Cana handles your financial data. We take that seriously. Here is exactly how we protect your money and your information.
Last updated: April 26, 2026 · questions? security@usecana.com
Every connection to Cana is encrypted using TLS 1.2 or higher — enforced at the network edge by Vercel. There is no unencrypted path to our servers. All data stored in our database is encrypted at rest using AES-256, provided by Supabase.
TLS 1.2+ on all connections — no exceptions
AES-256 encryption for all stored data
API keys stored as encrypted environment variables — never in code
Plaid access tokens stored encrypted — never exposed to the browser
Every user's data is isolated at the database level using Row Level Security (RLS) policies. This means that even if an application-layer vulnerability existed, another user still could not read your data: the database itself enforces access control, not only the application code.
Database-level Row Level Security — enforced by PostgreSQL, not just app logic
JWT session tokens expire automatically and rotate on each login
No employee can access your financial data without a logged audit trail
We do not sell your data to advertisers or third parties — ever
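What a per-user RLS policy of the kind described above looks like in PostgreSQL, written the way a Supabase project would express it. This is an added illustration, not Cana's schema or code: the `transactions` table and its columns are hypothetical, and `auth.uid()` is the helper Supabase defines to read the `sub` claim from the caller's session JWT.

```sql
-- Hypothetical table; Cana's real schema is not on the page.
create table if not exists public.transactions (
  id           bigint generated always as identity primary key,
  user_id      uuid not null references auth.users (id),
  amount_cents bigint not null,
  memo         text
);

-- Turn RLS on. FORCE applies the policies to the table owner as well,
-- so an application role that owns the table cannot sidestep them.
alter table public.transactions enable row level security;
alter table public.transactions force row level security;

-- A user may only read rows whose user_id matches the id in their JWT.
-- auth.uid() is Supabase's helper that reads the 'sub' claim of the token.
create policy "users read own transactions"
  on public.transactions
  for select
  to authenticated
  using (auth.uid() = user_id);

-- WITH CHECK rejects any inserted row that claims another user's id,
-- even if the application code forgets to set or validate user_id.
create policy "users insert own transactions"
  on public.transactions
  for insert
  to authenticated
  with check (auth.uid() = user_id);

-- No UPDATE or DELETE policy is defined, so those statements affect zero
-- rows for ordinary users: once enabled, RLS is deny-by-default.

-- Self-check from psql or the SQL editor: impersonate a user for one
-- transaction and confirm that no other user's rows are visible.
-- The UUID is a constructed placeholder, not a real account.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
select count(*) from public.transactions
  where user_id <> '00000000-0000-0000-0000-000000000001';  -- expect 0
rollback;
```

Two points a reviewer checks on any setup like this: every table holding user data needs RLS enabled and a policy for each verb it allows, because a table with RLS off is fully readable through the public API; and the Supabase `service_role` key bypasses RLS entirely, so it belongs only in server-side environment variables, never in browser code, the same rule the page applies to Plaid access tokens.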
Cana's banking services are powered by Unit, whose banking partners are FDIC-insured. Your deposit accounts are protected up to $250,000 per depositor. We don't hold your money — it sits in regulated, insured bank accounts.
FDIC-insured deposit accounts through Unit's banking partners
Unit is SOC 2 Type II certified
Supabase (database) is SOC 2 Type II certified
Vercel (hosting) is SOC 2 Type II certified
Plaid (bank linking) is SOC 2 Type II certified and PCI DSS compliant
Cana supports phishing-resistant two-factor authentication using TOTP authenticator apps (Google Authenticator, Authy, 1Password). We strongly recommend enabling it. You can turn it on in Settings at any time.
TOTP-based 2FA available for all accounts
Compatible with Google Authenticator, Authy, 1Password, and any TOTP app
TOTP is phishing-resistant — codes generated locally, never transmitted
All Cana internal admin accounts require MFA — no exceptions
In the event of a security incident, we commit to notifying affected users within 72 hours if personal or financial data may have been compromised. We will provide clear information about what happened, what data was affected, and what steps we are taking.
72-hour notification commitment for any data breach
Immediate credential revocation upon suspected compromise
Coordination with Unit and Plaid for any financial data incidents
Post-incident report published for significant events
If you discover a security vulnerability in Cana, we want to know about it. Please report it to us privately and we commit to responding within 48 hours, working with you to understand and resolve the issue, and keeping you informed of our progress.
security@usecana.com
Infrastructure certifications
Unit (banking): FDIC-insured banking partner
Supabase: Database and authentication
Vercel: Hosting and edge network
Plaid: Bank account linking