SecuritySecurity And Data Protection

Our Security And Data Protection

Last updated May 15, 2026

Security Summary

Ultracorp is built as a private personal finance dashboard. Plaid Link is available only after a user signs in and completes Supabase WebAuthn MFA verification with a passkey or hardware security key. Plaid access tokens, Plaid client credentials, and database credentials are handled by server-side API routes and are never exposed to client-side JavaScript.

AuthenticationSupabase Auth plus WebAuthn MFA before Plaid Link
Token handlingServer-side exchange and storage only
TransportHTTPS for production traffic
Data scopeBalances, accounts, holdings, and securities metadata

Access Controls

  • Supabase Auth gates access to the account dashboard.
  • Supabase WebAuthn MFA uses passkeys or security keys for phishing-resistant verification before Plaid Link is rendered.
  • Plaid API routes require a Supabase AAL2 session whose authentication-method reference includes mfa/webauthn.
  • Plaid Items are stored per authenticated user and are loaded only for that user.
  • Administrative access to hosting, database, and authentication systems uses MFA and should prefer passkeys or hardware security keys where supported.
  • Application and database credentials are managed through environment variables and platform access controls.
  • Public compliance pages are separated from authenticated account and Plaid data views.

Plaid Token And Credential Handling

Ultracorp does not collect financial institution usernames or passwords. Institution authentication happens inside Plaid Link. After the user consents, Ultracorp exchanges the Plaid public token on the server and stores the resulting access token in server-side managed storage. The browser receives only the account and portfolio data needed to render the dashboard.

  • Plaid client ID and secret are read only by server-side routes.
  • Plaid public tokens are exchanged server-side and are not persisted in browser storage.
  • Plaid access tokens are not returned in API responses or page markup.
  • OAuth return handling uses a dedicated redirect URL so Plaid Link can resume securely after institution login.

Production Safeguards

  • Production traffic is served over HTTPS.
  • Application responses include HSTS, content type, referrer, permissions, frame ancestor, and content security policy headers.
  • Plaid redirect handling uses the configured production domain.
  • Server-side storage is used for Plaid Items instead of filesystem-only local storage.
  • Database access should be limited to the application and authorized administrators.
  • Hosting and application logs are reviewed for authentication failures, Plaid API errors, and abnormal activity.
  • Dependencies and hosted platform services are patched on an ongoing basis.
  • Deletion requests include removal of stored Plaid tokens and cached Plaid-derived data.

Data Minimization

Ultracorp requests Plaid data only for the user-facing dashboard: account names and types, balances, investment holdings, securities metadata, and institution metadata. Ultracorp does not sell Plaid data, use it for advertising, or share it with unrelated third parties.

Security Reporting

Suspected unauthorized access, security issues, privacy issues, or data deletion requests can be reported using the contact address below. Reports are reviewed by the owner and developer of the application.

Contact

Ricky Rauch, Owner / Developer
rickyrauch@gmail.com

Your financial superpower.

Private Plaid-powered portfolio visibility.
Open app