How we use encryption

Last verified 2026-05-08 by technical-writer-agent.

MoneyVue protects your data with encryption in transit and encryption at rest. Here's where each applies.

In transit

Every connection between your browser (or mobile app) and MoneyVue uses TLS 1.2 or 1.3 — the same standard banks use. The HTTPS endpoint is moneyvue.app. We do not accept HTTP for application traffic.

Inside our cloud:

  • Database connections use TLS.
  • Internal service-to-service calls run over private networks.
  • Outbound calls to providers (SimpleFIN, AI providers, Stripe) all use HTTPS.

At rest

Sensitive fields are encrypted before they hit disk:

  • SimpleFIN access URLs — AES-256-GCM with per-row IV and auth tag.
  • AI provider API keys — AES-256-GCM with per-row IV and auth tag.
  • Database backups — encrypted by AWS with managed keys.
  • Disk volumes — encrypted by AWS at the volume level.

Less sensitive data (transaction amounts, categories, etc.) is stored in Postgres on encrypted volumes but not field-level encrypted, so the database can index and query it efficiently.

Encryption keys

Keys for field-level encryption (SimpleFIN URLs, AI keys) are kept in environment configuration on the production server, never checked into source. They are rotated on a regular schedule. Backups of keys are stored separately from data backups.
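As an added illustration (not MoneyVue's code), this Node.js example shows what "AES-256-GCM with per-row IV and auth tag" and a key loaded from environment configuration look like in practice. The variable name FIELD_ENC_KEY_HEX, the stored layout (IV, then tag, then ciphertext, base64-encoded) and the binding of each ciphertext to its row through additional authenticated data are assumptions, not details from this page.

```javascript
// Added example: field-level AES-256-GCM with a fresh IV and auth tag per row.
// Not MoneyVue's code; the names and the storage layout are assumptions.
const crypto = require('node:crypto');

const IV_LEN = 12;   // 96-bit IV, the size GCM is designed around
const TAG_LEN = 16;  // 128-bit authentication tag

// Load the 32-byte key from environment configuration (hypothetical variable name).
function loadKey(env = process.env) {
  const key = Buffer.from(env.FIELD_ENC_KEY_HEX || '', 'hex');
  if (key.length !== 32) throw new Error('FIELD_ENC_KEY_HEX must be 64 hex characters');
  return key;
}

// Encrypt one field. `context` (for example "table.column:rowId") is authenticated
// but not encrypted, so a ciphertext copied into another row fails to decrypt.
function encryptField(key, plaintext, context) {
  const iv = crypto.randomBytes(IV_LEN); // new IV for every row; never reuse one under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(key, stored, context) {
  const buf = Buffer.from(stored, 'base64');
  if (buf.length < IV_LEN + TAG_LEN) throw new Error('stored value too short');
  const iv = buf.subarray(0, IV_LEN);
  const tag = buf.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = buf.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the key, IV, tag, ciphertext or context does not match
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns true when decryption is rejected instead of yielding plaintext.
function rejects(key, stored, context) {
  try { decryptField(key, stored, context); return false; } catch { return true; }
}
```

Because the IV and tag travel with each stored value, rotating the key means decrypting every row with the old key and re-encrypting it with the new one.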

Passwords

Your password is never stored — only a strong hash with a per-user salt. A leak of the database does not leak passwords directly; cracking each hash takes serious compute.

Passkeys

Passkeys (WebAuthn) use public-key cryptography. Your device generates a key pair when you register; only the public key is sent to MoneyVue. The private key never leaves your device.

What encryption doesn't fix

Encryption protects data from being read if a database or backup is leaked. It does not protect against:

  • A compromised account password (use a long passphrase, add a passkey).
  • A compromised endpoint (don't sign in on shared computers).
  • Phishing (we never email asking for your password).

FAQ

Is my data end-to-end encrypted? No. End-to-end encryption would mean MoneyVue couldn't categorize, search, or compute on your data — that's incompatible with how the app works. Data is encrypted in transit and at rest, with field-level encryption for the most sensitive bits.

Can I supply my own encryption key? Customer-managed keys are not currently offered.

What about quantum-resistance? TLS and the cipher and hash algorithms in use today (AES-256, SHA-256) are not broken by current quantum computers. Migration plans for post-quantum primitives will follow industry standards.
