Enterprise-Grade Security for Your Financial Data
We treat your payment data with the same security standards as banks and financial institutions. Here's how we protect you.
Encryption in Transit
All data transmitted between your browser and our servers uses TLS 1.3 encryption with perfect forward secrecy. Your CSV files are encrypted before they ever leave your computer.
Encryption at Rest
Uploaded files are encrypted with AES-256 in Firebase Storage. Encryption keys are managed separately and rotated regularly.
Secure Authentication
User authentication is handled by Firebase Auth with industry-standard password hashing (bcrypt). We support 2FA and will never store passwords in plain text.
In-Memory Processing
CSV files are processed in-memory whenever possible. We minimize disk writes and ensure temporary processing data is securely wiped.
Automatic Data Deletion
Uploaded files are automatically deleted after 30 days. You can manually delete files anytime from your Exports page.
Access Controls
Your files are accessible only to you. Our engineers cannot view your data without explicit permission and audit logging.
Secure Infrastructure
Hosted on Google Cloud Platform (Firebase) with a 99.95% uptime SLA, automatic security patches, and DDoS protection.
Continuous Monitoring
We use Sentry for error tracking and security monitoring. Anomalous access patterns trigger immediate alerts.
Compliance & Certifications
SOC 2 Type II Compliance
We are actively working toward SOC 2 Type II certification, which validates our security controls around:
- Security (access controls, encryption, monitoring)
- Availability (uptime, disaster recovery)
- Processing integrity (data accuracy and completeness)
- Confidentiality (data protection and privacy)
Note: Our infrastructure providers (Google Cloud/Firebase, Stripe) are SOC 2 Type II certified.
GDPR Compliance
We comply with the General Data Protection Regulation (GDPR) for European users:
- Right to access your data
- Right to deletion (account deletion available anytime)
- Right to portability (export your data)
- Data processing agreements available upon request
- Data stored in the US with standard contractual clauses
PCI DSS Compliance
We do not store credit card data. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor (the highest level of certification).
How We Handle Your Data
What We Store
- Account information: Email, name, encrypted password
- Uploaded CSV files: Stored encrypted for 30 days
- Generated output files: Stored encrypted for 30 days
- Transaction metadata: Upload timestamps, file sizes, export counts
- Subscription/credit data: Purchase history, current balance
What We Don't Store
- Credit card numbers (handled by Stripe)
- Social Security Numbers or Tax IDs
- Bank account credentials
- QuickBooks login information
Processing Locations
Your data is processed in:
- United States (primary): Firebase Storage (us-central1)
- In-memory processing: Cloud Functions (us-central1)
Data is not transferred outside of Google Cloud Platform's secure infrastructure.
Data Retention Policy
- CSV files: 30 days after upload, then permanently deleted
- Account data: Retained until account deletion
- Transaction history: 7 years (required for accounting/tax compliance)
- Deleted account data: Purged within 30 days of deletion request
Third-Party Access
We do not sell or share your data with third parties, except:
- Service providers: Firebase (hosting), Stripe (payments), SendGrid (transactional emails)
- Legal requirements: If required by law or court order
- Business transfer: In the event of a merger or acquisition (you will be notified)
Security Incident Response
If We Detect a Breach
In the unlikely event of a security incident involving your data, we will:
- Notify you within 72 hours via email
- Describe what data was affected
- Explain what we're doing to contain and remediate
- Provide recommended actions for you to take
- Report to relevant authorities if required by law
If You Suspect a Breach
If you notice suspicious activity on your account:
- Immediately change your password from Settings
- Delete any sensitive files from the Exports page
- Email us at support@infinitegrowventures.com with subject line "SECURITY ALERT"
- We will investigate and respond within 24 hours
Security Best Practices for Users
Protect Your Account
- Use a strong, unique password (12+ characters, mixed case, numbers, symbols)
- Never share your password with anyone
- Log out when using shared or public computers
- Enable 2FA (two-factor authentication) when available
Protect Your Files
- Only upload files from trusted sources (Stripe, PayPal directly)
- Download and verify exported files, then delete them from our servers
- Do not share file download links (they contain access tokens)
- Delete old exports you no longer need
Protect Your Computer
- Keep your operating system and browser updated
- Use antivirus/anti-malware software
- Avoid accessing TrestleFinance on public Wi-Fi (use a VPN if necessary)
- Be cautious of phishing emails claiming to be from TrestleFinance
Phishing Warning:
We will never ask for your password via email. Our domain is trestlefinance.com. Be suspicious of emails from similar-looking domains.
Security Transparency
Our Commitments
- We will never sell your data to third parties
- We will notify you of material security changes
- We will maintain industry-standard security practices
- We will cooperate with security researchers (responsible disclosure)
Reporting Vulnerabilities
If you discover a security vulnerability in TrestleFinance, please report it responsibly:
- Email support@infinitegrowventures.com with subject "SECURITY VULNERABILITY"
- Provide detailed steps to reproduce the issue
- Give us a reasonable time to fix the issue (we aim for 90 days)
- Do not publicly disclose until we've patched
We appreciate responsible disclosure and will acknowledge security researchers who help us improve.
Questions About Security?
We're happy to discuss our security practices in detail. Contact our team anytime.