NovaPride Security

Last Updated: November 14, 2025

Your financial data is sensitive, and we take security seriously. This page explains exactly how NovaPride protects your information, what access we have (and don't have), and what measures are in place to keep your data safe.


🔒 Core Security Principles

1. Read-Only Access (We Cannot Move Your Money)

NovaPride never has access to:

  • Your bank login credentials (username/password)
  • The ability to initiate transfers or payments
  • The ability to move money out of your accounts
  • Your banking security questions or PIN numbers

What we CAN access (read-only):

  • Account balances
  • Transaction history
  • Account holder name
  • Institution name and account type

Why this matters: Even if NovaPride were compromised, an attacker could not use our system to transfer or steal your money. We physically cannot do it—the access permissions do not exist.


🏦 How Plaid Works (Our Security Infrastructure)

NovaPride uses Plaid Inc. to connect to your financial institutions. Plaid is the industry-standard infrastructure used by:

  • Venmo (60M+ users)
  • Robinhood (30M+ users)
  • Cash App (50M+ users)
  • Acorns, Betterment, Chime, Coinbase, Credit Karma, Dave, Digit, SoFi, Stash, and 8,000+ other apps

How the Connection Works

  1. You enter your bank credentials → Goes directly to Plaid's secure servers (encrypted)
  2. Plaid authenticates with your bank → Uses your credentials once to establish a secure connection
  3. Plaid generates a secure token → This token is what NovaPride uses to request data
  4. Your credentials are never stored by Plaid or NovaPride → They're used once, then discarded

What NovaPride receives: A secure API token that only allows us to request read-only financial data.

What NovaPride never receives: Your bank username, password, security questions, or any credentials.

Plaid Security Standards

  • SOC 2 Type II certified (audited annually for security controls)
  • ISO 27001 certified (international standard for information security)
  • PCI DSS compliant (payment card industry standard)
  • AES-256 encryption (same standard used by banks and the military)
  • TLS 1.2+ for data in transit (industry-standard encryption)

Learn more: Plaid Security Overview


🔐 Data Encryption

Data in Transit (Moving Between Systems)

  • TLS 1.3 encryption for all connections between your browser and NovaPride servers
  • Certificate pinning to prevent man-in-the-middle attacks
  • HTTPS enforced for all pages (no unencrypted HTTP allowed)

Data at Rest (Stored in Our Database)

  • AES-256 encryption for all stored financial data
  • Encrypted database backups (also AES-256)
  • Separate encryption keys for different data types (key rotation enabled)
  • Field-level encryption for sensitive personal information (chosen names, pronouns)
  • Hosted by Supabase (SOC 2 Type II certified, runs on AWS infrastructure)

What This Means for You

Even if someone gained physical access to the database servers, your financial data would be unreadable without the encryption keys (which are stored separately and access-controlled).


🛡️ Infrastructure Security

Hosting & Network

  • Vercel Edge Network (enterprise-grade hosting with DDoS protection)
  • Supabase (database with automatic backups, point-in-time recovery)
  • Multi-region backups (your data is replicated across geographic regions)
  • Automated security patching (infrastructure updates applied within 48 hours of critical patches)

Access Controls

  • Multi-factor authentication (MFA) required for all team members
  • Role-based access control (RBAC): team members only see data necessary for their role
  • Audit logging for all access to production systems
  • Principle of least privilege (no one has more access than needed)

Monitoring & Incident Response

  • 24/7 automated threat detection (Sentry error tracking, Vercel security monitoring)
  • Real-time alerts for unusual activity (failed login attempts, API anomalies)
  • Incident response plan (documented procedures for security events)
  • 90-day security review cadence (vulnerability scanning, dependency updates)

🧑‍💻 Application Security

Authentication

  • Supabase Auth (industry-standard authentication provider)
  • Bcrypt password hashing (with salt, computationally expensive to crack)
  • Session tokens expire after 7 days (automatic re-authentication required)
  • Password reset via email (time-limited, single-use tokens)

Data Validation

  • Server-side validation for all inputs (cannot be bypassed by client manipulation)
  • SQL injection prevention (parameterized queries, ORM protection)
  • Cross-site scripting (XSS) protection (input sanitization, Content Security Policy headers)
  • Cross-site request forgery (CSRF) protection (token validation)

Privacy Controls

  • Mask sensitive merchants (hide transaction details for sensitive categories)
  • Rename merchants (change how transactions appear in your view only)
  • Export your data (download all your data in JSON/CSV format anytime)
  • Delete your account (permanent deletion within 30 days, backups purged within 90 days)

🔍 Third-Party Audits & Compliance

Current Status (Beta)

NovaPride is currently in private beta. We are actively working toward:

  • SOC 2 Type I certification (target: Q2 2026)
  • GLBA compliance (Gramm-Leach-Bliley Act for financial services)
  • CCPA compliance (California Consumer Privacy Act)
  • Annual penetration testing (external security firm, starting Q2 2026)

