Security Architecture
Denareon is designed to protect financial data with encryption, secure authentication, and privacy-minded operational controls.
Architecture at a glance
Layered controls for financial data, provider connections, and private documents
How Denareon handles sensitive workflows
Denareon is built around authenticated server routes, read-only financial integrations, encrypted provider credentials, and scoped storage access. The product collects the context needed to run dashboards, budgets, planning, alerts, and connected-account workflows without turning the signed-in app into a marketing-tracking surface.
We keep security communication factual: Denareon is financial software, not a bank, and this page explains the controls we operate rather than claiming third-party certifications we have not obtained.
Authenticated access
Sensitive workflows require an active Denareon session, and security-sensitive routes enforce authorization on the server.
Encrypted provider tokens
Banking and brokerage provider tokens are encrypted at rest when stored, with production configured to fail closed if encryption is unavailable.
Owner-gated documents
Private documents are served through authenticated document routes that check metadata ownership before reading storage objects.
Verified provider events
Provider webhooks use signature or secret validation and idempotency records before changing account state.
Device-level controls
Two-factor authentication, trusted devices, biometrics, and Eye Privacy help protect account access on supported platforms.
No ad surveillance in-app
Public marketing pages use cookieless analytics; the signed-in dashboard does not load ad pixels or session replay.
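The "Verified provider events" control above, sketched as an added example; this is not Denareon's code. It assumes a hex HMAC-SHA256 signature over the raw request body and a JSON event with id, account and status fields. The class, function names, secret and event shape are all hypothetical.

```python
import hashlib
import hmac
import json

# Constructed secret for illustration only; not a real provider or Denareon value.
WEBHOOK_SECRET = b"constructed-test-secret"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side (assumed scheme): hex HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookProcessor:
    """Hypothetical gate: verify, then deduplicate, then change account state."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen_event_ids = set()  # stands in for a durable idempotency table
        self.account_state = {}       # stands in for stored account records

    def handle(self, raw_body: bytes, signature_hex: str) -> str:
        # 1. Authenticate the exact bytes received, before any parsing.
        expected = sign(self._secret, raw_body)
        if not hmac.compare_digest(expected.encode(), signature_hex.encode()):
            return "rejected"
        # 2. Parse only authenticated input; require the fields used below.
        try:
            event = json.loads(raw_body)
            event_id, account, status = event["id"], event["account"], event["status"]
        except (ValueError, KeyError, TypeError):
            return "malformed"
        if not all(isinstance(v, str) for v in (event_id, account, status)):
            return "malformed"
        # 3. Idempotency: a replayed or redelivered event must not apply twice.
        if event_id in self._seen_event_ids:
            return "duplicate"
        # 4. Apply and record together (one transaction in a real datastore).
        self.account_state[account] = status
        self._seen_event_ids.add(event_id)
        return "applied"
```

The signature check runs on the raw bytes so that a body altered in transit is rejected before it reaches the JSON parser or the idempotency store.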
Operational safeguards
Security controls are layered and designed to work together: request origin checks, per-route authorization, rate limits, webhook verification, and conservative data-retention controls.
- Read-only bank and brokerage connections through provider-mediated authorization flows.
- Provider callback URLs are derived from trusted Denareon origins, not arbitrary request hosts.
- Rate limits protect AI endpoints, admin login, and other sensitive security workflows.
- Security headers include HSTS, frame protection, content-type protection, referrer policy, permissions policy, and a Content Security Policy (CSP) rollout in report-only mode.
- Security questions can be sent to [email protected]; privacy rights and data practices are documented separately.
For security questions, contact [email protected]. For data practices and privacy rights, see our Privacy Policy.