The short version. Your data is encrypted in transit and at rest. We use OTP-only auth (no passwords to leak). We don't sell or share your data. If something goes wrong, we'll tell you within 72 hours.
Authentication
We use passwordless one-time-password (OTP) authentication. Every sign-in requires a 4-digit code that we deliver to both your registered phone number and your email address. With no password there is nothing to leak, crack, or reuse from another site's breach; the short-lived code is the only secret, which is why it must never be shared.
- OTP codes expire after 5 minutes.
- A cap on failed attempts per code, plus rate limiting on code requests, blocks brute force: a 4-digit code has only 10,000 possible values, so limiting guesses is what keeps it safe within its 5-minute lifetime.
- Sessions are managed with cookies that are HttpOnly (not readable by page scripts), Secure (sent over HTTPS only), and SameSite=Lax (not attached to cross-site POST requests), signed with a server-side secret so they cannot be forged or altered.
- Sessions expire after 30 days of inactivity.
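The sign-in flow above, as an added illustration that is not spend40's own code: a 4-digit code is issued from a CSPRNG, stored only as a keyed hash, expires after 5 minutes, is single-use, and is burned after a small number of wrong guesses; the session cookie is an HMAC-signed value carrying the last-activity timestamp and the listed attributes. The failed-attempt cap of 3, the cookie layout, the use of `user_id:timestamp:signature` (which assumes user ids contain no colon), and the in-memory store are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Values stated on the page.
OTP_TTL_SECONDS = 5 * 60                  # codes expire after 5 minutes
SESSION_IDLE_SECONDS = 30 * 24 * 60 * 60  # sessions expire after 30 days of inactivity
# The page states a failed-attempt cap but not its value; 3 is an assumed figure.
MAX_FAILED_ATTEMPTS = 3


@dataclass
class PendingOtp:
    code_hash: bytes   # keyed hash of the code; the plaintext code is never stored
    issued_at: float
    failed: int = 0


class OtpService:
    """Issues and verifies short-lived, single-use 4-digit codes (in-memory store, for illustration)."""

    def __init__(self, server_secret: bytes, clock: Callable[[], float] = time.time):
        self._secret = server_secret
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, PendingOtp] = {}

    def _hash(self, user_id: str, code: str) -> bytes:
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        # CSPRNG-backed and zero-padded, so "0042" is exactly as likely as "9999".
        code = f"{secrets.randbelow(10_000):04d}"
        # Re-issuing replaces any earlier code, so only one code is live per user.
        self._pending[user_id] = PendingOtp(self._hash(user_id, code), self._clock())
        return code  # the caller delivers this to the user's phone and email

    def verify(self, user_id: str, code: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]   # expired: the user must request a fresh code
            return False
        if hmac.compare_digest(entry.code_hash, self._hash(user_id, code)):
            del self._pending[user_id]   # single use
            return True
        entry.failed += 1
        if entry.failed >= MAX_FAILED_ATTEMPTS:
            del self._pending[user_id]   # burn the code: at most 3 guesses out of 10,000
        return False


def make_session_cookie(secret: bytes, user_id: str, now: float) -> str:
    """Set-Cookie value: HMAC-signed payload plus the attributes the page lists."""
    payload = f"{user_id}:{int(now)}"  # last-activity timestamp travels inside the signed payload
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"sid={payload}:{sig}; HttpOnly; Secure; SameSite=Lax; Path=/"


def verify_session(secret: bytes, cookie_value: str, now: float) -> Optional[str]:
    """Return the user id if the signature checks and the session has not idled out."""
    parts = cookie_value.split(":")
    if len(parts) != 3:
        return None
    user_id, ts, sig = parts
    payload = f"{user_id}:{ts}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # verify the MAC before trusting any field
        return None
    if not ts.isdigit() or now - int(ts) > SESSION_IDLE_SECONDS:
        return None
    return user_id
```

To get the sliding 30-day window the server re-issues the cookie with a fresh timestamp on each authenticated request. Rate limiting of code requests per phone number and IP sits in front of `issue` and is not shown; without it an attacker could keep requesting new codes to reset the guess counter.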
Encryption
- In transit — TLS 1.3 with strong cipher suites for every request between your device and our servers.
- At rest — AES-256 encryption on all database storage and PDF storage.
- Database — Neon Tech, reachable only over private, TLS-encrypted connections.
Where your data lives
- App servers — Google Cloud Run (EU region).
- Database — Neon Tech (US East).
- Email delivery — Resend (US).
- Payments — Paystack (Nigeria/Ghana).
All data transfers between regions are encrypted with TLS and covered by standard contractual clauses with each provider.
Statement handling
- PDF files are uploaded over TLS and stored encrypted at rest.
- We extract structured transactions and discard the raw PDF after 30 days.
- You can delete any upload — and the transactions extracted from it — instantly from your dashboard.
AI processing
When you use the AI assistant or AI categorisation, we send the relevant transaction details (amount, date, recipient, category) to Anthropic's Claude API for processing. We do not send your name, email, phone, account numbers, or any other directly-identifying information. Per Anthropic's commercial terms, this data is not used to train any model.
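An added example of the data minimisation described above; this is illustrative code, not spend40's own. It projects a stored transaction row onto the four fields the page names, so identifying columns are dropped by construction rather than by a blocklist, and it additionally scrubs the account holder's own identifiers and any long digit run out of free-text values, because statement descriptions often embed phone or account numbers. The sample row, the `user_identifiers` argument and the 10-digit heuristic are assumptions for the example.

```python
import re
from typing import Any, Dict, Iterable

# The four fields the page says go to the model API. Anything not listed here
# (name, email, phone, account numbers, internal ids) is dropped by construction.
ALLOWED_FIELDS = ("amount", "date", "recipient", "category")

# Assumed heuristic, not from the page: runs of 10+ digits inside free text are
# treated as phone or account numbers and masked.
_LONG_DIGIT_RUN = re.compile(r"\d{10,}")

# Constructed sample row, shaped like a stored transaction (not real data).
SAMPLE_TRANSACTION = {
    "id": "txn_01",
    "user_id": "usr_42",
    "email": "ama@example.com",
    "phone": "0244123456",
    "account_number": "0123456789012",
    "amount": -150.00,
    "date": "2024-05-01",
    "recipient": "MOMO TRANSFER 0244123456 ACC 0123456789012 AMA",
    "category": None,
}


def build_ai_payload(transaction: Dict[str, Any],
                     user_identifiers: Iterable[str] = ()) -> Dict[str, Any]:
    """Keep only allowlisted fields, then scrub identifiers out of free-text values."""
    payload = {k: transaction[k] for k in ALLOWED_FIELDS if k in transaction}
    for key, value in payload.items():
        if not isinstance(value, str):
            continue
        # Exact matches of the account holder's known identifiers first...
        for ident in user_identifiers:
            if ident:
                value = value.replace(ident, "[redacted]")
        # ...then anything that still looks like a phone or account number.
        value = _LONG_DIGIT_RUN.sub("[redacted]", value)
        payload[key] = value
    return payload


def assert_minimised(payload: Dict[str, Any]) -> None:
    """Fail closed at the API call site if a payload carries a non-allowlisted key."""
    extra = set(payload) - set(ALLOWED_FIELDS)
    if extra:
        raise ValueError(f"refusing to send non-allowlisted fields: {sorted(extra)}")
```

`assert_minimised` is deliberately redundant with `build_ai_payload`: it guards the outbound call so that a payload assembled by some other code path cannot widen what leaves the service.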
Operational security
- Production secrets are stored in Google Secret Manager — never in source code.
- Access to production systems is restricted to a small group of engineers and always requires MFA.
- Every deploy comes from reviewed changes tracked in source control.
- Dependencies are monitored for known vulnerabilities and patched promptly.
- We log every authentication event for 12 months for forensic review.
Your responsibilities
To keep your account safe:
- Keep your phone and email secure — both are needed to receive your OTP.
- Don't share OTPs with anyone, ever.
- Sign out from shared devices.
- Email security@spend40.com immediately if you suspect unauthorised access.
Incident response
If we discover a security incident affecting your data, we will:
- Contain and remediate the issue.
- Notify you by email within 72 hours of confirmation.
- Report to the Data Protection Commission of Ghana as required by the Data Protection Act, 2012.
- Publish a public post-mortem within 30 days describing what happened, what data was affected, and what we're doing to prevent recurrence.
Responsible disclosure
Found a vulnerability? We want to hear about it. Email security@spend40.com with a clear write-up. We commit to:
- Acknowledging your report within 48 hours.
- Investigating and patching critical issues within 30 days.
- Crediting you publicly (with your permission) once a fix is in place.
Please give us reasonable time to fix issues before public disclosure, and don't access data that isn't yours.
Compliance
- Ghana Data Protection Act, 2012 (Act 843).
- Bank of Ghana digital-financial-services consumer protection guidance.
- Paystack is PCI-DSS Level 1 certified and handles all card payments; card data never touches our systems.