Our Commitment
At My Money Right, we understand that you are entrusting us with sensitive financial information. Security is not an afterthought — it is built into every layer of the application. This page describes the specific measures we take to protect your data.
We do not share your personal or financial data with any third parties, nor sell or disclose it to them. Your data exists solely to power your experience in the application — nothing else.
HTTPS Everywhere
All traffic is encrypted in transit using TLS 1.2+. HTTP requests are automatically redirected to HTTPS.
JWT Authentication
Session tokens are signed with HS256, expire after 7 days, and are never stored server-side in cookies.
Google OAuth 2.0
We never store your password. Authentication is delegated entirely to Google's secure identity platform.
Rate Limiting
All API endpoints are rate-limited to prevent brute-force and denial-of-service attacks.
Data Isolation
Every database query is scoped to the authenticated user's ID. Cross-user data access is architecturally impossible.
Regular Backups
Your data is backed up regularly. Backups are stored separately from the primary database.
Application Security
My Money Right is built following OWASP security guidelines. Key measures include:
- Input validation: All user inputs are validated and sanitized on the server before processing or storage.
- SQL injection prevention: We use parameterized queries via better-sqlite3 — raw string interpolation into SQL is never used.
- XSS protection: HTTP security headers (including Content-Security-Policy) are set via Helmet.js on all API responses.
- CORS: Cross-origin requests are restricted to known application origins.
- File uploads: Uploaded files are validated for type and size, stored outside the web root, and served through controlled endpoints.
Infrastructure Security
- The application runs in isolated Docker containers, reducing the attack surface between components.
- NGINX acts as a reverse proxy, handling TLS termination and request routing before traffic reaches the application.
- The database and file storage volumes are not publicly accessible — all access is brokered through the authenticated API layer.
- Server access is restricted to authorized personnel via SSH key authentication only.
Your AI Keys
If you choose to use AI-powered features, you supply your own API key (OpenAI, Google Gemini, or Anthropic). These keys are:
- Stored in the database associated with your user account.
- Used only to process your own AI requests — never shared or used for any other purpose.
- Never logged in plain text in server logs.
Vulnerability Disclosure
We take security reports seriously. If you discover a vulnerability in My Money Right, please report it responsibly:
- Email: security@mymoneyright.ai
- Please include a description of the vulnerability and steps to reproduce it.
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (typically 30 days).
We appreciate responsible disclosure and will acknowledge your report within 48 hours.
Incident Response
In the event of a confirmed security incident affecting user data:
- We will investigate and contain the incident as quickly as possible.
- Affected users will be notified via email within 72 hours of confirmation.
- We will provide a clear description of what happened, what data was affected, and what we are doing about it.
Security Updates
We regularly update our dependencies and server software to address known vulnerabilities. The application is actively maintained by Tacit Web Solutions, LLC.
Questions
For security-related inquiries, contact us at security@mymoneyright.ai.