Security

Your financial data is handled with appropriate seriousness.

BeanStack is built for organizations that cannot afford a data incident. Here is exactly how we protect your financial records.

At rest
AES-256 encryption on all stored data.
In transit
TLS 1.3 for all data in motion.
Tenant isolation
Hard boundaries enforced at the database layer via PostgreSQL Row-Level Security on every table. One organization cannot read another's data; the boundary is enforced not at the application layer but in the database itself.
Query scoping
Every query is scoped to organization_id at the engine level. No query reaches the database without org context resolved from a verified JWT.
Identity
Powered by Supabase Auth. JWTs are verified server-side on every request with a hard timeout to prevent authentication hangs.
MFA
TOTP-based second factor. Authentication level is enforced per-request — sensitive operations require a step-up token even within an active session.
Sessions
30-minute idle timeout with a 2-minute warning before automatic logout.
RBAC
Role-based access control with fine-grained capability permissions. Roles and permissions are loaded from the database and evaluated at both the API gateway and the capability execution layer — two independent checks on every request.
Rate limiting
Redis-backed rate limiting bucketed by organization, then user, then IP. Prevents both runaway automation and targeted abuse.
Security headers
Content Security Policy with per-request nonces. CSRF protection on all state-changing requests. no-store cache control on all authenticated routes.
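The tenant isolation and query scoping described above, as an added illustration in PostgreSQL (this is example code, not BeanStack's own schema or policies): it assumes the API layer publishes the verified JWT's claims in the request.jwt.claims setting, as PostgREST/Supabase do, and that the organization claim is named org_id (both names are assumptions).

```sql
-- Added example, not BeanStack's code. Assumes verified JWT claims are available via
-- current_setting('request.jwt.claims') and carry an "org_id" claim (assumed name).
-- Run as a non-superuser role: RLS never applies to superusers, even with FORCE.
create table invoices (
    id              bigint generated always as identity primary key,
    organization_id uuid   not null,
    amount_cents    bigint not null,
    memo            text
);

-- Resolve the caller's organization from the verified JWT.
-- Raising instead of returning NULL makes a query with no org context fail closed
-- rather than silently matching zero rows.
create or replace function current_org_id() returns uuid
language plpgsql stable as $$
declare
    claims jsonb := nullif(current_setting('request.jwt.claims', true), '')::jsonb;
    org    text  := claims ->> 'org_id';
begin
    if org is null then
        raise exception 'no organization context in JWT';
    end if;
    return org::uuid;
end $$;

alter table invoices enable row level security;
-- FORCE applies the policy to the table owner too, so a privileged app role is not exempt.
alter table invoices force row level security;

-- USING filters reads, updates and deletes; WITH CHECK rejects writes into another tenant.
create policy invoices_tenant_isolation on invoices
    for all
    using      (organization_id = current_org_id())
    with check (organization_id = current_org_id());

-- Walkthrough with constructed data in a sandbox session (session-level setting, hence false):
select set_config('request.jwt.claims', '{"org_id":"11111111-1111-1111-1111-111111111111"}', false);
insert into invoices (organization_id, amount_cents, memo)
values ('11111111-1111-1111-1111-111111111111', 12500, 'org A invoice');
-- Writing a row for a different organization fails the WITH CHECK clause:
-- insert into invoices (organization_id, amount_cents)
-- values ('22222222-2222-2222-2222-222222222222', 100);   -- ERROR: new row violates policy

select set_config('request.jwt.claims', '{"org_id":"22222222-2222-2222-2222-222222222222"}', false);
select count(*) from invoices;   -- 0: org A's row is invisible to org B

select set_config('request.jwt.claims', '', false);
select count(*) from invoices;   -- ERROR: no organization context in JWT (fails closed)
```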
Contractual guarantee

Your books are not training data.

BeanStack does not train AI models on customer financial data — ever. Your books are not used to improve BeanStack's AI for other customers. Your data is processed through AI models for your benefit only, and never retained by model providers.

AI provider
We use Anthropic Claude models via API.
API terms
Anthropic's API terms prohibit training on API-submitted data.
Contractual protections
We have contractual guarantees in place.

Every decision. Every override. Logged.

01 Every user action is recorded: what changed, what it changed from, who made the change, when, and from which IP address and session.

02 Every AI decision is logged with a confidence score, the source document it referenced, and the rule it applied — a full provenance chain.

03 Every login, permission change, and data export is a named event in the audit log. Sensitive and high-risk events are flagged separately.

If you've found a security issue, email security@beanstack.ai. We investigate and respond within 48 hours.

Questions about how we handle your data?

Reach out directly. We'll answer every question about how we handle your data and connect you with our team if needed.

AES-256 encryption  ·  TLS 1.3 in transit  ·  GDPR compliant