
Security

Your financial data is sensitive. Here’s how we protect it.

Encrypted at rest · TLS encrypted · BCrypt hashed

Authentication

Simple Budget uses JSON Web Token (JWT) based authentication with the HS256 signing algorithm. Access tokens are short-lived, expiring after 15 minutes, to minimise the window of exposure in the event of a token compromise. Refresh tokens are valid for 7 days and are stored securely in Redis with automatic expiration. When you log out, your refresh token is immediately invalidated.
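The token lifecycle described above, as an added example rather than Simple Budget's own code: an HS256 access token that expires after 15 minutes, an opaque refresh token kept in Redis with a 7-day TTL, and deletion of that key on logout. It assumes the System.IdentityModel.Tokens.Jwt and StackExchange.Redis packages; the class, method and Redis key names are assumptions. Because the access token is stateless, logout only revokes the refresh token; the access token stays usable until its 15-minute expiry, which is why that lifetime is kept short.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using StackExchange.Redis;

// Added example (not Simple Budget's code); names and key layout are assumed.
public sealed class TokenService
{
    private static readonly TimeSpan AccessTokenLifetime = TimeSpan.FromMinutes(15);
    private static readonly TimeSpan RefreshTokenLifetime = TimeSpan.FromDays(7);

    private readonly SymmetricSecurityKey _signingKey;
    private readonly IDatabase _redis;
    private readonly string _issuer;

    public TokenService(byte[] hmacSecret, IDatabase redis, string issuer)
    {
        // HS256 needs at least a 256-bit key; the library rejects shorter ones.
        if (hmacSecret.Length < 32) throw new ArgumentException("HS256 key must be at least 32 bytes");
        _signingKey = new SymmetricSecurityKey(hmacSecret);
        _redis = redis;
        _issuer = issuer;
    }

    // Short-lived access token: "sub" carries the user id, "exp" is 15 minutes out.
    public string CreateAccessToken(Guid userId)
    {
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: _issuer,
            audience: _issuer,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, userId.ToString()) },
            notBefore: now,
            expires: now.Add(AccessTokenLifetime),
            signingCredentials: new SigningCredentials(_signingKey, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Parameters for AddJwtBearer: lifetime enforced with no clock-skew grace, and
    // only HS256 accepted, so a token whose header names another "alg" is rejected.
    public TokenValidationParameters ValidationParameters => new TokenValidationParameters
    {
        ValidIssuer = _issuer,
        ValidAudience = _issuer,
        IssuerSigningKey = _signingKey,
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
        ValidateIssuerSigningKey = true,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.Zero,
    };

    // Refresh token: 256 random bits handed to the client; Redis stores only its
    // SHA-256 fingerprint, with a 7-day expiry that Redis enforces on its own.
    public async Task<string> IssueRefreshTokenAsync(Guid userId)
    {
        var refreshToken = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        await _redis.StringSetAsync(RefreshKey(userId, refreshToken), "1", RefreshTokenLifetime);
        return refreshToken;
    }

    public Task<bool> IsRefreshTokenValidAsync(Guid userId, string refreshToken) =>
        _redis.KeyExistsAsync(RefreshKey(userId, refreshToken));

    // Logout: deleting the key makes the refresh token unusable immediately,
    // however much of its 7 days remained.
    public Task<bool> RevokeRefreshTokenAsync(Guid userId, string refreshToken) =>
        _redis.KeyDeleteAsync(RefreshKey(userId, refreshToken));

    private static string RefreshKey(Guid userId, string refreshToken) =>
        $"refresh:{userId}:{Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(refreshToken)))}";
}
```

Storing the fingerprint rather than the token itself means a copy of the Redis append-only file does not contain usable refresh tokens.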

Password Security

Your password is never stored in plain text. We use BCrypt, an industry-standard adaptive hashing algorithm, to hash passwords before storage. BCrypt incorporates a salt and is designed to be computationally expensive, making brute-force attacks impractical. Even if our database were compromised, your password would remain protected.
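What "BCrypt with a salt and a tunable cost" looks like in .NET, as an added example that is not Simple Budget's code. It assumes the BCrypt.Net-Next package (the `PasswordNeedsRehash` helper in particular is assumed to be available there); the class and method names are assumptions.

```csharp
using System;
using System.Text;

// Added example (not Simple Budget's code); package and helper names are assumed.
public static class PasswordHasher
{
    // Cost parameter: 2^12 key-expansion rounds. Raise it as hardware gets faster;
    // existing hashes keep the cost they were made with and are upgraded on login.
    private const int WorkFactor = 12;

    // The 60-character result "$2a$12$<22-char salt><31-char hash>" embeds the
    // version, the cost and a fresh 128-bit random salt, so no separate salt column
    // is needed and two users with the same password get different hashes.
    public static string Hash(string password)
    {
        // BCrypt only consumes the first 72 bytes of input; reject longer passwords
        // rather than silently truncating them.
        if (Encoding.UTF8.GetByteCount(password) > 72)
            throw new ArgumentException("password exceeds 72 bytes");
        return BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);
    }

    // Login path: verify against the stored hash and, if that hash was made with a
    // lower cost than the current setting, return a replacement for the caller to persist.
    public static (bool Ok, string? UpgradedHash) VerifyAndUpgrade(string password, string storedHash)
    {
        if (!BCrypt.Net.BCrypt.Verify(password, storedHash)) return (false, null);
        var needsRehash = BCrypt.Net.BCrypt.PasswordNeedsRehash(storedHash, WorkFactor);
        return (true, needsRehash ? Hash(password) : null);
    }
}
```

Verification re-runs the derivation with the salt and cost read out of the stored hash, so the cost can be raised without touching existing rows; each user's hash is upgraded the next time they log in successfully.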

Data Encryption

In Transit

All communication between your browser and our servers is encrypted using TLS (Transport Layer Security). This ensures that your financial data, credentials, and any other information transmitted cannot be intercepted or read by third parties.

At Rest

Your data is stored in PostgreSQL databases with encryption at rest enabled. Database backups are also encrypted. Redis, used for caching and session management, is configured with append-only file persistence and runs in an isolated network environment.

Infrastructure

Our application runs in containerised environments using Docker, with each service (frontend, backend, database, cache) isolated in its own container on a private network. The backend API is built on .NET 10 with ASP.NET Core, benefiting from Microsoft’s security-hardened framework, built-in protection against common web vulnerabilities (CSRF, XSS, SQL injection), and regular security patches.

Access Controls

Simple Budget implements role-based access control for shared budgets. Budget owners can invite collaborators and control their permission levels. Each API request is authenticated and authorised to ensure users can only access data they own or have been explicitly granted permission to view.

Data Isolation

All database queries are scoped to the authenticated user’s account. Entity Framework Core’s parameterised queries prevent SQL injection attacks. Your financial data is never accessible to other users unless you explicitly share a budget with them.
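One way to enforce the scoping described under Access Controls and Data Isolation in Entity Framework Core, as an added example rather than Simple Budget's code: a global query filter on the budget entity keyed to the authenticated user, role checks read from the membership row, and parameterised raw SQL where it is needed. The entity, service and interface names, the role set and the PostgreSQL table name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

// Added example (not Simple Budget's code); entity and service names are assumed.
public enum BudgetRole { Viewer = 0, Editor = 1 }

public class Budget
{
    public Guid Id { get; set; }
    public Guid OwnerId { get; set; }
    public string Name { get; set; } = "";
    public List<BudgetMember> Members { get; set; } = new();
}

public class BudgetMember
{
    public Guid BudgetId { get; set; }
    public Guid UserId { get; set; }
    public BudgetRole Role { get; set; }
}

// Resolved per request from the validated JWT's "sub" claim (assumed interface).
public interface ICurrentUser { Guid Id { get; } }

public class BudgetDbContext : DbContext
{
    private readonly ICurrentUser _user;

    public BudgetDbContext(DbContextOptions<BudgetDbContext> options, ICurrentUser user)
        : base(options) => _user = user;

    public DbSet<Budget> Budgets => Set<Budget>();

    protected override void OnModelCreating(ModelBuilder mb)
    {
        mb.Entity<BudgetMember>().HasKey(m => new { m.BudgetId, m.UserId });
        // Global filter: every query over Budgets is scoped to the caller, so a
        // handler that forgets its own Where clause still cannot return another
        // user's rows. _user.Id is bound as a query parameter at execution time.
        mb.Entity<Budget>().HasQueryFilter(b =>
            b.OwnerId == _user.Id || b.Members.Any(m => m.UserId == _user.Id));
    }
}

public class BudgetService
{
    private readonly BudgetDbContext _db;
    private readonly ICurrentUser _user;

    public BudgetService(BudgetDbContext db, ICurrentUser user) { _db = db; _user = user; }

    // Out-of-scope and non-existent budgets both come back null (the endpoint maps
    // that to 404), so the response does not reveal whether someone else's budget exists.
    public Task<Budget?> GetAsync(Guid budgetId) =>
        _db.Budgets.Include(b => b.Members).FirstOrDefaultAsync(b => b.Id == budgetId);

    // Writes check the role stored in the membership row, never a client-supplied flag.
    public async Task<bool> RenameAsync(Guid budgetId, string newName)
    {
        var budget = await GetAsync(budgetId);
        if (budget is null) return false;
        var canEdit = budget.OwnerId == _user.Id
            || budget.Members.Any(m => m.UserId == _user.Id && m.Role == BudgetRole.Editor);
        if (!canEdit) return false;
        budget.Name = newName;
        await _db.SaveChangesAsync();
        return true;
    }

    // Raw SQL where LINQ is not enough: FromSqlInterpolated turns the interpolated
    // value into a DbParameter, and the global filter above is still applied on top.
    public Task<List<Budget>> SearchAsync(string term)
    {
        var pattern = $"%{term}%";
        return _db.Budgets
            .FromSqlInterpolated($"SELECT * FROM \"Budgets\" WHERE \"Name\" ILIKE {pattern}")
            .ToListAsync();
    }
}
```

The filter can be bypassed deliberately with `IgnoreQueryFilters()`, which is worth grepping for in code review; any call site using it should have a reason that does not involve serving data to a user.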

Monitoring and Incident Response

We use structured logging via ILogger<T> across all services to monitor for unusual activity and potential security events. In the event of a security incident, we will notify affected users within 72 hours and take immediate action to contain and remediate the issue.
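Structured security events through ILogger<T>, as an added example that is not Simple Budget's code: failed logins and rejected refresh tokens are logged with named properties rather than free text, and a sliding-window count per source address flags a burst of failures for the caller to throttle. Event ids, property names, the threshold and the window are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using Microsoft.Extensions.Logging;

// Added example (not Simple Budget's code); event ids and names are assumed.
public static class SecurityEventIds
{
    public static readonly EventId LoginFailed = new(1001, nameof(LoginFailed));
    public static readonly EventId LoginFailureBurst = new(1002, nameof(LoginFailureBurst));
    public static readonly EventId RefreshTokenRejected = new(1003, nameof(RefreshTokenRejected));
}

public class LoginMonitor
{
    private const int BurstThreshold = 10;
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(10);

    private readonly ILogger<LoginMonitor> _logger;
    // Recent failure timestamps per source address (in-memory, so per API process).
    private readonly ConcurrentDictionary<string, Queue<DateTime>> _failures = new();

    public LoginMonitor(ILogger<LoginMonitor> logger) => _logger = logger;

    // Logs the failure as structured fields (the password is never passed in) and
    // returns true once the address has crossed the threshold inside the window.
    public bool RecordFailedLogin(Guid? userId, string remoteIp, DateTime nowUtc)
    {
        _logger.LogWarning(SecurityEventIds.LoginFailed,
            "Login failed for {UserId} from {RemoteIp}", userId, remoteIp);

        var queue = _failures.GetOrAdd(remoteIp, _ => new Queue<DateTime>());
        int count;
        lock (queue)
        {
            queue.Enqueue(nowUtc);
            while (queue.Count > 0 && nowUtc - queue.Peek() > Window) queue.Dequeue();
            count = queue.Count;
        }
        if (count < BurstThreshold) return false;

        _logger.LogError(SecurityEventIds.LoginFailureBurst,
            "{FailureCount} failed logins from {RemoteIp} within {WindowMinutes} minutes",
            count, remoteIp, Window.TotalMinutes);
        return true;
    }

    // Only the fact and the reason are logged; the rejected token value is not.
    public void RecordRefreshRejected(Guid userId, string reason) =>
        _logger.LogWarning(SecurityEventIds.RefreshTokenRejected,
            "Refresh token rejected for {UserId}: {Reason}", userId, reason);
}
```

With a structured sink the `{UserId}`, `{RemoteIp}` and `{FailureCount}` placeholders become queryable fields, so an alert on `LoginFailureBurst` or on many `RefreshTokenRejected` events for one user can be written without parsing message text.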

Responsible Disclosure

If you discover a security vulnerability in Simple Budget, we encourage responsible disclosure. Please report security issues to security@simplebudget.au. We ask that you give us reasonable time to investigate and address the issue before public disclosure. We appreciate the security community’s efforts in helping keep our users safe.

Questions

For security-related inquiries, contact us at security@simplebudget.au. For general privacy questions, see our Privacy Policy.


Important  · General advice only. Simple Budget is a personal record-keeping and budgeting tool. We are not a financial advisor, do not provide financial, investment, tax, or legal advice, and do not hold or transmit money on your behalf. Information shown is general only — speak to a qualified professional before making financial decisions.

© 2026 Simple Budget. All rights reserved.

Simple Budget AU PTY LTD · ABN 54 697 674 187