Security

How we protect your data

Updated April 2026

ScionHome handles sensitive financial data. Security isn't a checkbox for us — it's a core design requirement. Here's exactly what we do to protect your information.

Financial account access

We connect to your bank via Plaid, the industry standard for secure financial data connectivity used by thousands of apps including Venmo, Robinhood, and Betterment.

  • You authenticate directly with your bank — ScionHome never sees your login credentials
  • We receive a read-only access token — we cannot move money, initiate transfers, or make any transactions
  • Access tokens are stored encrypted server-side and never exposed to your browser
  • You can revoke access to any connected account instantly, from within ScionHome or directly at my.plaid.com

Data encryption

  • In transit: All communication between your browser and our servers uses TLS 1.2 or higher. No exceptions.
  • At rest: Your data is stored in Supabase with AES-256 encryption at the database level.
  • Access tokens: Plaid access tokens are encrypted before storage and decrypted only by server-side processes — never returned to any client.

Access controls

  • Row-level security (RLS) policies in our database ensure you can only access your own household's data — even if a bug existed in our application layer, the database would reject unauthorized reads
  • Production system access is restricted to authorized personnel only, with MFA required
  • We use the principle of least privilege — no system or person has more access than they need

Infrastructure

  • Hosting: Vercel — SOC 2 Type II certified, deployed on AWS
  • Database: Supabase — SOC 2 Type II certified, Postgres on AWS
  • Financial connectivity: Plaid — SOC 2 Type II certified, PCI DSS compliant

What we don't do

  • We do not sell your data to third parties
  • We do not share financial data with insurance companies or lenders for pricing purposes without your explicit consent
  • We do not store your bank login credentials — ever
  • We do not have the ability to initiate any financial transaction without your explicit per-action approval

Reporting a vulnerability

If you discover a security vulnerability in ScionHome, please report it responsibly to security@scionhome.com. We will acknowledge receipt within 48 hours and keep you updated as we investigate and resolve the issue. We ask that you not publicly disclose the vulnerability until we've had a reasonable opportunity to address it.

We genuinely appreciate security researchers who help us keep ScionHome safe.

Breach notification

In the event of a data breach that affects your personal information, we will notify you by email within 72 hours of becoming aware of it. We will tell you what data was affected, what we're doing about it, and what you can do to protect yourself.

© 2026 ScionHome · Synthecore Ventures · Westport, CT