
Security at ExpenseAI

Last updated: February 28, 2026

ExpenseAI handles sensitive financial data. We take that seriously. This page describes the technical measures we use to protect your information.

Encryption at Rest

Every piece of data stored in our systems is encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode), the same encryption standard used by banks, government agencies, and Fortune 500 companies. Encrypted data includes:

  • User accounts and credentials
  • Expense records and descriptions
  • Receipt scan results and metadata
  • Profile information (names, addresses, signatures)
  • Generated reports and PDFs

Each encrypted record includes a unique initialization vector (IV), so that identical data produces different ciphertext, and an authentication tag, so that any tampering with the stored record is detected at decryption time.

Encryption in Transit

All communications between your device and ExpenseAI are encrypted using TLS 1.3 (Transport Layer Security). This includes:

  • Web dashboard (HTTPS with HSTS)
  • API calls from browser and mobile
  • SMS webhook callbacks from Twilio
  • Report download links

Authentication

ExpenseAI supports multiple authentication methods, all secured with industry best practices:

  • SMS verification codes — 6-digit codes drawn from a cryptographically secure random number generator, with 5-minute expiration
  • Password hashing — bcrypt with cost factor 12 (passwords are never stored in plaintext)
  • Session tokens — HMAC-SHA256-signed tokens carrying a cryptographic nonce, delivered in httpOnly cookies with a SameSite policy
  • Google OAuth 2.0 — Delegated authentication through Google's infrastructure
  • Timing-safe comparison — All token validations use constant-time algorithms to prevent timing attacks

SMS Security

Our SMS integration with Twilio includes:

  • Webhook signature validation — Every incoming SMS is verified against Twilio's cryptographic signature to prevent spoofing
  • Phone number verification — All phone numbers are normalized and validated before processing
  • No sensitive data in SMS — Report links use time-limited tokens, not raw data

Data Handling

  • Minimal data collection — We only store what's needed to track expenses and generate reports
  • No data selling — Your financial data is never sold, shared with advertisers, or used for any purpose other than providing our service
  • Time-limited tokens — Report download links expire after 7 days. Magic login links expire after 2 hours
  • One-time use tokens — Login verification codes and magic links are deleted after use

Infrastructure

  • Hosting — Vercel (SOC 2 Type II compliant, ISO 27001)
  • Data storage — Upstash Redis (SOC 2 Type II compliant, encrypted at infrastructure level)
  • SMS provider — Twilio (SOC 2 Type II, PCI DSS Level 1)
  • AI processing — Anthropic Claude (SOC 2 Type II compliant, data not used for training)
  • Email — Resend (SOC 2 Type II compliant)
  • Payments — Stripe (PCI DSS Level 1, SOC 2 Type II)

AI and Your Data

ExpenseAI uses Claude by Anthropic for expense categorization and receipt scanning. Your data sent to Claude is:

  • Transmitted over encrypted connections (TLS)
  • Not used to train AI models (per Anthropic's API data policy)
  • Not stored by Anthropic beyond the API request lifecycle
  • Limited to the minimum context needed for the current operation

Responsible Disclosure

If you discover a security vulnerability, please email us at security@getaiadmin.com. We take all reports seriously and will respond within 48 hours.
