Your money is yours. We just read the receipts.
Shelter cannot move your money. It cannot store your bank password. It cannot sell your data. Here are the receipts.
Last updated 2026-05-25
No transfers. No password. No card.
These are absences, not promises. There is no endpoint in the codebase that can move your money, store a bank password, or process a card.
How we connect
01Plaid read-only access token
Shelter opens a Plaid Link flow. Plaid handles the bank login. Plaid returns a read-only access token. Shelter never sees your bank password.
FILE / convex/plaid.ts
How we store the token
02AES-256-GCM, random IV, auth tag
Before the Plaid access token is written to the database, it is encrypted with AES-256-GCM. A fresh random IV is generated per token and the auth tag is stored alongside the ciphertext.
FILE / convex/utils/encryption.ts
How you sign in
03Clerk-issued JWT
Authentication is handled by Clerk. Shelter validates a Clerk-issued JWT on every request. Your password is held by Clerk; Shelter never stores it.
FILE / convex/auth.config.ts
How payment works
04Stripe-hosted checkout
Card details are entered into Stripe, not Shelter. Shelter only stores a Stripe customer id and subscription status. Your card number never reaches our servers.
FILE / convex/subscriptionService.ts
How we serve the page
05TLS plus a real header set
shelter.money is served over TLS, terminated by Railway. The web app sets the following response headers on every route:
Content-Security-Policy is currently shipped in Report-Only mode while we tune third-party allowlists. It does not yet block; it reports.
FILE / web/next.config.js
How bank linking actually works
For Plaid's own security practices, read Plaid's trust and safety resources.
Isolation
Your data lives behind your user id.
Every Shelter user's accounts, transactions, and forecasts are scoped by user id at the database layer. No table query returns another user's data. There is no shared pool, no aggregate sold to a partner, no analytics warehouse with your transactions.
Business model
Subscriptions only. That is the whole list.
Shelter is funded by subscriptions. There is no ad code in the app, no affiliate links to financial products, and no analytics partner that sees your transactions. The only way Shelter makes money is if you pay for it.
Things Shelter has not done yet.
Trust is asymmetric. The rest of this page lists what we have done. This panel lists what we haven't. If a security review needs more than what's on this list, we're probably not the right vendor yet.
Every claim on this page is backed by code that ships in the product today. So is every line above.
Vulnerability disclosure
Found something? Tell us.
Email [email protected] with a clear description and reproduction steps. We'll acknowledge on a best-effort basis within 5 business days. We don't run a formal bug bounty today, but we read every report.
Out of scope
- Denial-of-service testing against shelter.money or the Convex backend.
- Social engineering of Shelter staff, Plaid, Clerk, or Stripe.
- Automated scanner output without a reproducible exploit.
- Issues in third-party vendors (report those to the vendor directly).
FILE / .well-known/security.txt
Security FAQ
Questions? Send them.
We read every email. If a security claim on this page doesn't match what you see in the product, tell us.