Security Overview
SubAudit is a bank-connected subscription intelligence platform. Security and least-privilege access are core to product design.
1. Transport Security
All traffic between clients and SubAudit is encrypted with HTTPS/TLS.
2. Bank Data Security
- Bank connections use regulated providers (for example TrueLayer) and redirect-based authentication.
- SubAudit does not receive or store your online banking credentials.
- Access is read-only and limited to account-information scopes.
- SubAudit cannot move funds or execute payments.
- By default, recurring-payment imports request only the most recent three months of transaction history, limiting the amount of bank data retrieved.
3. Token and Session Security
- OAuth/session tokens are protected at rest and in transit.
- Session controls and CSRF protections are enforced on authenticated flows.
- Rate limits are applied to sensitive endpoints.
4. Data Minimization
SubAudit stores only the data needed for recurring-payment detection, renewal/trial countdowns, and account operations.
Inbox scanning has been removed; Gmail message access is not required for subscription discovery.
5. Responsible Disclosure
Report security issues to security@subaudit.app.