recipient - with the correct key - can read the content. We cannot read it. Encrypted data at rest uses AES-256-GCM.

No PDFs, no static exports

Reports exist only as time-limited web links. There is no downloadable file to leak, forward, or screenshot without accountability. Access is tracked and logged.

Token-based sharing with expiry

Every share link is backed by a unique cryptographic token. Links expire automatically and can be revoked instantly. Once revoked, the link is inaccessible - even if the URL was saved.

Immutable audit log

Every meaningful action - report generation, link sharing, access events, revocations - is written to an append-only audit log. Entries cannot be modified or deleted.

Regulated open banking

Bank connections are made through PSD2-regulated open banking APIs (TrueLayer, GoCardless/Nordigen). We use short-lived access tokens encrypted at field level. We never hold your banking credentials.

Transport security

All traffic is served over HTTPS with HSTS. Platform infrastructure runs on Vercel with DDoS protection and edge caching for static assets.

Secure sessions

Sessions are stored server-side and expire automatically. Authentication is passwordless: magic links carry one-time tokens with a 15-minute validity window, so there are no passwords to steal.