Security
Last updated: May 20, 2026
The short version
BeaverSave is built to handle sensitive household financial information. We take that responsibility seriously. This page describes the security measures in place today and the principles guiding the build.
Sign-in
BeaverSave uses passwordless sign-in powered by Supabase Auth. We do not store passwords. Pick one of two first-factor methods at the login screen:
- Email magic link — you receive a one-time link by email; clicking it signs you in.
- Phone OTP (SMS) — you receive a 6-digit code by text; entering it signs you in. Requires the SMS provider (Twilio) to be configured at the project level; see docs/SMS_SETUP.md.
Both methods eliminate the risk of password reuse and most credential stuffing attacks. Leaked-password protection is enabled at the Supabase Auth layer using the Have I Been Pwned database; any future password-related feature cannot use a credential that has appeared in a known breach.
Two-step verification (required)
Two-step verification is required on every BeaverSave account. After your first-factor sign-in (email magic link or phone OTP), you must verify a second factor to reach the app. Two factor types are supported:
- Authenticator app (TOTP) — 6-digit code from 1Password, Authy, Google Authenticator, iCloud Passwords, or your password manager’s built-in TOTP feature. Recommended primary factor.
- SMS code — 6-digit code texted to your phone. Supported as a factor option (and as a backup to TOTP), but weaker than TOTP because of SIM-swap attack risk. Requires the SMS provider to be configured.
On first sign-in you’ll be walked through enrollment. The middleware enforces this — every protected route checks that your session is at authenticator-assurance-level 2 (AAL2) and otherwise routes you to the enrollment or verification page.
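The route decision that a guard like the one described above has to make, written here as an added example (it is not BeaverSave's middleware). The level names follow what Supabase's getAuthenticatorAssuranceLevel() reports; the redirect paths and the decideRoute() helper are assumptions.

```javascript
// Assumed paths (not taken from the page).
const LOGIN_PATH = "/login";
const ENROLL_PATH = "/mfa/enroll";
const VERIFY_PATH = "/mfa/verify";
const PUBLIC_PATHS = new Set([LOGIN_PATH]);

// `assurance` carries the session's currentLevel (the level reached so far) and
// nextLevel (aal2 when a second factor has been enrolled and verified, else aal1).
// Returns { allow: true } or { redirect: "<path>" } for a request to `pathname`.
function decideRoute(pathname, assurance) {
  if (PUBLIC_PATHS.has(pathname)) return { allow: true };
  // No session at all (or a malformed report): back to the login screen.
  if (!assurance || !assurance.currentLevel) return { redirect: LOGIN_PATH };
  const { currentLevel, nextLevel } = assurance;
  if (currentLevel === "aal2") return { allow: true };
  // First factor is done; which second-factor page applies depends on whether
  // a second factor is already enrolled.
  const target = nextLevel === "aal2" ? VERIFY_PATH : ENROLL_PATH;
  // Only the page the user must complete is reachable at AAL1, so there is no
  // redirect loop and an enrolled user cannot park on the enrollment page
  // to avoid verifying.
  if (pathname === target) return { allow: true };
  return { redirect: target };
}
```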
Recovery posture: Supabase does not currently issue paper recovery codes. To avoid a single-factor lockout, we strongly recommend enrolling two factors on different devices (e.g. TOTP in your password manager plus SMS as a backup, or TOTP on two separate devices). If you ever lose every enrolled factor, a household member with service-role access can reset them using scripts/mfa-reset.mjs in the BeaverSave repo; email privacy@beaversave.app to start that process.
Encryption
All traffic between your browser and BeaverSave is encrypted in transit with HTTPS (TLS). HTTPS is enforced site-wide via HSTS (HTTP Strict Transport Security) with a two-year max-age, includeSubDomains, and the preload directive, so browsers will refuse plain-HTTP connections to BeaverSave domains.
Data is encrypted at rest in our Supabase Postgres database.
Browser hardening (HTTP headers)
Every response from BeaverSave includes a set of security headers that constrain what the browser will do with the page:
- X-Frame-Options: DENY — BeaverSave cannot be embedded in an iframe on another site, blocking clickjacking attacks.
- X-Content-Type-Options: nosniff — browsers must respect declared content types and cannot MIME-sniff a response into a different type.
- Referrer-Policy: strict-origin-when-cross-origin — limits how much URL information is sent to third-party sites when users click out, so in-app paths don’t leak.
- Permissions-Policy — explicitly disables browser features BeaverSave does not use (camera, microphone, geolocation, USB, MIDI, payment, sensors, etc.), reducing the surface area available to any hypothetical script.
- X-Powered-By header removed — we do not advertise the framework or version powering the site.
- Content-Security-Policy — restricts framing (frame-ancestors 'none'), form submission targets (form-action 'self'), base-tag hijacking (base-uri 'self'), and legacy plugin content (object-src 'none'), and upgrades any insecure subresource requests to HTTPS.
Household-scoped access (Row-Level Security)
Every database query is filtered by Postgres Row-Level Security policies that scope reads and writes to your own household. A user in one household cannot read, modify, or delete data belonging to a different household — the database itself enforces this, not just the application code.
Audit log
BeaverSave keeps a per-account audit log of sensitive actions: account-deletion requests, legal-acceptance recordings, push subscriptions added or removed, household invites created or revoked, settings changes, and sign-in events. Each entry is timestamped with the IP address and user-agent it came from.
You can view your own audit log at /legal (recent activity, last 20 events). If you ever see something you didn’t do, change your email account’s password right away and email privacy@beaversave.app so we can investigate.
Account deletion (your kill switch)
You can permanently delete your BeaverSave account at any time from Settings → Delete account, with a typed-phrase confirmation. Deletion cascades through your profile and the personal data tied to you, leaves the household intact for any remaining members (with your authorship cleared), and writes a final account.deletion_completed entry to the audit log before your auth identity is removed.
What we don’t store
BeaverSave does not store:
- Your bank account passwords or login credentials.
- Full payment card numbers (BeaverSave is not a payment processor).
- Government identifiers (SSN, driver’s license) unless a future feature requires it, in which case we’ll tell you first and ask for consent.
When the planned Plaid integration goes live, Plaid (not BeaverSave) handles authentication with your bank. We receive only the access tokens needed to read transaction and balance data, and those tokens are read-only.
Third parties
BeaverSave runs on a small set of trusted infrastructure providers. Each has its own published security posture.
- Supabase — database, authentication, file storage. SOC 2 Type II certified. supabase.com/security
- Vercel — application hosting and edge network. SOC 2 Type II certified. vercel.com/security
- Plaid (planned) — read-only bank data aggregation when the integration goes live. SOC 2 Type II certified. plaid.com/safety
Certifications listed are published by each vendor at the URLs above and may change; please verify on their sites.
Data location
BeaverSave’s database is hosted in the United States (Supabase us-east-1). Vercel serves the application from its global edge network with US origin.
Your responsibility
Because sign-in goes through your email, the strongest thing you can do to protect your BeaverSave account is to keep your email account secure: a strong unique password, two-factor authentication enabled, and only opening magic links you requested yourself. If anyone has access to your email, they have access to your BeaverSave account.
Reporting a security issue
If you find a security vulnerability or believe your account has been accessed without your permission, please email hello@beaversave.app with the subject line Security. We’ll acknowledge within a few days and work with you on next steps.
We won’t pursue legal action against good-faith security researchers who responsibly disclose issues to us before public disclosure.
© 2026 Vocally Yours LLC. BeaverSave is a registered Alternate Name of Vocally Yours LLC.