Security

Last updated · May 13, 2026

We treat your financial data with the same care a bank would. Here is a plain-English overview of how we protect it. Last reviewed by our team on 2026-05-13.

Encryption

  • In transit: all traffic between your browser and our servers is encrypted with TLS 1.3.
  • At rest: sensitive data in our database is encrypted with AES-256, managed by Supabase + AWS KMS.
  • Backups: daily encrypted backups with rolling retention.

Plaid integration

Pulse connects to your bank through Plaid — the same bank-connection service used by Venmo, Robinhood, and Chime. Specifically:

  • The connection is read-only. We cannot move money in or out of your account.
  • We never see your bank password. Plaid handles credentials inside its own vault.
  • You can revoke Bridge’s access at my.plaid.com at any time.

Authentication

  • Password hashing via bcrypt (managed by Supabase Auth).
  • Optional magic-link sign-in — no password to phish.
  • Two-factor authentication available for all users (free).
  • Session tokens are stored in HttpOnly cookies with the Secure and SameSite attributes set.

Infrastructure

Bridge runs on Vercel (front-end + serverless API) and Supabase (Postgres + auth + storage), both deployed on top of AWS. The underlying providers maintain SOC 2 Type II certification. Bridge itself is on a SOC 2 readiness path — we have not yet completed an independent audit, and we will not claim otherwise until we have the report in hand.

Access controls

  • Role-based access internally. Engineering staff access production only via short-lived, audit-logged sessions.
  • All admin actions are logged to an immutable audit table.
  • Principle of least privilege — quarterly access reviews.

Incident response

We follow a documented incident-response process with severity tiers and customer notification SLAs. In the event of a confirmed breach affecting your data, we will notify you within 72 hours as required by GDPR and most U.S. state laws.

Our pledge

  • We will never sell your personal information.
  • We will never share your bank data with marketers.
  • We will be honest about what we know and what we don’t.
  • We will report security issues to affected users transparently.

Report a vulnerability

If you discover a security issue, please report it to submissions@bridgecapital.io with the subject line “Security Report.” We will respond within 1 business day.

We do not currently run a paid bug-bounty program. We do acknowledge responsibly disclosed findings publicly (with the reporter’s permission), and we will not pursue legal action against good-faith researchers.