Security
Last updated: January 3, 2026
At OneBudget, we take the security of your financial data seriously. This page outlines the security measures we have in place to protect your information.
Access Controls
The OneBudget team does not access or interact with customer data as part of normal operations. The exceptions are when a customer asks OneBudget to access their information, or when access is required by law.
All data access is:
- Access-controlled and limited to essential personnel only
- Accompanied by customer approval or legal authorization
- Documented with the reason for access and the access start and end time
- Logged and monitored for security purposes
Password Security
- Passwords are salted and hashed with PBKDF2 (Password-Based Key Derivation Function 2), a deliberately slow one-way function run for multiple iterations, so the password itself is never stored and cannot be recovered from the hash
- Even if our database were compromised, an attacker would obtain only per-user salted hashes and would have to guess each password individually, paying the full PBKDF2 cost for every guess
- We enforce strong password requirements (length and complexity)
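As an added illustration of the scheme described above (example code written for this page, not OneBudget's own implementation), the following Python shows how PBKDF2 password storage is normally put together: a random per-user salt, a self-describing stored record that carries its own iteration count, a constant-time comparison on verification, and a transparent upgrade of older records to a higher iteration count at the next successful login. The record format, the 600,000-iteration default (OWASP's current guidance for PBKDF2-HMAC-SHA256) and the sample passwords are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical parameters for this example, not OneBudget's actual settings.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt per password means two users with the same password get
    different records, and precomputed (rainbow) tables are useless against them.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def _parse(record: str) -> tuple[int, bytes, bytes]:
    algorithm, iterations, salt, digest = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return int(iterations), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then compare in constant time."""
    iterations, salt, expected = _parse(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    # hmac.compare_digest does not leak how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy requires.

    Iteration counts must rise as hardware gets faster. The plaintext is only
    available at login, so the upgrade has to happen right after a successful verify.
    """
    iterations, _, _ = _parse(record)
    return iterations < target_iterations


def login(password: str, record: str) -> tuple[bool, str]:
    """Verify the password and transparently upgrade a weak record on success.

    Returns (accepted, record_to_store); the caller persists the record if it changed.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a legacy record made with a low iteration count.
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    accepted, upgraded = login("correct horse battery staple", legacy)
    print(accepted, needs_rehash(legacy), needs_rehash(upgraded))  # True True False
    print(verify_password("Tr0ub4dor&3", upgraded))  # False
```

Storing the iteration count inside the record is what makes "multiple iterations" sustainable: the count can be raised at any time and old records are migrated one by one as their owners log in, without a password reset.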
Brute Force Protection
We defend against brute-force password attacks by rate-limiting login attempts and locking accounts after repeated failed attempts.
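The following Python, added here as an illustration and not OneBudget's own code, shows one way to implement the rate limiting and lockout described above: a sliding window of recent failures per submitted username and per source IP, a lockout whose duration doubles each time it is triggered again, and a check that runs before the deliberately slow password hash. The thresholds, class names and the addresses used in the demonstration are assumptions made for the example.

```python
import math
import time
from collections import defaultdict, deque
from typing import Callable, Optional
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    # Hypothetical thresholds chosen for this example; tune them against real traffic.
    window_seconds: int = 600          # failures older than this no longer count
    max_failures_per_account: int = 5  # reaching this locks the account
    max_failures_per_ip: int = 20      # catches one address spraying many accounts
    base_lockout_seconds: int = 60     # doubles with each successive lockout ...
    max_lockout_seconds: int = 3600    # ... up to this cap


@dataclass
class _AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0
    lockouts: int = 0  # successive lockouts; drives the exponential backoff


class FakeClock:
    """Controllable clock so lockout expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_000.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    """Sliding-window failure counting, escalating per-account lockout, and a per-IP cap."""

    def __init__(self, policy: Optional[Policy] = None, clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy or Policy()
        self.clock = clock
        self.accounts: dict[str, _AccountState] = defaultdict(_AccountState)
        self.ip_failures: dict[str, deque] = defaultdict(deque)

    def _prune(self, q: deque, now: float) -> None:
        cutoff = now - self.policy.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()

    def retry_after(self, username: str, ip: str) -> int:
        """Seconds until this (username, ip) pair may try again; 0 means allowed now."""
        now = self.clock()
        wait = 0.0
        acct = self.accounts.get(username)  # .get(): probing a name must not allocate state
        if acct:
            wait = acct.locked_until - now
        ipq = self.ip_failures.get(ip)
        if ipq:
            self._prune(ipq, now)
            if len(ipq) >= self.policy.max_failures_per_ip:
                # Blocked until the oldest failure ages out of the window.
                wait = max(wait, ipq[0] + self.policy.window_seconds - now)
        return math.ceil(wait) if wait > 0 else 0

    def record_failure(self, username: str, ip: str) -> None:
        now = self.clock()
        self.ip_failures[ip].append(now)
        acct = self.accounts[username]  # keyed by the *submitted* name, so unknown
        acct.failures.append(now)       # users are throttled exactly like real ones
        self._prune(acct.failures, now)
        if len(acct.failures) >= self.policy.max_failures_per_account:
            acct.lockouts += 1
            duration = min(self.policy.base_lockout_seconds * 2 ** (acct.lockouts - 1),
                           self.policy.max_lockout_seconds)
            acct.locked_until = now + duration
            acct.failures.clear()

    def record_success(self, username: str) -> None:
        # A genuine login clears the account's history but not the IP history:
        # an attacker who gets one account right stays throttled on the others.
        self.accounts.pop(username, None)

    def attempt(self, username: str, ip: str, check_password: Callable[[], bool]) -> str:
        """One login attempt: returns 'locked', 'denied' or 'ok'. Show the same generic
        error for 'denied' and for an unknown username so failures reveal nothing."""
        if self.retry_after(username, ip) > 0:
            return "locked"  # skip the deliberately slow password hash for a locked pair
        if not check_password():
            self.record_failure(username, ip)
            return "denied"
        self.record_success(username)
        return "ok"


if __name__ == "__main__":
    clock, ip = FakeClock(), "203.0.113.5"  # constructed: RFC 5737 documentation address
    guard = LoginGuard(Policy(), clock)
    for _ in range(5):
        guard.attempt("alice", ip, lambda: False)
    print(guard.attempt("alice", ip, lambda: True), guard.retry_after("alice", ip))  # locked 60
    clock.advance(60)
    print(guard.attempt("alice", ip, lambda: True))  # ok
```

Two points a practitioner should take from it. First, an account lockout on its own is a denial-of-service lever, since anyone who knows a username can lock its owner out; that is why the lockout here is time-bounded and escalating rather than permanent, and is paired with a per-IP cap that catches an attacker spraying one password across many accounts. Second, failures are counted against whatever username was submitted, so a non-existent account behaves exactly like a real one and the lockout cannot be used to enumerate users. The in-memory state is only suitable for a single process; behind Lambda or any other horizontally scaled front end the counters must live in a shared store with TTLs so every instance sees the same picture.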
Data Deletion
Should you choose to delete your OneBudget account, all of your financial data is completely and irreversibly removed from the OneBudget database. We do not simply mark your account as inactive—we completely destroy all account data.
To be clear, you must explicitly request this deletion. If you happen to let your account lapse accidentally, we don't assume you mean "DESTROY ALL MY DATA." That would be a horrible assumption.
Data Retention
We retain account data for a limited period after an account expires (whether through trial expiration or subscription expiration), unless you delete your account as described above. More information on data retention can be viewed in our Privacy Policy.
Infrastructure Security
Our entire infrastructure is built on Amazon Web Services (AWS), which continually manages risk and undergoes recurring assessments to comply with industry standards.
AWS Infrastructure Certifications
- ISO 27001 (Information Security Management)
- SOC 2 Type II (Security, Availability, and Confidentiality)
- PCI Level 1 (Payment Card Industry Data Security)
- FISMA Moderate (Federal Information Security Management Act, Moderate baseline)
Our AWS Services
- DynamoDB: NoSQL database with AES-256 encryption at rest
- Lambda: Serverless compute for secure request processing
- API Gateway: Managed API service with built-in security features
- Secrets Manager: Secure storage for API keys and credentials
- CloudWatch: Security monitoring and logging
Infrastructure as Code
Our infrastructure is managed via Terraform, ensuring consistency, reproducibility, and security best practices across all deployments.
Payment Processing (PCI-DSS)
PCI-DSS (the Payment Card Industry Data Security Standard) is the security standard that companies must adhere to when storing, processing, or transmitting cardholder data. We use PCI-DSS certified payment providers to process our subscriptions, so cardholder data is handled by them rather than by us.
RevenueCat (PCI-DSS Certified)
Manages our subscription billing and entitlements. RevenueCat is PCI-DSS certified and handles all payment data securely.
Stripe (PCI Level 1)
Processes credit card payments for Premium subscriptions. Stripe is a PCI Level 1 Service Provider, the highest level of certification.
Important: Your payment details are sent from your browser directly to Stripe's systems and never touch OneBudget servers, which means we cannot read, log, or store them. Our payment forms are built around this design so that card data never passes through us.
Bank Connections (Plaid Integration)
OneBudget NEVER sees or stores your bank login credentials.
In order to provide bank connectivity, we partner with Plaid, a financial data aggregation specialist. During this process, OneBudget does not view or store your bank credentials. Instead, we rely upon Plaid and their industry-leading security precautions to ensure your information is safe.
OAuth Authentication
Most financial institutions enable connections through a method called OAuth. OAuth allows OneBudget to access your account and transaction data without you ever giving your online banking credentials to an intermediary. Instead, you authenticate directly with your financial institution, which then grants permission (in the form of a digital token) for Plaid to receive the account and transaction information OneBudget needs.
Read-Only Access
OneBudget has read-only access to your transaction data. We can never move money or make changes to your accounts. We can only view transaction history and account balances.
Encrypted Tokens
Plaid issues secure access tokens that are encrypted and stored securely. These tokens can be revoked at any time by disconnecting your bank account in OneBudget settings.
Encryption
All data sent between your device and OneBudget is encrypted in transit using TLS, the same protocol that protects online banking sessions.
Data in Transit (TLS 1.3)
- OneBudget forces your browser to use an encrypted connection
- We won't let your computer talk to our servers unless the connection is secure
- All HTTPS connections use TLS 1.3, the current version of the TLS protocol
- No unencrypted data transmission
Data at Rest (AES-256)
- All data stored in DynamoDB is encrypted using AES-256 encryption
- This is the same encryption standard used by banks and government agencies
- Encryption keys are managed securely by AWS Key Management Service (KMS)
Third-Party Services
We work with trusted third-party services to provide OneBudget. Each service has its own security certifications and practices:
Plaid (Bank Connectivity)
SOC 2 Type II certified. Trusted by thousands of financial apps. Handles bank connections securely, using OAuth wherever the institution supports it so that your credentials go directly to your bank.
AWS (Infrastructure)
ISO 27001, SOC 2, PCI Level 1 certified. Industry-leading cloud security and compliance.
Anthropic Claude (AI Categorization)
Receives only merchant names and amounts (no account numbers or PII). Does not use your data for training.
Twilio (SMS Verification)
SOC 2 Type II certified. Delivers the one-time codes we send by SMS for authentication; the connection between our systems and Twilio is encrypted. Receives only phone numbers.
RevenueCat (Subscription Management)
PCI-DSS certified. Manages subscription billing securely with Stripe as the payment processor.
Cloudflare (DDoS Protection & CDN)
Provides security against DDoS attacks and serves as our web application firewall. Does not access financial data.
Social Engineering Protection
This massive technical security infrastructure is useless if someone tricks you into handing them your username and password.
1. We Will Never Ask for Your Password
No OneBudget team member will ever initiate communication with you and ask for your username or password. If someone asks you for either of those, it's not us. Only provide your username and password when logging into OneBudget directly.
2. Always Verify the Domain
OneBudget will always use https://app.onebudget.ai or https://www.onebudget.ai as the domain name. Check the full address in your browser's address bar before logging in, and before following any link from a bookmark or email: the host name must be exactly one of those two. A page whose address merely contains "onebudget" somewhere else, such as a subdomain of another site, is not ours.
3. Be Wary of Phishing
Phishing attacks use fake emails or websites that look like OneBudget to steal your credentials. Always verify the sender email address and URL before entering your login information.
Vulnerability Reporting
We take security vulnerabilities seriously and encourage responsible disclosure. If you discover a security vulnerability in OneBudget, please report it to us immediately.
Report security issues to: security@onebudget.ai
Please include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Your contact information
We take all security reports seriously and will respond promptly to investigate and address confirmed vulnerabilities.
Additional Security Resources
For more information about how we protect your data, please see:
- Privacy Policy - How we collect, use, and protect your information
- GLBA Notice - Financial privacy practices under federal law
- Terms of Service - Legal terms and conditions
Contact Us
If you have questions about security or need to report a concern, please contact us:
AB Foundry LLC (d/b/a OneBudget)
1021 E Lincolnway Suite 9643
Cheyenne, WY 82001
Security: security@onebudget.ai
Support: support@onebudget.ai
© 2026 AB Foundry LLC (d/b/a OneBudget). All rights reserved.