Security Architecture

Read-only access. Encrypted data. No transaction capability.

Cashvyne is built around the principle that a treasury intelligence platform has no reason to initiate transactions. Our bank connections are read-only by design. Your cash cannot be moved through Cashvyne — period.


Security by design, not security as an afterthought

Read-Only Bank Access

All bank connections are provisioned at the reporting/inquiry permission level. Cashvyne cannot initiate payments, approve wires, access credit products, or modify account settings. This is enforced at the bank permission layer, not just software logic.

TLS 1.3 in Transit

All data moving between Cashvyne and bank APIs, ERP systems, and user browsers is carried over TLS 1.3, whose ephemeral (EC)DHE key exchange gives every session forward secrecy. TLS 1.2 and older versions are rejected at every endpoint. SFTP connections to bank file servers run over SSH rather than TLS and are authenticated with key pairs (see below).

AES-256 at Rest

All stored data — balance snapshots, transaction records, forecasting models, user data — is encrypted at rest using AES-256. Encryption keys are managed in a dedicated KMS isolated from application databases.

No Password Storage

Cashvyne uses OAuth tokens for bank connections that support it, and SSH key pairs for SFTP connections. We never store online banking usernames or passwords. Tokens are encrypted at rest and rotated per bank policy.

Customer Data Isolation

Each customer's data is logically isolated at the database level using customer-scoped keys and row-level security. No cross-customer data access is possible through any application path. Your data is never used to train models for other customers.
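As an added illustration that is not Cashvyne's own schema or code, the following shows how database-level row security of the kind described above is typically implemented in PostgreSQL: the tenant is bound to the session, every read and write is filtered by a policy, and an unscoped session sees nothing. The table, column, role and setting names, and the sample rows, are hypothetical.

```sql
-- Added example (not Cashvyne's schema): tenant isolation with PostgreSQL
-- row-level security. Names below are hypothetical; sample rows are constructed.
CREATE TABLE balance_snapshots (
    id          bigserial     PRIMARY KEY,
    customer_id uuid          NOT NULL,
    account_ref text          NOT NULL,
    balance     numeric(18,2) NOT NULL,
    captured_at timestamptz   NOT NULL DEFAULT now()
);

-- Constructed sample data for two tenants, loaded before RLS is switched on.
INSERT INTO balance_snapshots (customer_id, account_ref, balance) VALUES
    ('11111111-1111-1111-1111-111111111111', 'ops-usd',  1250000.00),
    ('11111111-1111-1111-1111-111111111111', 'ops-eur',   310000.00),
    ('22222222-2222-2222-2222-222222222222', 'main-usd',  980000.00);

-- ENABLE turns RLS on; FORCE makes the table owner subject to it as well.
-- Superusers and roles with BYPASSRLS are still exempt, so the application
-- must never connect as either.
ALTER TABLE balance_snapshots ENABLE ROW LEVEL SECURITY;
ALTER TABLE balance_snapshots FORCE ROW LEVEL SECURITY;

-- The policy compares each row with the tenant bound to the session.
-- current_setting(..., true) returns NULL when the setting was never set and
-- '' after RESET; NULLIF maps both to NULL so the predicate fails closed
-- instead of raising a uuid cast error.
CREATE POLICY tenant_isolation ON balance_snapshots
    USING      (customer_id = NULLIF(current_setting('app.customer_id', true), '')::uuid)
    WITH CHECK (customer_id = NULLIF(current_setting('app.customer_id', true), '')::uuid);

-- Least-privilege application role: no BYPASSRLS, table-level DML only.
CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON balance_snapshots TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE balance_snapshots_id_seq TO app_rw;

-- Request handling: the application binds the tenant for the session it
-- checked out of the pool, then runs ordinary queries.
SET app.customer_id = '11111111-1111-1111-1111-111111111111';
SELECT account_ref, balance FROM balance_snapshots;
-- returns only the two tenant-1 rows (ops-usd, ops-eur)

-- A write for another tenant from this session is rejected by WITH CHECK.
INSERT INTO balance_snapshots (customer_id, account_ref, balance)
VALUES ('22222222-2222-2222-2222-222222222222', 'injected', 1.00);
-- ERROR: new row violates row-level security policy for table "balance_snapshots"

-- Connection returned to the pool with the tenant cleared: nothing is visible.
RESET app.customer_id;
SELECT count(*) FROM balance_snapshots;
-- 0
```

Two caveats apply to any deployment of this pattern. The session setting must be set on every checkout and cleared on every return to the connection pool, or one tenant's binding can leak into the next request on the same connection. Row-level security also restricts only what the database returns; it does not replace per-customer encryption keys, which limit what a compromised database copy or backup exposes.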

SOC 2 Type II Controls

Cashvyne's controls are designed to the SOC 2 trust service criteria for security, availability, and confidentiality. A SOC 2 Type II audit has been initiated; an audit report has not yet been issued, so the status below is "In Progress". Detailed controls documentation is available to enterprise customers under NDA.

Technical Controls

Controls summary for IT and security reviews

Control Area                  Implementation                                                    Status
Data encryption in transit    TLS 1.3 with PFS on all HTTPS connections; SFTP over SSH          Active
Data encryption at rest       AES-256, dedicated KMS                                            Active
Bank credential management    OAuth tokens / SSH keys only; no passwords stored                 Active
Multi-factor authentication   TOTP-based MFA required for all user accounts                     Active
Customer data isolation       Database-level row security + customer-scoped keys                Active
SOC 2 Type II audit           Controls designed to SOC 2 trust service criteria; report pending In Progress
Penetration testing           Annual third-party pen test of all external endpoints             Active
SSO (Enterprise)              SAML 2.0 and OIDC; available on Enterprise plan                   Enterprise

Security documentation available upon request.

IT and information security teams can request our full security controls summary and SOC 2 readiness documentation under NDA.
