Engineering

How we think about security at Steddi

September 19, 2024 | 6 min read

[Image: a smartphone wrapped in a chain with a padlock, representing digital security]

When you hand over your financial data to an app, you are trusting that team with some of the most sensitive information you have. We do not take that lightly. This post is about how we approach security at Steddi, what decisions we have made, and why.

We are not going to bury the lede. The short version: we never see your bank login credentials, all data is encrypted, and we do not sell or share your information with anyone. If that is all you needed to hear, great. For everyone who wants the details, keep reading.

We never see your bank password

When you connect a bank account, you are not giving Steddi your login credentials. The entire authentication flow happens through Plaid, a third-party provider used by thousands of financial apps. You log in directly with Plaid, they verify your identity with your bank, and then they send us a secure token that lets us pull your transactions. Read-only. We cannot move money, make payments, or change anything on your account.

Think of it like a valet key for your car. It lets us see the odometer reading, but we cannot drive anywhere.

[Image: a sturdy padlock on a wooden surface]

Security is a baseline, not a feature we upsell

Encryption everywhere

Every piece of data that travels between your browser and our servers is encrypted with TLS. Your data at rest is encrypted too. Our database provider, Convex, handles infrastructure security and maintains SOC 2 compliance. Authentication is managed by Clerk, another industry-standard provider that handles passwords, sessions, and multi-factor auth so we do not have to build those systems ourselves (and risk getting them wrong).
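The two sections above describe a pattern rather than code: the browser finishes the Plaid flow and hands the server only a short-lived public token, the server swaps it for a long-lived read-only access token, and that token is stored encrypted and never sent back to the client. The example below is an added illustration of that pattern, not Steddi's own code. It assumes a tiny `PlaidLike` interface whose method names mirror the Plaid Node SDK (`itemPublicTokenExchange`, `transactionsGet`), swaps in a constructed in-memory fake so it runs offline, and uses AES-256-GCM from Node's `crypto` module for encryption at rest; the key, token strings and transaction data are all constructed for the demo.

```typescript
// Added example (not Steddi's or Plaid's code): server-side handling of a
// read-only bank-data token. The Plaid client sits behind a small interface
// (assumed shape) and is replaced by an in-memory fake below.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

interface Transaction { date: string; name: string; amount: number }

// Minimal subset of the Plaid client surface the app needs (assumption).
interface PlaidLike {
  itemPublicTokenExchange(req: { public_token: string }): Promise<{ access_token: string; item_id: string }>;
  transactionsGet(req: { access_token: string; start_date: string; end_date: string }): Promise<{ transactions: Transaction[] }>;
}

// In production this key comes from a secrets manager; generated here for the demo.
const DATA_KEY = randomBytes(32);

interface StoredItem { itemId: string; iv: string; tag: string; ciphertext: string }

// Encrypt the access token before it touches the database (AES-256-GCM, fresh IV per record).
function encryptToken(token: string, key: Buffer = DATA_KEY): Omit<StoredItem, "itemId"> {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return { iv: iv.toString("base64"), tag: cipher.getAuthTag().toString("base64"), ciphertext: ct.toString("base64") };
}

// Decrypt and authenticate a stored token; a tampered record throws here.
function decryptToken(rec: Omit<StoredItem, "itemId">, key: Buffer = DATA_KEY): string {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(rec.iv, "base64"));
  decipher.setAuthTag(Buffer.from(rec.tag, "base64"));
  return Buffer.concat([decipher.update(Buffer.from(rec.ciphertext, "base64")), decipher.final()]).toString("utf8");
}

// In-memory stand-in for the table of linked bank items.
const items = new Map<string, StoredItem>();

// Step 1: the browser posts only the short-lived public_token. The server exchanges it
// for the long-lived access_token, stores that encrypted, and returns just an item id.
async function linkAccount(plaid: PlaidLike, userId: string, publicToken: string): Promise<{ itemId: string }> {
  const { access_token, item_id } = await plaid.itemPublicTokenExchange({ public_token: publicToken });
  items.set(`${userId}:${item_id}`, { itemId: item_id, ...encryptToken(access_token) });
  return { itemId: item_id };
}

// Step 2: reads go through the stored token. Only a read endpoint is wired up;
// nothing here can move money or change the account.
async function getTransactions(plaid: PlaidLike, userId: string, itemId: string, start: string, end: string): Promise<Transaction[]> {
  const rec = items.get(`${userId}:${itemId}`);
  if (!rec) throw new Error("no linked item for this user");
  const { transactions } = await plaid.transactionsGet({ access_token: decryptToken(rec), start_date: start, end_date: end });
  return transactions;
}

function storedRecord(userId: string, itemId: string): StoredItem | undefined {
  return items.get(`${userId}:${itemId}`);
}

// Constructed fake Plaid backend: records which endpoints were called and
// returns canned data so the example runs without network access.
class FakePlaid implements PlaidLike {
  calls: string[] = [];
  async itemPublicTokenExchange(req: { public_token: string }) {
    this.calls.push("itemPublicTokenExchange");
    if (req.public_token !== "public-sandbox-demo") throw new Error("bad public token");
    return { access_token: "access-sandbox-SECRET", item_id: "item-1" };
  }
  async transactionsGet(req: { access_token: string; start_date: string; end_date: string }) {
    this.calls.push("transactionsGet");
    if (req.access_token !== "access-sandbox-SECRET") throw new Error("bad access token");
    return { transactions: [{ date: "2024-09-01", name: "Coffee", amount: 4.5 }] };
  }
}
```

The two properties worth checking in a real deployment are visible in the flow: the database row never contains the plaintext access token, and the response to the browser contains only an item id, so a leaked client-side bundle or log line does not expose the bank link. Scope is enforced by what the server chooses to call, which is why the "read-only" claim depends on never wiring a money-movement endpoint into the app at all.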

We partner with specialists

Some companies try to build everything in-house. We deliberately chose not to do that for anything security-critical. Plaid for bank connections. Clerk for authentication. Convex for the database. Each of these companies has entire teams dedicated to the thing they do. We would rather use the best tools available than pretend we can match the security expertise of a company that does nothing else.

What we do not do

We do not sell your data. We do not share it with advertisers. We do not run analytics on your spending to recommend products. We do not store your bank credentials. We do not use your financial information for anything other than showing it back to you in a useful way.

Our business model is Pro subscriptions. That is how we make money. When your business model is clear, it is a lot easier to make the right security decisions because there is no incentive to cut corners with user data.

What you can do

We recommend enabling two-factor authentication on your Steddi account. Use a strong, unique password. If you ever notice anything suspicious, email us at security@steddi.com and we will investigate immediately. We take every report seriously.

Security is not a checkbox we tick and forget about. It is something we think about with every feature we build and every vendor we choose. If you have questions about how we handle your data, reach out. We are happy to answer.

The Steddi Team
