Mt. Money — Security Overview
Last updated: 2026-05-15
Mt. Money handles non-public personal financial information. We operate under Gramm-Leach-Bliley Act (GLBA) principles from day one, and this page summarizes the controls in place. If you are evaluating Mt. Money for use at your business — or if you are a partner reviewing our security posture — this is the starting point. For specifics or audit documentation, contact security@mount.money.
Data protection
Encryption in transit. All connections to Mt. Money use TLS 1.2 or higher. We do not accept unencrypted traffic.
Encryption at rest. All customer data is encrypted at rest by our database provider using AES-256. Highly sensitive fields — including the access tokens we use to retrieve transactions from your financial institutions — are additionally encrypted at the column level using pgp_sym_encrypt with a key Mt. Money manages outside the database.
Tenant isolation. Mt. Money is multi-tenant. Each workspace (one business) is the security boundary. Postgres Row-Level Security policies enforce that boundary at the database layer, in addition to application-layer checks. Per-account access scoping within a workspace lets workspace owners further restrict bookkeepers and accountants to specific bank accounts.
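To make the column-level encryption and tenant-isolation controls above concrete, the following is an added SQL illustration, not Mt. Money's actual schema or policy text: a workspace-scoped Postgres Row-Level Security policy, an optional per-account scoping policy, and pgp_sym_encrypt on the access-token column. The table name, the session settings app.workspace_id and app.allowed_accounts, and the key placeholder are assumptions; the key itself is assumed to be supplied by the application, never stored in the database.

```sql
-- Added illustration (assumed schema, not Mt. Money's). Requires pgcrypto and
-- an application role that does NOT own the table: owners bypass RLS unless
-- FORCE ROW LEVEL SECURITY is set, and superusers/BYPASSRLS roles always bypass it.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE bank_connections (
    id            bigserial PRIMARY KEY,
    workspace_id  uuid  NOT NULL,
    account_id    uuid  NOT NULL,
    access_token  bytea NOT NULL   -- ciphertext only; key lives in the application
);

ALTER TABLE bank_connections ENABLE ROW LEVEL SECURITY;
ALTER TABLE bank_connections FORCE ROW LEVEL SECURITY;

-- Workspace is the security boundary. NULLIF guards the case where the setting
-- exists but is empty (current_setting returns '' rather than NULL after a reset),
-- so a missing tenant context yields zero rows instead of a cast error or a leak.
CREATE POLICY workspace_isolation ON bank_connections
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Per-account scoping for bookkeepers/accountants: RESTRICTIVE policies are ANDed
-- with the permissive one above. Owners leave app.allowed_accounts unset.
CREATE POLICY account_scope ON bank_connections AS RESTRICTIVE
    USING (
        NULLIF(current_setting('app.allowed_accounts', true), '') IS NULL
        OR account_id::text = ANY (string_to_array(current_setting('app.allowed_accounts', true), ','))
    );

-- Write path: tenant context is transaction-local; the token is encrypted with a
-- key passed per statement by the application (placeholder value here).
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO bank_connections (workspace_id, account_id, access_token)
VALUES ('11111111-1111-1111-1111-111111111111',
        '22222222-2222-2222-2222-222222222222',
        pgp_sym_encrypt('constructed-sample-token', 'APP_MANAGED_KEY_PLACEHOLDER'));
COMMIT;

-- Read path: decrypt only inside the tenant context; without SET LOCAL
-- app.workspace_id the same SELECT returns no rows at all.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
SELECT id, account_id,
       pgp_sym_decrypt(access_token, 'APP_MANAGED_KEY_PLACEHOLDER') AS token
FROM bank_connections;
COMMIT;
```

A useful check against this setup is to connect as the application role, omit the SET LOCAL, and confirm the SELECT returns zero rows; if it returns data, the role is bypassing RLS.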
No PII in logs. Application error reporting is configured to scrub personally identifiable information before transmission. Transaction descriptions, account numbers, and merchant names are not logged at the informational level.
Authentication and access
Multi-factor authentication. Time-based one-time password (TOTP) MFA is available for all users via the /account/security page. Mt. Money will require MFA enrollment before any user can connect a bank account.
Administrative access. All of Mt. Money's production infrastructure providers enforce multi-factor authentication for administrative access. WebAuthn passkeys are enrolled across our critical systems as the phishing-resistant primary factor.
Role-based access. Workspaces support five roles (owner, admin, bookkeeper, accountant, viewer) with appropriate permission boundaries. A user can have different roles in different workspaces.
AI assistant
The Mt. Money AI co-pilot is built on a leading commercial large-language-model API. We configure the integration as follows:
- Per-query scope. Only data from the current workspace is sent to the model provider. The model does not have access to data from workspaces you have not selected.
- No training retention. Our agreement with the model provider is configured for zero-data-retention for training. Queries and tool outputs are not used to train the provider's models.
- Tool-based access. The AI calls specific tools (search transactions, get balances, summarize a period, list top vendors, forecast cash flow) that return scoped data — we do not dump full transaction histories into the model's context.
- Citations. AI responses include references to specific transactions for any numerical claim, so you can verify the source.
The AI assistant does not provide financial, tax, accounting, investment, or legal advice. See our Terms of Service.
Vendor and supply chain
All upstream service providers Mt. Money relies on for processing customer data are SOC 2 Type II audited. The full list of subprocessors — covering hosting, database, financial-data connectivity, AI, transactional email, DNS, and source-code hosting — is disclosed in our Privacy Policy.
Vulnerability management
Dependency scanning. All production dependencies are scanned continuously for known vulnerabilities. Critical and high-severity vulnerabilities are patched within the timelines defined in our Vulnerability Patching SLA:
- Critical (CVSS 9.0+): 48 hours
- High (CVSS 7.0–8.9): 7 calendar days
- Medium (CVSS 4.0–6.9): 30 calendar days
Secret scanning. Every push to our source repository is scanned by Gitleaks before merge. Commits containing apparent secrets are blocked. Our .env.local files are never committed.
End-of-life monitoring. We track upstream runtime support windows (Node.js LTS, Postgres, Next.js, macOS) on a quarterly review cadence and plan migrations before any in-use component reaches end-of-life.
Data retention and deletion
Customer data is retained while your account is active. When an account is closed, personal information is deleted or de-identified within 30 days, with the maximum recoverable window from encrypted backups capped at 90 days. Users may request earlier deletion at any time via privacy@mount.money. See the Data Retention and Deletion Policy for the full schedule.
Incident response
If we discover a security incident affecting customer data, we will notify affected users in accordance with applicable state breach notification statutes. Our security contact is security@mount.money.
Compliance and certifications
Mt. Money is pre-launch and has not yet undergone SOC 2 Type II certification. A SOC 2 Type II audit is planned for the year after launch. Until then, we operate under SOC 2 principles internally and use exclusively SOC 2 Type II audited subprocessors.
Reporting a security issue
If you believe you have found a security vulnerability in Mt. Money, please email security@mount.money. We will acknowledge receipt within 48 hours and will work with you in good faith to validate and address the issue. We do not currently operate a paid bug bounty program but welcome responsible disclosure.
Contact
- Security inquiries and reports: security@mount.money
- Privacy inquiries: privacy@mount.money
- General contact: hello@mount.money