Security

Your money's data — in your seat.

Financial data is among a founder's most sensitive assets. We know this. We keep our infrastructure, processes and policies transparent.

  • End-to-end encryption

    All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Database backups are protected with separate keys.

  • Enterprise-grade infrastructure

    We run on Cloudflare (edge, DDoS protection) and Neon PostgreSQL (point-in-time recovery, daily backups). No SSH tunnels or VPNs — the database is reached only through the application layer.

  • Multi-tenant isolation

    Every organization's data is isolated by orgId. The API layer enforces it — no way to see another company's records. Role-based permissions (owner/admin/editor/viewer) give you internal isolation as well.

  • Modern identity management

    Session-based auth on better-auth. Passwords are hashed with bcrypt; session cookies ship with the __Secure- prefix and are HTTPS-only in production. Multi-org switching, invites and device sessions are all controlled.

  • KVKK & GDPR compliant

    Explicit consent, data portability, right to erasure — one click away. Turkey-oriented servers (EU region). Disclosure notice and DPA available on request.

  • AI data: no training, no tracking

    We use Claude Sonnet 4 for categorization and Q&A. Data sent through the Anthropic API is not used for model training. Logs are kept only for debugging and deleted within 30 days.

What we do not do

  • We don't sell your data to third parties
  • We don't use it in ad networks
  • We don't train AI models on your data
  • We don't store your bank login credentials — only PDF/Excel statements

Frequently asked

What happens to my data if I delete my account?

Settings → Account → Delete marks the account for deletion immediately; permanent deletion follows within 30 days. For faster deletion, email support@eventiqs.com.

Can I export my data?

Yes. CSV, Excel and JSON formats, one click — full transaction history, categories, vendors. No lock-in.

What happens in case of a security incident?

Per KVKK article 12 we notify affected users and the KVKK Authority within 72 hours. Our incident response procedure is documented and tested.

How long are backups kept?

Neon point-in-time recovery (7 days) + daily snapshots (30 days). Disaster scenario: RPO < 1 hour, RTO < 4 hours.

Found a security issue?

Let us know under our responsible disclosure policy — we reply within 48 hours.

security@eventiqs.com