Security
Security Philosophy
BananaBird is designed around the idea that personal financial data should be treated carefully, deliberately, and with restraint.
Security is not handled as a single feature. It is considered throughout the application, including authentication, authorization, data access, logging, and how financial information is entered and managed.
Account Protection
- Strong password requirements
- Email verification
- Optional Google sign-in
- Multi-factor authentication
- MFA recovery codes
- Recent password confirmation for sensitive actions
- Session regeneration after login
- Rate limiting across application endpoints
Data Protection
BananaBird does not connect to banks, brokerages, credit cards, or other financial institutions. This is intentional. There are no third-party financial data integrations.
All financial information is entered by you - manually or imported from files you provide. This limits the amount of external access involved and keeps you in control of what the application can see.
Application-level authorization checks are used to help ensure users can only access their own data.
Logging & Auditing
Security-related events are logged and audited so important account activity can be reviewed when needed.
This includes events such as authentication activity, MFA-related activity, account protection events, and other security-sensitive actions within the application.
Infrastructure Practices
BananaBird is deployed with a focus on protecting both the application and the infrastructure it runs on. Current practices include:
- Hosted on Amazon Web Services (AWS)
- Full disk encryption for production storage
- Encrypted HTTPS connections for all web traffic
- Firewalls configured to expose only required public services
- Administrative access restricted to authorized IP addresses
- Regular backups stored on encrypted storage
Privacy by Design
- No bank integrations
- No advertising
- No sale of financial data
- No financial profiling
- No third-party financial aggregation
Your Role in Security
Security works best when both the application and the user take reasonable precautions.
- Use a unique password
- Enable multi-factor authentication
- Keep recovery codes somewhere safe
- Review temporary users regularly
- Log out of shared or public devices
- Keep your browser and devices updated
Responsible Disclosure
If you believe you have discovered a security issue, please report it privately through the Support page.
Though we do not run a Bug Bounty program at this time, responsible reports are appreciated and will be reviewed seriously.
Continuous Improvement
Security is reviewed as BananaBird evolves. New features are evaluated for security impact, and additional protections may be added over time where they make sense for the application and its users.