Our approach
Kountr is a small team that handles meaningful financial data. We design with the assumption that bad days happen — networks misbehave, credentials leak, vendors get breached — and we build so that no single failure exposes your books.
Data in transit & at rest
- TLS 1.2+ for all traffic to and from the Service. HSTS preloaded. Older TLS versions and weak ciphers disabled.
- AES-256 encryption at rest for application databases, object storage, and backups.
- Per-tenant scoping at the application and database layer. Workspace IDs are present on every read.
- Hardware-backed key management via AWS KMS (Canada Central region). Keys are rotated and access-logged.
Authentication & access
- Passwords are hashed with argon2id.
- MFA available for all users and required for any Kountr staff with production access.
- Single sign-on (SAML/OIDC) available on Business and Firm plans.
- Role-based access controls: Owner, Admin, Accountant, Member, Viewer.
- Production access by staff is least-privilege, time-boxed, audit-logged, and reviewed quarterly.
Bank connections (Plaid)
- Bank credentials are submitted by you directly to Plaid. Kountr never receives, stores, or has access to your online-banking username or password.
- Plaid access tokens are stored encrypted with envelope encryption and used only by the sync worker.
- You can revoke any connection from Settings → Connections or from my.plaid.com.
- Read more in the Privacy Policy §4.
AI pipeline
AI features (categorization, OCR, the in-app assistant) are routed through a thin server-side proxy. The proxy enforces:
- No-training contractual terms with every model provider we use.
- Zero or short retention with the provider (typically ≤ 30 days for abuse monitoring), encrypted at rest.
- Redaction of credentials, full card numbers, and government IDs before any external call.
- Tenant isolation in the prompt — one request, one workspace — so we can never accidentally mix data across customers.
- Audit logging of every external AI call (timestamp, model, byte counts, redaction events). Logs age out within 30 days.
Read the full AI Disclosure.
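As an added illustration (not Kountr's code; the proxy implementation is not published), the sketch below shows the shape of three of the controls listed above: refusing a prompt that mixes workspaces, redacting credentials, full card numbers and government IDs before the outbound call, and emitting an audit record with timestamp, model, byte counts and redaction events. The regex patterns, the Luhn filter, the `send` stand-in and the record layout are all assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed patterns for the classes the page lists (credentials, full card numbers,
# government IDs); the rules are assumptions, not Kountr's published ones.
CRED_RE = re.compile(r"(?i)\b(password|passwd|api[_-]?key|token)\s*[:=]\s*\S+")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")     # 13-19 digits, optional separators
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")  # Canadian SIN shape

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps ordinary long numbers (invoice ids) from being redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact(text: str) -> tuple:
    """Return (redacted text, redaction events) so the proxy can log what it removed."""
    events = []

    def numeric_sub(label):
        def sub(m):
            if not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)  # fails Luhn: not a card/SIN, leave it alone
            events.append(label)
            return f"[{label} REDACTED]"
        return sub

    def cred_sub(m):
        events.append("credential")
        return f"{m.group(1)}=[REDACTED]"  # keep the key name, drop the secret

    text = CRED_RE.sub(cred_sub, text)
    text = CARD_RE.sub(numeric_sub("card"), text)
    text = SIN_RE.sub(numeric_sub("government-id"), text)
    return text, events

def proxy_request(workspace_id: str, records: list, model: str, send) -> dict:
    """One request, one workspace: refuse a prompt that mixes tenants, redact it,
    forward via `send` (stand-in for the provider client) and return the audit record."""
    if any(r["workspace_id"] != workspace_id for r in records):
        raise ValueError("cross-workspace data in prompt; refusing to send")
    prompt, events = redact("\n".join(r["text"] for r in records))
    reply = send({"model": model, "input": prompt})
    return {"ts": datetime.now(timezone.utc).isoformat(), "workspace_id": workspace_id,
            "model": model, "bytes_out": len(prompt.encode()),
            "bytes_in": len(json.dumps(reply).encode()), "redaction_events": events}
```

The Luhn filter is there because a blanket "any 13 to 19 digits" rule would also strip invoice and reference numbers that a bookkeeping assistant legitimately needs.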
Application security
- SDLC with mandatory code review, signed commits, and dependency scanning on every PR.
- Static analysis and secret scanning in CI; runtime dependency vulnerability monitoring.
- CSP, frame-ancestors, SameSite cookies, CSRF tokens, and rate limiting on all auth-sensitive endpoints.
- Backups every 24 hours; point-in-time recovery for 7 days; full disaster-recovery test annually.
Infrastructure
- Hosted on AWS Canada (Central). Production access is restricted to a small on-call rotation.
- Network segmented across public, application, and data subnets; data subnets have no public ingress.
- Per-environment IAM, no shared accounts, no long-lived static keys for humans.
Monitoring & incident response
- 24/7 alerting on anomalous auth, sync failure spikes, and elevated error rates.
- Documented incident response runbook with severity levels and on-call rotation.
- We aim to notify affected customers within 72 hours of confirming a personal-data breach, and earlier where required by law (e.g. where PIPEDA's "real risk of significant harm" threshold is met).
Reviews
- Regular internal security review of the web app and API; we engage external testing as the company grows. We are not currently certified to a formal framework (SOC 2, ISO 27001) — we will say so clearly here if and when that changes.
- Privacy posture maintained under PIPEDA, Quebec Law 25, GDPR/UK GDPR (where applicable), and CCPA/CPRA.
Responsible disclosure
If you believe you’ve found a vulnerability, please email info@kountrfi.ca. Please give us reasonable time to fix the issue before public disclosure; we won’t take legal action against good-faith security research conducted under this policy. PGP key available on request.
Questions? info@kountrfi.ca
Kountr · Canada
