Security
How we protect your data
lytixbase handles sensitive financial data. We take a defence-in-depth approach: multiple independent layers of protection so that no single failure exposes your information.
AES-256-GCM encryption on all financial data
Every transaction, budget entry, income stream, spending log, savings goal, tax setting, and alert threshold is encrypted at the application level before it is written to the database. This is not just infrastructure-level disk encryption: the data is ciphertext in the database itself. A database breach would yield only encrypted blobs, not your financial records.
Encryption at rest
- Every financial record is encrypted with AES-256-GCM before it reaches the database
- Transactions, budget entries, income streams, tax settings, savings goals, spending logs, and alert thresholds are all encrypted
- Authenticated encryption (AEAD) ensures data integrity alongside confidentiality
- Even with direct database access, an attacker sees only ciphertext
Data isolation
- PostgreSQL Row-Level Security (RLS) policies enforce strict per-user data boundaries
- Every query is scoped to the authenticated user at the database level, not just the application level
- Separate encryption for OAuth tokens, BYOK API keys, and MCP personal access tokens
- MCP tokens are stored as irreversible SHA-256 hashes
Transport security
- All traffic is encrypted via TLS (HTTPS only)
- HTTP Strict Transport Security (HSTS) with 2-year max-age and preload
- Content Security Policy (CSP) restricts script and resource origins
- X-Frame-Options and frame-ancestors prevent clickjacking
- Permissions-Policy disables camera, microphone, geolocation, and payment APIs
API protection
- Every API endpoint is rate-limited with database-backed counters
- Input validation via Zod schemas on all mutation routes
- JWT session tokens are signed, short-lived, and carry no sensitive data
- Admin routes require explicit role verification
- Cron endpoints are protected by bearer token authentication
Key management
- Encryption keys are stored as environment variables, never in code or database
- Key rotation is supported without downtime: once a new key is deployed, existing data is decrypted with the old key and re-encrypted on its next write
- Keys are validated on startup (must be exactly 32 bytes / 64 hex characters)
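The application-level AES-256-GCM encryption, startup key check and rotate-on-next-write behaviour described above, sketched as an added Node.js example (not lytixbase's code). The envelope layout, key ids, function names and the per-row AAD string are assumptions, not details this page states.

```javascript
// Added illustration; not lytixbase's code. Envelope layout and all names are assumptions.
const crypto = require('node:crypto');

// Startup check described on the page: exactly 32 bytes / 64 hex characters.
function parseKey(hex) {
  if (typeof hex !== 'string' || !/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('encryption key must be exactly 64 hex characters (32 bytes)');
  }
  return Buffer.from(hex, 'hex');
}

// keyring: { current: 'k2', keys: { k1: <hex>, k2: <hex> } } (hypothetical shape)
function loadKeyring({ current, keys }) {
  const parsed = new Map(Object.entries(keys).map(([id, hex]) => [id, parseKey(hex)]));
  if (!parsed.has(current)) throw new Error(`current key id "${current}" has no key`);
  return { current, keys: parsed };
}

// Envelope (assumed): keyId.iv.tag.ciphertext, with base64url fields.
// `aad` binds the ciphertext to its row, e.g. "userId:table:column" (assumed convention).
function encryptField(ring, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', ring.keys.get(ring.current), iv);
  cipher.setAAD(Buffer.from(aad, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [ring.current, ...[iv, tag, ct].map((b) => b.toString('base64url'))].join('.');
}

function decryptField(ring, envelope, aad) {
  const [keyId, iv, tag, ct] = envelope.split('.');
  const key = ring.keys.get(keyId);
  if (!key || !iv || !tag || ct === undefined) throw new Error('malformed envelope or unknown key id');
  const tagBuf = Buffer.from(tag, 'base64url');
  if (tagBuf.length !== 16) throw new Error('bad tag length'); // reject truncated tags
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64url'));
  decipher.setAAD(Buffer.from(aad, 'utf8'));
  decipher.setAuthTag(tagBuf);
  // final() throws if the ciphertext, tag, IV or AAD was altered (the AEAD integrity check)
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64url')), decipher.final()]);
  return { plaintext: pt.toString('utf8'), stale: keyId !== ring.current };
}

// Rotation on next write: read with whichever key the row names, write with the current one.
function rewriteField(ring, envelope, aad) {
  return encryptField(ring, decryptField(ring, envelope, aad).plaintext, aad);
}
```

In a scheme like this, an old key has to stay in the keyring until every row carrying its id has been rewritten, so the `stale` flag is worth counting before a key is retired.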
Infrastructure
- Hosted on Vercel (serverless, no persistent attack surface)
- Database on Neon PostgreSQL (encrypted at rest at the infrastructure level, in addition to our application-level encryption)
- No analytics, tracking scripts, or third-party cookies
- OAuth-only authentication (no passwords stored)
Transparency
lytixbase is built and maintained by one developer. No security team, no SOC 2 audit (yet). What we do have is a genuine commitment to protecting your data with the same tools and practices used by much larger companies: AES-256 encryption, RLS isolation, rate limiting, CSP headers, and key rotation.
If you discover a security vulnerability, please report it to support@lytixbase.com.au. We take every report seriously.