Security
Effective Date: February 12, 2026
Last Updated: February 12, 2026
Architecture
papertail runs on Google Cloud Platform:
- Cloud Run — stateless backend API (Python/FastAPI), scales to zero
- Firestore — database, encrypted at rest with Google-managed keys
- Firebase Anonymous Auth — device authentication, no passwords or personal accounts
- Firebase Cloud Messaging (FCM) — push notification delivery
- Plaid API — bank data access (read-only)
- Firebase Hosting — static website
There are no self-managed servers. All infrastructure is managed by Google Cloud.
Authentication
- The mobile app authenticates with Firebase Anonymous Auth — each device gets a random UID with no email, password, or personal account
- Every API request includes a Firebase ID token verified server-side on each call
- The Plaid webhook endpoint validates request signatures using HMAC-SHA256
- No session tokens are persisted — authentication is stateless
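The webhook signature check described above, as an added example in the backend's language (Python) that is not papertail's own code. It shows the two properties that matter for an HMAC-SHA256 webhook check: the tag is computed over the raw request bytes exactly as received, and the comparison is constant-time. The header name, the shared secret and the sample event are constructed for this example and are not taken from the page or from Plaid's documentation.

```python
import hashlib
import hmac
import json

# Constructed secret for the example only. A real deployment reads the
# shared secret from the service's environment or a secret manager.
WEBHOOK_SECRET = b"example-shared-secret-do-not-use"

# Assumed header name for this example; not something the page specifies.
SIGNATURE_HEADER = "x-webhook-signature"


def sign_body(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Return the hex HMAC-SHA256 tag over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Verify a webhook's HMAC-SHA256 tag.

    The tag is recomputed over the raw bytes (never over a re-serialised JSON
    object, since whitespace or key order changes would break it) and compared
    with hmac.compare_digest so a mismatch takes the same time regardless of
    where the first differing byte is.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SIGNATURE_HEADER)
    if not presented:
        return False
    expected = sign_body(body, secret)
    return hmac.compare_digest(expected, presented)


def handle_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Reject unauthenticated requests before parsing the body at all."""
    if not verify_webhook(headers, body, secret):
        return {"accepted": False, "reason": "bad signature"}
    event = json.loads(body)
    return {"accepted": True, "webhook_type": event.get("webhook_type")}


if __name__ == "__main__":
    # Constructed sample event; field values are illustrative only.
    sample = b'{"webhook_type": "TRANSACTIONS", "webhook_code": "SYNC_UPDATES_AVAILABLE"}'
    good = {"X-Webhook-Signature": sign_body(sample)}
    print(handle_webhook(good, sample))          # accepted
    print(handle_webhook({}, sample))            # rejected: no tag
    print(handle_webhook(good, sample + b"\n"))  # rejected: body altered
```

Parsing only after the tag verifies keeps JSON decoding errors and any parser bugs off the unauthenticated path, and reading the body as bytes (rather than letting the framework decode it first) is what keeps the recomputed tag identical to the sender's.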
Encryption
- In transit: All communication uses TLS 1.2+ (Plaid API, FCM, Firestore, Cloud Run)
- At rest: Firestore data is encrypted with AES-256 using Google-managed encryption keys
- Plaid access tokens are stored in Firestore, encrypted at rest
- Bank credentials are never handled by papertail — Plaid manages all bank authentication
Access Control
- Cloud Run services require authenticated requests (Firebase ID tokens)
- Firestore security rules restrict access to account-scoped data
- One subscription covers one bank connection and up to two devices (partner sharing via 6-character code)
- Notification recipients can only view budget data for their linked account
Data Minimization
- Only transaction date, merchant name, amount, and category are stored
- No account numbers, routing numbers, Social Security numbers, or bank login credentials are accessed
- Bank balance is fetched in real-time from Plaid and not persisted separately
- Plaid’s incremental sync cursor means only new or modified transactions are retrieved each cycle
- Push notifications contain budget summaries only, not raw transaction data
Vulnerability Management
Dependency Scanning
- GitHub Dependabot monitors Python (requirements.txt) and Dart (pubspec.yaml) dependencies for known vulnerabilities
- Alerts are reviewed and patched according to severity
Patching
| Severity | Response | Remediation |
|---|---|---|
| Critical (CVSS 9.0+) | 24 hours | 7 days |
| High (CVSS 7.0-8.9) | 48 hours | 14 days |
| Medium (CVSS 4.0-6.9) | 1 week | 30 days |
| Low (CVSS 0.1-3.9) | 2 weeks | 90 days |
Code Review
- All changes go through pull request review before merging to main
- GitHub Actions runs automated tests on every pull request (backend + Flutter)
Incident Response
In the event of a suspected compromise:
- Revoke affected Plaid access tokens via Plaid Dashboard
- Rotate Cloud Run environment secrets
- Review Cloud Run and Firestore audit logs
- Notify affected users via push notification and email
Data Retention and Deletion
See our Privacy Policy for full details on what data is collected, how long it is retained, and how to delete it.
Third-Party Services
| Service | Purpose | Security |
|---|---|---|
| Plaid | Bank data access | SOC 2 Type II, encrypts all data in transit and at rest |
| Google Cloud / Firebase | Hosting, database, auth, notifications | SOC 2, ISO 27001, encrypts all data at rest |
| Apple App Store | iOS app distribution and subscriptions | App Review, sandboxed execution |
| Google Play Store | Android app distribution and subscriptions | Play Protect, app signing |
papertail does not use any analytics SDKs, advertising networks, or third-party tracking.
Contact
For security concerns, email support@papertail.app.