Security

Your HSA expense data is sensitive. Here's how we protect it.

Encryption

AES-256 encryption at rest

All receipt images are stored with AES-256 server-side encryption. Your database is hosted on encrypted storage volumes.

HTTPS / TLS 1.2+ in transit

All data between your device and our servers is encrypted via TLS 1.2+. We enforce HTTPS on every connection with no HTTP fallback.

Backups

Daily backups

Your database is backed up daily with 30-day retention. Receipt images are stored with high durability.

Application Security

Passwords hashed with bcrypt

Receipt access via time-limited pre-signed URLs (15-minute expiry)

Stripe webhook signature verification

File upload validation (type and size restrictions)

Full Data Export

Your data is always yours. You can export all of your expense records (CSV) and receipt images (ZIP) at any time from Settings. We believe your data should never be locked into our platform.

Your data is backed up daily and encrypted at rest (AES-256) and in transit (TLS 1.2+).

Questions?

If you have questions about our security practices, contact us at info@hsaiq.com.