ClearFlow is built around a simple principle: your data is yours, and protecting it is our responsibility. Here is exactly what we do to keep it safe.
bcrypt password hashing
Email two-factor authentication
Read-only bank access
No bank credentials stored
No ads, no data selling
Authentication
Two layers of protection on every sign-in.
Every ClearFlow account is protected by a password and a time-limited verification code sent to your email at every sign-in.
bcrypt password hashing
Passwords are never stored in plain text. We hash every password using bcrypt with a cost factor of 12 — even if our database were compromised, your original password could not be recovered.
Active on all accounts
Email two-factor authentication
Every sign-in requires a 6-digit verification code sent to your registered email address. Codes expire after 10 minutes and cannot be reused. This prevents unauthorized access even if your password is compromised.
Active on all accounts
Secure session management
Sessions are issued as signed JWT tokens stored in httpOnly, Secure, SameSite=Lax cookies. Because the cookie is httpOnly, the session token cannot be read by JavaScript, so a cross-site scripting flaw cannot steal it; Secure keeps it off unencrypted connections, and SameSite=Lax withholds it from most cross-site requests.
Active on all accounts
Session expiry
Sessions expire automatically after 30 days, requiring re-authentication. Signing out immediately invalidates your session cookie. There is no persistent "remember me" that bypasses 2FA.
Active on all accounts
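The one-time code and session cookie behaviour described above, as an added illustration that is not ClearFlow's code: a minimal Python model of a 6-digit email code that expires after 10 minutes and is accepted only once, plus the Set-Cookie attributes the page lists with a 30-day lifetime. The in-memory store, the SHA-256 digest of the code, the attempt-limit remark and the function names are assumptions; the page does not describe ClearFlow's implementation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60                # page: codes expire after 10 minutes
SESSION_TTL_SECONDS = 30 * 24 * 60 * 60   # page: sessions expire after 30 days


@dataclass
class PendingCode:
    digest: str          # assumption: only a SHA-256 digest of the code is kept server-side
    expires_at: float    # absolute Unix time after which the code is dead
    used: bool = False   # flipped on the first successful verification


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode("ascii")).hexdigest()


def issue_code(store: dict, user_id: str, now: float) -> str:
    """Create a fresh zero-padded 6-digit code; the caller emails it and must not log it."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    store[user_id] = PendingCode(_digest(code), now + CODE_TTL_SECONDS)  # replaces any older code
    return code


def verify_code(store: dict, user_id: str, submitted: str, now: float) -> bool:
    """Accept a code only once and only before expiry, comparing digests in constant time.

    A 6-digit space is small, so a real deployment also caps attempts per code
    (an assumption here; the page does not describe attempt limiting).
    """
    pending = store.get(user_id)
    if pending is None or pending.used or now > pending.expires_at:
        return False
    if not hmac.compare_digest(pending.digest, _digest(submitted)):
        return False
    pending.used = True   # single use: replaying the same code afterwards is rejected
    return True


def session_cookie(token: str) -> str:
    """Set-Cookie value carrying the attributes the page lists for the session token."""
    return (f"session={token}; Max-Age={SESSION_TTL_SECONDS}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```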
Data Security
What we store, how we store it.
A clear breakdown of how your data is handled at every layer of the application.
Passwords
Hashed with bcrypt (cost factor 12). Never stored, logged, or transmitted after entry. Password changes require the current password for verification.
Bank access tokens
Teller and Plaid access tokens are stored in our database for daily transaction sync. Used only for read-only retrieval and deleted immediately when you disconnect a bank.
Bank credentials
ClearFlow never receives, stores, or has access to your bank username, password, PIN, or security questions. These are handled exclusively by Teller and Plaid.
Transaction data
Transaction descriptions, amounts, and merchant names are stored to display in your budget. Pending transactions that are dismissed are deleted. Confirmed expenses are retained until you cancel your account.
Data in transit
All communication between your browser and our servers is encrypted using HTTPS with TLS. Connections to Teller in production use mutual TLS (mTLS) certificate authentication.
Account deletion
When you cancel your account, all data is immediately and permanently deleted — profile, household, budgets, expenses, reports, bank connections, and activity logs. No recovery is possible after deletion.
Bank Connectivity
Read-only access. Always.
Bank connections are strictly limited to reading transaction data. ClearFlow cannot move money, initiate payments, or modify your accounts in any way.
Powered by Teller.io
Teller is our primary bank connectivity provider — a licensed financial data aggregator that connects directly to financial institutions using bank-approved APIs.
Mutual TLS in production
API calls to Teller in production environments use mutual TLS certificate authentication — both our server and Teller's API mutually verify identity before any data is exchanged.
No credential storage
Your bank username and password are entered directly into Teller's secure widget and are never sent to ClearFlow's servers. We receive only an opaque access token.
Instant revocation
Disconnecting a bank immediately revokes the connection token in our database and on Teller's end. No further data is retrieved after disconnection.
Responsible Disclosure
Found a security issue?
We take vulnerability reports seriously and respond promptly.
Security Disclosure Policy
Contact us confidentially before public disclosure
If you discover a potential security vulnerability in ClearFlow, please report it privately before disclosing publicly. Email security@clearflow.app with a description, steps to reproduce, and any supporting evidence. We will acknowledge within 48 hours and provide a resolution timeline.
We ask that you do not access or modify other users' data during testing, do not disrupt service availability, and allow reasonable time for us to resolve the issue before public disclosure. We will credit researchers who report valid vulnerabilities, if desired.