Defense in depth
Spendbox is built with security as a first-class design constraint. We use end-to-end encryption, hardened infrastructure and continuous monitoring.
We've never had a breach. We'd like to keep it that way.
Encryption
All data is encrypted in transit using TLS 1.3, with HSTS preloading and modern cipher suites only.
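As an added illustration of that transport policy (this is example code written for this page, not Spendbox's own server), the Go program below sets TLS 1.3 as the minimum version, stamps every response with a preload-eligible Strict-Transport-Security header, and then probes itself with two clients to show what the policy does: a client capped at TLS 1.2 is refused at the handshake rather than downgraded. The function names (ServerTLSConfig, WithHSTS, Probe) and the use of net/http/httptest are assumptions made for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// HSTSValue meets the preload list's requirements: max-age of at least one
// year, includeSubDomains, and the preload directive.
const HSTSValue = "max-age=31536000; includeSubDomains; preload"

// ServerTLSConfig is the server-side policy. Raising MinVersion is the whole
// "modern cipher suites only" story for 1.3: Go's TLS 1.3 stack offers only
// the AEAD suites and ignores the CipherSuites field for that version.
func ServerTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS13,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// WithHSTS stamps the header on every response; browsers then refuse plain
// HTTP to the host for max-age seconds (and permanently once preloaded).
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", HSTSValue)
		next.ServeHTTP(w, r)
	})
}

// Probe runs the policy on an in-process TLS server, connects with a client
// capped at clientMax, and reports the negotiated version and HSTS header.
// A client that cannot speak 1.3 gets a handshake error, not a downgrade.
func Probe(clientMax uint16) (version uint16, hsts string, err error) {
	srv := httptest.NewUnstartedServer(WithHSTS(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })))
	srv.TLS = ServerTLSConfig()
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client() // trusts the test server's self-signed certificate
	client.Transport.(*http.Transport).TLSClientConfig.MaxVersion = clientMax
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.TLS.Version, resp.Header.Get("Strict-Transport-Security"), nil
}

func main() {
	v, h, err := Probe(tls.VersionTLS13)
	fmt.Printf("TLS 1.3 client: version=%#x hsts=%q err=%v\n", v, h, err)
	_, _, err = Probe(tls.VersionTLS12)
	fmt.Println("TLS 1.2-only client:", err)
}
```

Two things worth checking before copying such a policy: HSTS preloading is effectively permanent once the domain is submitted to the browser preload list, so every subdomain must already serve HTTPS; and a TLS 1.3-only minimum will reject older clients outright, which is the intended effect but should be confirmed against the client population first.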
All data at rest is encrypted using AES-256 with keys managed via AWS KMS.
Email content is encrypted at the field level before being written to the database.
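The page does not say how the field-level keys are structured, so the following is an added example of the usual envelope pattern for AWS KMS-managed keys, written for this page and not Spendbox's implementation: each stored value gets its own 256-bit data key from the KMS, the value is sealed with AES-256-GCM under that data key, and only the KMS-wrapped copy of the data key is stored beside the ciphertext. The record id is bound in as GCM associated data so a ciphertext moved to another row fails to open. The in-memory fakeKMS type is an assumption standing in for the real GenerateDataKey and Decrypt API calls, and the sample email body is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// FieldCiphertext replaces the plaintext in the database column: the sealed
// value plus the per-record data key, wrapped under a key that stays in the KMS.
type FieldCiphertext struct {
	WrappedDEK []byte // nonce || AES-GCM ciphertext || tag, sealed by the KMS
	Sealed     []byte // nonce || AES-GCM ciphertext || tag, sealed by the DEK
}

// fakeKMS stands in for AWS KMS GenerateDataKey/Decrypt. Assumption: a real
// deployment calls the KMS API; here the key-encryption key is just in memory.
type fakeKMS struct{ kek []byte }

func newFakeKMS() (*fakeKMS, error) {
	kek := make([]byte, 32) // AES-256 key-encryption key
	_, err := rand.Read(kek)
	return &fakeKMS{kek: kek}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM(key, nonce, plaintext, aad), fresh nonce each call.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any modified byte or a different aad fails the GCM tag.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed value too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// GenerateDataKey mirrors the KMS call: a fresh DEK in the clear (used once,
// then dropped) and the same DEK wrapped under the KEK for storage.
func (k *fakeKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.kek, plain, nil)
	return plain, wrapped, err
}

// Decrypt mirrors KMS Decrypt: unwrap a stored DEK.
func (k *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.kek, wrapped, nil) }

// EncryptField seals one column value. recordID is bound in as associated
// data, so a ciphertext copied into another row will not open there.
func EncryptField(kms *fakeKMS, recordID string, plaintext []byte) (*FieldCiphertext, error) {
	dek, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	sealed, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &FieldCiphertext{WrappedDEK: wrapped, Sealed: sealed}, nil
}

// DecryptField unwraps the DEK through the KMS, then opens the field.
func DecryptField(kms *fakeKMS, recordID string, fc *FieldCiphertext) ([]byte, error) {
	dek, err := kms.Decrypt(fc.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, fc.Sealed, []byte(recordID))
}

func main() {
	kms, _ := newFakeKMS()
	// Constructed sample: the body of one stored email, keyed by its row id.
	fc, _ := EncryptField(kms, "email:42", []byte("Invoice #1187 attached."))
	back, err := DecryptField(kms, "email:42", fc)
	fmt.Printf("same row: %q err=%v\n", back, err)
	_, err = DecryptField(kms, "email:43", fc) // ciphertext moved to another row
	fmt.Println("other row:", err)
}
```

The design point is that the database never holds a usable key: the wrapped data key is only useful to something that can call KMS Decrypt, which is where IAM policy and KMS audit logging apply. Binding the record id as associated data is the cheap extra check that turns a silent row swap into a decryption failure.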
Infrastructure
Hosted on AWS in the us-east-1 and eu-west-1 regions. SOC 2 Type II audited.
All access to production requires hardware-key-backed MFA. No shared credentials.
Daily encrypted backups with point-in-time recovery up to 30 days.
Compliance
SOC 2 Type II audited. Latest report available under NDA — write to security@spendbox.co.
GDPR compliant. DPA available on request. Data residency for EU customers in eu-west-1.
CCPA compliant for California residents. Privacy Shield successor framework: in progress.
Reporting a vulnerability
We run a coordinated disclosure program. If you believe you've found a security issue, please email security@spendbox.co with details.
We'll respond within 24 hours and fix verified issues within 7 days for critical issues and 30 days for non-critical ones.
We pay bounties starting at $250 for verified issues, up to $10,000 for critical findings.