Transparency Commitment

We will publish security audit results and compliance certifications publicly once completed. If you have specific security questions or need documentation for your risk assessment, email: [email protected]


🚨 What to Do If You're Concerned

Disconnect Anytime

You can disconnect your bank accounts instantly:

  1. Go to Settings → Connected Accounts
  2. Click Disconnect next to any account
  3. This revokes NovaPride's access token immediately (Plaid stops syncing data)

What happens after disconnecting:

  • We stop receiving new transactions immediately
  • Historical data remains visible in your dashboard (unless you delete your account)
  • You can reconnect the same account later if desired

Delete Your Account

You can permanently delete your account and all associated data:

  1. Go to Settings → Account
  2. Click Delete Account
  3. Confirm deletion

What happens after deletion:

  • Your account is immediately deactivated (you cannot log in)
  • All data is marked for deletion and removed from production systems within 30 days
  • Encrypted backups are purged within 90 days
  • We retain minimal logs for legal/fraud prevention (no financial data, no PII)

Report a Security Issue

If you discover a security vulnerability, please report it responsibly:

Email: [email protected]
Subject: Security Vulnerability Report

We will respond within 48 hours and keep you updated as we investigate and remediate the issue.


❓ Frequently Asked Questions

Can NovaPride employees see my bank login credentials?

No. Your credentials go directly to Plaid's servers (never to NovaPride), and Plaid uses them once to establish a connection, then discards them. NovaPride only receives a secure API token.

Can NovaPride move money out of my accounts?

No. We have read-only access. We cannot initiate transfers, payments, or any transactions. This is enforced by Plaid's API permissions.

What if NovaPride gets hacked?

We have multiple layers of defense (encryption, access controls, monitoring), but in a worst-case scenario:

  • Your bank credentials are not stored, so they cannot be stolen from us
  • Your financial data is encrypted, so it would be unreadable without the keys
  • We cannot move money, so your funds are safe
  • We would notify you immediately and provide guidance

What if Plaid gets hacked?

Plaid has extensive security measures (SOC 2, ISO 27001, PCI DSS) and is trusted by 8,000+ apps. If Plaid were compromised:

  • Your credentials are not stored by Plaid (used once, then discarded)
  • Read-only access means funds cannot be stolen
  • You can revoke access by changing your bank password (this invalidates all tokens)

How do I know NovaPride is legitimate and not a phishing scam?

Verify these indicators:

  • Official domain: novapride.financial (with HTTPS lock icon)
  • Email address: @novapride.financial (not Gmail, Yahoo, etc.)
  • Plaid connection: When linking accounts, you'll see Plaid's branding and "Powered by Plaid"
  • No requests for credentials outside Plaid: We will NEVER ask for your bank username/password via email, text, or phone

Red flags (not legitimate NovaPride):

  • Email from @gmail.com, @outlook.com, or other free providers
  • Requests to send credentials via email or text
  • Links to domains other than novapride.financial
  • Requests for your full SSN, credit card numbers, or bank PIN

What happens to my data if NovaPride shuts down?

We will provide 90 days' notice before shutting down the service. During this time:

  • You can export all your data (transactions, goals, insights)
  • We will guide you to alternative services
  • After shutdown, all data will be permanently deleted within 30 days

Does NovaPride sell my data to advertisers?

No. We do not sell, rent, or share your personal or financial data with advertisers, data brokers, or third parties for marketing purposes. See our Privacy Policy for details.

Is my data shared with the LGBTQ+ community features (NovaConnect)?

Only what you choose to share. Financial data (balances, transactions, account names) is never shared with the community unless you explicitly post it. Your chosen name and pronouns are visible in NovaConnect if you participate, but you control what you post.

What if I lose my phone or laptop?

Your data is protected by your account password. If you lose a device:

  1. Change your NovaPride password immediately (from another device)
  2. This will invalidate all existing sessions (the lost device cannot access your account)
  3. Optional: Disconnect bank accounts temporarily for peace of mind

We recommend enabling password manager autofill (1Password, Bitwarden, etc.) to use a strong, unique password for NovaPride.


📬 Contact Security Team

For security questions, concerns, or to report a vulnerability:

Email: [email protected]
Response time: Within 48 hours
PGP key: Available upon request (for sensitive disclosures)

For general privacy questions, see our Privacy Policy or email [email protected].


📋 Security Changelog

We publish updates to this page when security practices change:

  • November 14, 2025 – Initial security documentation published
  • September 15, 2025 – Beta launch with Plaid integration, AES-256 encryption, TLS 1.3

Bottom line: Your security is not an add-on—it is core to everything we build. We are transparent about what we protect, how we protect it, and what we are working toward. If you have concerns, we want to hear them.