Security

Splits is a ledger, not a money transmitter. We never see your bank credentials and we never move money on your behalf — payments settle off-platform via Venmo or Cash App deep links.

Bank linking

Plaid handles credentials end-to-end. We only receive an access token, which is encrypted at rest with AES-256-GCM before it touches our database. Tokens are never logged or returned from an API.

Database isolation

Every user-facing table enforces row-level security in Postgres. Sensitive writes (notifications, friend requests) go through audited SECURITY DEFINER functions so a compromised client can't fabricate them.
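One way the pattern described above can look in Postgres, as an added example rather than Splits' own schema. The table, role, function and setting names are all hypothetical, and it assumes the API layer sets app.user_id from a verified session.

```sql
-- Constructed example: every table, role, function and setting name is hypothetical.
CREATE ROLE app_client NOLOGIN;  -- role used for end-user sessions

CREATE TABLE friend_requests (
    id         bigserial PRIMARY KEY,
    from_user  uuid NOT NULL,
    to_user    uuid NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now(),
    CHECK (from_user <> to_user),
    UNIQUE (from_user, to_user)
);

-- Assumption: the API layer runs SET LOCAL app.user_id = '<verified id>'
-- in each transaction, and clients cannot issue arbitrary SQL.
CREATE FUNCTION current_user_id() RETURNS uuid
LANGUAGE sql STABLE
AS $$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

ALTER TABLE friend_requests ENABLE ROW LEVEL SECURITY;

-- Clients can read only the requests they sent or received.
CREATE POLICY friend_requests_read ON friend_requests
    FOR SELECT TO app_client
    USING (current_user_id() IN (from_user, to_user));

-- SELECT only: with no write grant and no write policy, direct INSERTs fail.
GRANT SELECT ON friend_requests TO app_client;

-- The single write path. It runs as the function owner (here also the table
-- owner, so RLS does not apply to it) and takes the sender from the session,
-- never from a parameter, so a caller cannot forge from_user.
CREATE FUNCTION send_friend_request(p_to_user uuid) RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp  -- pinned so callers cannot shadow objects
AS $$
DECLARE
    v_from uuid := current_user_id();
    v_id   bigint;
BEGIN
    IF v_from IS NULL THEN
        RAISE EXCEPTION 'no authenticated user';
    END IF;
    INSERT INTO friend_requests (from_user, to_user)
    VALUES (v_from, p_to_user)
    RETURNING id INTO v_id;
    RETURN v_id;
END;
$$;

REVOKE ALL ON FUNCTION send_friend_request(uuid) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION send_friend_request(uuid) TO app_client;
```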

Reporting a vulnerability

Email security@splitshq.com. We'll acknowledge within two business days.