Security Overview
SubAudit takes the security of your data seriously. This page explains the measures we have in place to protect your information.
1. Encryption in Transit
All communication between your browser (or mobile app) and SubAudit's servers is encrypted using TLS (Transport Layer Security), which protects data against eavesdropping and tampering while in transit. All connections are served over HTTPS.
2. Gmail Integration Security
SubAudit connects to Gmail using OAuth 2.0, the industry-standard authorisation protocol:
- We request read-only access to your Gmail messages – SubAudit cannot send, delete, or modify your emails
- You authenticate directly with Google; SubAudit never sees your Google password
- OAuth tokens are stored securely and can be revoked at any time from your Google Account permissions or from the SubAudit Account page
- No raw email content is stored. Emails are processed transiently to extract subscription metadata (service name, price, date) and then discarded. Full email bodies are never persisted in our database.
3. Bank Connectivity Security
Bank connections are provided through Salt Edge, a regulated bank connectivity provider:
- Salt Edge is authorised under applicable financial regulations to provide account information services
- The connection uses a redirect-based flow: you are redirected to Salt Edge's secure interface to authenticate directly with your bank. SubAudit never sees, handles, or stores your bank login credentials.
- The connection provides read-only access to account information and transaction history only
- SubAudit cannot initiate payments, set up or cancel direct debits, or transfer funds
- No financial credentials are stored by SubAudit – all bank authentication is handled by Salt Edge and your bank
4. Password Security
For users who register with an email and password:
- Passwords are hashed using bcrypt, a one-way adaptive hashing algorithm designed for secure password storage
- Plain-text passwords are never stored or logged
- We encourage the use of strong, unique passwords for your SubAudit account
5. Data Storage and Access Controls
- User data is stored in a secured PostgreSQL database with access restricted to authorised application processes only
- Session cookies are configured with secure attributes and appropriate expiration
- Internal access to production systems is limited and audited
6. What We Do Not Store
To minimise risk, SubAudit deliberately avoids storing sensitive data that is not needed:
- No raw email content: Full email bodies are never persisted
- No bank credentials: Your bank login details are handled entirely by Salt Edge and your bank
- No payment card numbers: SubAudit does not process or store card details
7. Responsible Disclosure
If you discover a security vulnerability in SubAudit, we encourage responsible disclosure. Please report it to:
- Email: security@subaudit.app
We ask that you:
- Provide sufficient detail for us to understand and reproduce the issue
- Allow reasonable time for us to address the vulnerability before public disclosure
- Do not access, modify, or delete other users' data during your research
We appreciate the security research community's efforts in helping keep SubAudit and its users safe.
8. Contact
For general security questions:
- Security: security@subaudit.app
- Support: support@subaudit.app
Website: https://subaudit.app