We take security seriously at YBudget. Here's how we protect your financial data.
OAuth instead of Password
- OAuth 2.0 with Google eliminates password vulnerabilities
- Implemented with Convex Auth in
convex/auth.ts
Organizational Isolation
- Every query is filtered by
organizationId - Organizations can only access their own data
Role-Based Access Control
member(read-only) →lead(edit, manage teams) →admin(full control)requireRole(ctx, "admin")validates permissions inconvex/users/permissions.ts
Credentials & Secrets
- All secrets stored server-side in Convex Dashboard
- Client never receives API keys
Encryption
- HTTPS/TLS enforced by Convex and Vercel
- Database encrypted at rest on Convex Cloud
JWT Security
- Tokens signed with private keys
- HTTPOnly cookies with SameSite=Strict
Input Validation
- Every function argument validated with Convex validators
Type-Safe Queries
- Prevents NoSQL injection attacks
Internal Functions
- Sensitive operations use
internalMutation/internalQuery
Stripe
- Webhook signature verification
- No credit card data stored
XSS
- CSP headers configured
- React escapes user input
Rate Limiting
- Built into Convex
Infrastructure
- Vercel: HTTPS, DDoS protection, CDN
- Convex Cloud: managed security patches, encrypted backups
For STRIDE analysis and data flow diagrams, see ThreatModel.md.
Email team@ybudget.de with security concerns.