
Security Architecture

Denareon is designed to protect financial data with encryption, secure authentication, and privacy-minded operational controls.

Architecture at a glance

Layered controls for financial data, provider connections, and private documents

How Denareon handles sensitive workflows

Denareon is built around authenticated server routes, read-only financial integrations, encrypted provider credentials, and scoped storage access. The product collects the context needed to run dashboards, budgets, planning, alerts, and connected-account workflows without turning the signed-in app into a marketing-tracking surface.

We keep security communication factual: Denareon is financial software, not a bank, and this page explains the controls we operate rather than claiming third-party certifications we have not obtained.

// Request boundary
{ session: 'required', origin: 'trusted' }
↓ AUTHORIZE + VERIFY ↓
// Data boundary
{ tokens: 'encrypted', documents: 'owner-gated' }
[PUBLIC CLAIMS STAY FACTUAL]

Authenticated access

Sensitive workflows require an active Denareon session, and security-sensitive routes enforce authorization on the server.

Encrypted provider tokens

Banking and brokerage provider tokens are encrypted before they are written to storage. Production is configured to fail closed: if encryption is unavailable, the write is refused rather than falling back to storing the token in plaintext.

Owner-gated documents

Private documents are served through authenticated document routes that check the document's ownership metadata before reading the underlying storage object; a request that fails the ownership check never touches storage.
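The two controls above, session required and ownership checked on the server before any storage read, fit in one route handler. The following is an added example and not Denareon's code; the in-memory `documentMetadata` map and `storage` object are constructed stand-ins for the metadata database and object store, and the request shape (`req.session`, `req.params`) is assumed.

```javascript
// Added example, not Denareon's code: an owner-gated document route.

// Constructed metadata store: document id -> owner and the object key it maps to.
const documentMetadata = new Map([
  ['doc-1', { ownerId: 'user-a', storageKey: 'private/user-a/tax-2023.pdf' }],
  ['doc-2', { ownerId: 'user-b', storageKey: 'private/user-b/statement.pdf' }],
]);

// Constructed object store that records every read, so a test can prove that
// unauthorised requests never reach it.
const storage = {
  reads: [],
  read(key) {
    this.reads.push(key);
    return `<bytes of ${key}>`;
  },
};

function serveDocument(req) {
  // 1. Authentication: no session, no route. 401 lets the client re-authenticate.
  if (!req.session || !req.session.userId) return { status: 401, body: null };

  // 2. Authorisation against metadata, before any storage access.
  const meta = documentMetadata.get(req.params.id);
  // Missing and not-owned both return 404: a 403 would confirm the document exists.
  if (!meta || meta.ownerId !== req.session.userId) return { status: 404, body: null };

  // 3. Only now read the object, by the key the metadata points at, never by a
  // key taken from the request itself.
  return { status: 200, body: storage.read(meta.storageKey) };
}
```

The ordering is the whole point: the storage client is never asked for an object until the caller's session has been matched against the owner recorded in metadata, and the object key comes from that metadata rather than from the URL.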

Verified provider events

Provider webhooks are verified against the provider's signature or shared secret, and checked against an idempotency record, before any account state changes, so forged or replayed events are not applied.

Device-level controls

Two-factor authentication, trusted devices, biometrics, and Eye Privacy help protect account access on supported platforms.

No ad surveillance in-app

Public marketing pages use cookieless analytics; the signed-in dashboard does not load ad pixels or session replay.

Operational safeguards

Security is run as a system of layered controls rather than a single gate: request origin checks, per-route authorization, rate limits, webhook verification, and conservative data-retention controls all work together.

  • Read-only bank and brokerage connections through provider-mediated authorization flows.
  • Provider callback URLs are derived from trusted Denareon origins, not arbitrary request hosts.
  • Rate limits protect AI endpoints, admin login, and other sensitive security workflows.
  • Security headers include HSTS, frame protection, content-type protection, referrer policy, permissions policy, and a Content Security Policy being rolled out in report-only mode (violations are reported but not yet blocked).
  • Security questions can be sent to [email protected]; privacy rights and data practices are documented separately.
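The origin-check and callback-URL points above are easy to get wrong by reaching for the request's `Host` header. The following added example (not Denareon's code) builds the provider callback URL purely from configured origins and checks the `Origin` header of state-changing requests against an allowlist. The environment variable names `APP_ORIGIN` and `TRUSTED_ORIGINS`, the `/api/providers/<slug>/callback` path, and the decision to treat a missing `Origin` on a mutation as untrusted are assumptions for the example.

```javascript
// Added example, not Denareon's code: callback URLs from configuration, not from Host.

// Assumed configuration: APP_ORIGIN is the canonical public origin; additional
// trusted origins (e.g. a preview environment) are comma-separated in TRUSTED_ORIGINS.
function trustedOrigins(env) {
  const list = [env.APP_ORIGIN, ...(env.TRUSTED_ORIGINS || '').split(',')]
    .map((s) => s.trim())
    .filter(Boolean);
  // Normalise through URL so "https://APP.example.com/" and "https://app.example.com" match.
  return new Set(list.map((o) => new URL(o).origin));
}

// The callback URL never sees the incoming request. A spoofed Host or
// X-Forwarded-Host therefore cannot steer the provider's redirect (and the
// authorization code it carries) to an attacker-controlled domain.
function providerCallbackUrl(env, providerSlug) {
  const base = new URL(env.APP_ORIGIN);
  if (base.protocol !== 'https:') throw new Error('APP_ORIGIN must be https');
  return new URL(`/api/providers/${encodeURIComponent(providerSlug)}/callback`, base.origin).toString();
}

// Origin check for state-changing requests. Browsers send Origin on POST/PUT/
// DELETE, so a missing or unparsable header on a mutation is treated as
// untrusted (an assumed, conservative policy; non-browser clients would use a
// separate credential path).
function isTrustedRequestOrigin(env, headers) {
  const origin = headers.origin;
  if (!origin) return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // covers the literal "null" origin and malformed values
  }
  return trustedOrigins(env).has(parsed.origin);
}
```

Note that `providerCallbackUrl` does not even take the request as a parameter; keeping it that way is the simplest guarantee that no header can influence the registered redirect.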

For security questions, contact [email protected]. For data practices and privacy rights, see our Privacy Policy.