Trust & security

Security at Forsight

Forsight stores some of the most sensitive information a person owns: financial accounts, balances, transactions, and plans for retirement. We take that seriously. This page explains what we do to protect your data, plainly and without marketing fluff.

Section 01

How we protect your data

Encryption in transit
All traffic between your browser and Forsight uses modern TLS encryption via Let's Encrypt, trusted by every major browser and operating system.
Encryption at rest
Data stored in our database is encrypted at rest by our database provider.
Database authorization
Every database query is gated by row-level security policies that restrict access to your own data, scoped by your authenticated user ID. Even if the application code had a bug, the database would refuse to return another user's data in response to your session.
No financial credentials on our servers
When you link an account, your bank or brokerage credentials are handled by Plaid. They never touch Forsight's servers and we cannot see them.
Section 02

Account security

Two-factor authentication
Optional TOTP-based two-factor authentication. You can enable it from Settings → Security. We issue eight single-use recovery codes at enrollment, stored only as cryptographic hashes. We cannot read them back.
Sensitive-operation elevation
Changing your password or email address requires re-authentication, including a fresh second factor if 2FA is enabled. A leaked email password alone cannot be used to bypass your second factor through the password-reset flow.
Rate limiting
Authentication endpoints are rate-limited. Repeated failed sign-in attempts back off automatically.
Account deletion and data export
From Settings you can export a complete copy of your data as JSON, or permanently delete your account. Deletion revokes every Plaid connection and removes your data from our database within 30 days.
Section 03

Data privacy

We do not sell your data
Forsight does not sell or rent your personal information, and we do not share it with third parties for advertising.
Minimal personal information
We do not collect your Social Security number, your full legal name, or your bank or brokerage account numbers. We do not store credit-card numbers.
Service providers
We share data only with the vendors necessary to operate the service: our database host, application host, financial-account aggregator (Plaid), and transactional email provider. Each is bound by contract to use your data only to provide service to us.
Section 04

Account linking

Powered by Plaid
We use Plaid to connect to financial institutions. Plaid handles the credential exchange, encrypts the connection, and undergoes regular independent security audits.
Disconnect anytime
You can disconnect any linked institution at any time from the app. Disconnecting revokes Plaid's access to that institution on your behalf.
Read-only access
Forsight requests read-only access to your account data. We cannot move money, place trades, or change account settings at your institution.
Section 05

Database and infrastructure

Defense in depth
Authorization is enforced at three layers: in our application code, in middleware that runs on every request, and in the database itself via row-level security policies. A failure at one layer is caught by the next.
Service-role isolation
Administrative database operations use a separate service-role key that is only available to a small set of server-side routes. End-user requests never run with elevated privileges.
Hosted on enterprise-grade providers
Application hosting is provided by Vercel; database, authentication, and storage by Supabase. Both run in major cloud data centers with biometric access controls, 24/7 surveillance, and industry-standard physical security.
Section 06

Engineering practices

Automated security review
Changes touching authentication, multi-factor flows, account linking, the admin surface, or database migrations are reviewed by automated security tooling before deployment. High-confidence findings block the change.
Code review on sensitive changes
Non-trivial changes to security-relevant code paths are reviewed before deployment.
Iterative hardening
We treat security as ongoing work, not a one-time audit. When a review turns up a genuine issue, it gets fixed in the next release.
Section 07

Compliance

Where we are today
Forsight is not currently SOC 2 certified. SOC 2 is an auditor's attestation about internal controls, typically required by enterprise customers during vendor review. It is not required for individual end users.
Where we are headed
If we expand into business-to-business distribution (for example, partnerships with financial advisors), SOC 2 Type 2 certification will be part of that path.
Responsible disclosure

Reporting a vulnerability

If you believe you have found a security vulnerability in Forsight, please report it responsibly. We commit to acknowledging good-faith reports promptly and working with you to resolve verified issues. Please do not exploit, share, or publicly disclose a vulnerability before we have had a reasonable opportunity to address it.

Last reviewed May 2026 · updated when our practices change