Security
How we protect your financial data, in plain English. Read our Privacy Policy for the full legal-grade version.
Encryption
- In transit: every connection between your device, Cilantro's backend, and our vendors uses TLS 1.2 or newer (the Cloud Run default negotiates TLS 1.3 where the client supports it).
- At rest — bank access tokens: Plaid access tokens are encrypted with AES-256-GCM using a server-held key before being written to the database. The plaintext token never appears on disk.
- At rest — database: our Postgres database (Cloud SQL) is encrypted at rest with Google-managed keys.
- Passwords: stored only as bcrypt hashes (salted, work factor 10). We never see your plaintext password.
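As an added illustration of the at-rest token scheme described above (this is example code, not Cilantro's own implementation): a Go sketch that encrypts a Plaid access token with AES-256-GCM under a 32-byte server-held key, draws a fresh nonce per write, and binds the database row id as associated data so a blob copied onto another row fails to decrypt. The key source and the row-id binding are assumptions, not something this page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD builds AES-256-GCM from the 32-byte server-held key (assumed to come from Secret Manager).
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // only fails on bad key length, checked above
	return cipher.NewGCM(block)
}

// sealToken encrypts a Plaid access token before it is written to the database.
// A fresh random 96-bit nonce is prefixed to the output (blob = nonce||ct||tag),
// and recordID is bound as associated data so a blob moved to another row fails.
func sealToken(key []byte, recordID, token string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(token), []byte(recordID)), nil
}

// openToken reverses sealToken. Any bit flip in the blob, or a mismatched
// recordID, makes GCM tag verification fail and no plaintext is returned.
func openToken(key []byte, recordID string, blob []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Only the sealed blob is written to the row; the plaintext token exists in process memory just long enough to be sealed or used.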
Authentication
- Email + password sign-in with bcrypt.
- Sign in with Apple supported in the iOS app.
- Optional Face ID / passcode gate before opening the app.
- Face ID confirmation required before initiating a new bank connection.
- Backend session JWTs expire after 30 days.
Bank connectivity (Plaid)
- Bank connections are powered by Plaid, a SOC 2 Type II–audited financial-data infrastructure provider used by tens of thousands of fintech apps.
- Cilantro never sees your bank credentials. Plaid's hosted Link flow handles the credentials exchange directly with your institution.
- Cilantro receives only an opaque access token that is encrypted before storage.
- We use Plaid's read-only data endpoints. Cilantro cannot move money or initiate transfers.
AI features (Anthropic)
- The Ask tab and Weekly digest features use Anthropic's Claude models. Only the data needed to answer the question (your accounts, recent transactions, detected subscriptions) is sent in the request.
- Anthropic does not train its models on data submitted via the API. See Anthropic's Privacy Policy.
Hosting and access control
- Cilantro's backend runs on Google Cloud Run; the database is Google Cloud SQL Postgres. Both are hosted in the United States.
- Production secrets (encryption keys, API keys, database password) live in Google Secret Manager and are mounted into the running service at boot — they are never checked into source control.
- Production access is limited to authorized engineering staff and is logged via Google Cloud audit logging.
- The Cilantro server is a managed serverless instance; we don't run our own SSH-able machines.
What we don't do
- We do not sell your data. Ever.
- We do not share your data with advertisers or data brokers.
- We do not use your transaction data to build advertising audiences.
- We do not set tracking cookies or run analytics pixels on this website.
- We cannot move money on your behalf.
Incident response
If we discover a security incident affecting your data, we will notify affected users by email within 72 hours of confirming the incident, with a description of what happened, what data was involved, and what you should do (if anything). We log production access continuously to speed up forensic review.
Reporting a vulnerability
Found something concerning? Email security@highloop.co (or support@highloop.co if the former bounces). We respond to all good-faith reports within 5 business days. Please don't publish the details until we've had a chance to fix them.