Security

Your financial data deserves the strictest defaults.

Fino is built with mandatory MFA, encrypted bank token handling, user-scoped data access rules, session history, and reauthentication gates before any sensitive action. Security is not a setting — it is how the product works.

Illustration: status overview
  • MFA verified
  • Tokens encrypted
  • Session active
  • Data scoped to user
  • Reauth gates active

At a glance:
  • MFA enforcement: required, no bypass path
  • Token storage: server-side, never in browser
  • Data access: user-scoped, access-controlled
  • Sensitive actions: reauth gated, fresh credential check
  • Session control: full history, revoke from any device

Security controls

Six layers that protect your data by default.

Each control is active from first sign-in. None require you to find a settings page.

Always on

Mandatory MFA

Multi-factor authentication is required before financial data loads. There is no way to skip it once enrolled. Supported factors include authenticator apps and SMS.

Server-side only

Encrypted bank tokens

Bank access tokens issued by Plaid are handled server-side and never stored in the browser or accessible from client code. The browser never sees a token it could leak.

Access rules

User-scoped records

Every financial collection is protected by server-enforced access rules that restrict reads and writes to the authenticated owner. Other users cannot access your data, period.

Full visibility

Session management

Review all active sessions, see the device and time of each login, and revoke any session remotely. Session history is preserved. Idle sessions auto-expire.

Credential check

Reauthentication gates

Sensitive operations — changing MFA factors, disconnecting a bank, modifying security settings — require the user to prove identity again before proceeding.

No data selling

Privacy by design

Your financial data is never sold or shared with third parties. Privacy and terms links are built into the product. Plaid's end-user privacy policy is surfaced at connection time.

Authentication

Two factors, no exceptions.

Fino uses a secure authentication service for all sign-in flows. After initial sign-in, users are required to enroll in multi-factor authentication before the app loads financial data. Supported methods include TOTP authenticator apps and SMS codes; of the two, the authenticator app is the stronger factor, and SMS is best kept as a backup.

Once enrolled, MFA is checked on every login. There is no override, no recovery path that bypasses the second factor, and no way to reach financial collections without a verified session.

TOTP authenticator app support
SMS second factor option
Enrollment required before financial data loads
Reauthentication gates for sensitive changes
Illustration: multi-factor authentication, identity verified with 2 factors active
  • Sign in: email + password verified
  • MFA check: authenticator code accepted
  • Session created: verified session on this device
  • Data access: financial collections unlocked
  Enrolled factors: authenticator app (primary), SMS (backup)
Illustration: data access rules, enforced at database level
  Verified user UID: uid:a7f3k···92z
  • /transactions (13,847 records): UID match required
  • /accounts (33 records): UID match required
  • /documents (815 records): UID match required
  • /receipts (204 records): UID match required
  • /events (11 records): UID match required

Data isolation

Your records are yours. Nobody else can read them.

Every collection — transactions, accounts, documents, receipts, budgets, events — is protected by server-enforced access rules that require the requesting user's identity to match the record owner. This is enforced at the database level, not just in application code.

Bank access tokens from Plaid are stored server-side and never returned to the client. The browser never sees a token it could exfiltrate.

User-identity-matched access rules on all collections
Bank tokens held server-side only
No cross-user data reads possible
Storage files scoped to user identity path
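The ownership rule described in this section and under "User-scoped records" above, as an added JavaScript example that is not Fino's code: a single server-side data layer that every read and write passes through, so the "requesting identity must match record owner" check cannot be skipped by a handler that forgets it. The Map-backed store, the session shape and the `AccessDenied` class are assumptions standing in for the real database and its rules; the collection names are the ones the page lists.

```javascript
// Added example, not Fino's code: one server-side data layer through which every read
// and write passes, so the owner check is enforced in one place instead of in each
// request handler. A Map stands in for the database (assumption).
const OWNED_COLLECTIONS = ['transactions', 'accounts', 'documents', 'receipts', 'budgets', 'events'];

class AccessDenied extends Error {}

// Every operation needs an MFA-verified session; reads and writes additionally need
// the record's ownerUid to equal the session uid.
function requireMfa(session) {
  if (!session || !session.uid || session.mfaVerified !== true) throw new AccessDenied('mfa required');
}
function owns(session, record) {
  return Boolean(record) && record.ownerUid === session.uid;
}

class ScopedStore {
  constructor() {
    this.collections = new Map(OWNED_COLLECTIONS.map((name) => [name, new Map()]));
    this.nextId = 1;
  }
  collection(name) {
    const c = this.collections.get(name);
    if (!c) throw new AccessDenied(`unknown collection ${name}`);
    return c;
  }
  // Create: ownerUid is taken from the session; a client-supplied ownerUid or id is discarded.
  create(session, name, body) {
    requireMfa(session);
    const { ownerUid: _clientOwner, id: _clientId, ...fields } = body;
    const record = { ...fields, id: String(this.nextId++), ownerUid: session.uid };
    this.collection(name).set(record.id, record);
    return record;
  }
  // Read: "missing" and "not yours" give the same error, so there is no existence oracle.
  get(session, name, id) {
    requireMfa(session);
    const record = this.collection(name).get(id);
    if (!owns(session, record)) throw new AccessDenied('not found');
    return record;
  }
  // List: the owner filter is applied here, so a handler cannot forget it.
  list(session, name) {
    requireMfa(session);
    return [...this.collection(name).values()].filter((r) => owns(session, r));
  }
  // Update: ownership is checked first, and ownerUid can never be changed.
  update(session, name, id, changes) {
    const record = this.get(session, name, id);
    if ('ownerUid' in changes && changes.ownerUid !== record.ownerUid) {
      throw new AccessDenied('ownerUid is immutable');
    }
    Object.assign(record, changes, { id, ownerUid: record.ownerUid });
    return record;
  }
  remove(session, name, id) {
    this.get(session, name, id);
    this.collection(name).delete(id);
  }
}

// Constructed walk-through with two users; returns what each attempt produced.
function demo() {
  const store = new ScopedStore();
  const alice = { uid: 'uid-alice', mfaVerified: true };
  const bob = { uid: 'uid-bob', mfaVerified: true };
  const bobNoMfa = { uid: 'uid-bob', mfaVerified: false };
  const attempt = (fn) => {
    try { fn(); return 'allowed'; } catch (e) { return e instanceof AccessDenied ? 'denied' : 'error'; }
  };
  // Alice's client claims the record belongs to Bob; the store ignores the supplied ownerUid.
  const tx = store.create(alice, 'transactions', { amount: -42.1, merchant: 'Grocer', ownerUid: 'uid-bob' });
  store.create(bob, 'transactions', { amount: -9.99, merchant: 'Coffee' });
  return {
    createdOwner: tx.ownerUid,
    aliceSees: store.list(alice, 'transactions').length,
    bobSees: store.list(bob, 'transactions').length,
    bobReadsAlice: attempt(() => store.get(bob, 'transactions', tx.id)),
    bobUpdatesAlice: attempt(() => store.update(bob, 'transactions', tx.id, { amount: 0 })),
    aliceGivesAway: attempt(() => store.update(alice, 'transactions', tx.id, { ownerUid: 'uid-bob' })),
    noMfaList: attempt(() => store.list(bobNoMfa, 'transactions')),
    aliceUpdatesOwn: attempt(() => store.update(alice, 'transactions', tx.id, { merchant: 'Grocer Co' })),
  };
}
```

The two details worth copying are that the owner is always set from the verified session rather than the request body, and that a read of someone else's record fails exactly like a read of a record that does not exist, so an attacker cannot probe which ids are in use.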

Session control

See every active session. Revoke any of them.

Fino shows a full history of sign-ins — device type, location, and time. You can see exactly what is logged in to your account and revoke any session from any device, immediately.

Idle sessions are automatically terminated after a period of inactivity. Every session requires a valid MFA-verified token to reach financial data.

Full session history with device and time
One-tap remote session revocation
Idle logout after inactivity period
MFA-verified token required for every session
Illustration: active sessions, 4 devices over the last 30 days
  • Chrome · macOS, Toronto, ON, now (this device)
  • Safari · iPhone, Toronto, ON, 3h ago
  • Chrome · Windows, remote, yesterday
  • Firefox · macOS, Toronto, ON, 3 days ago
  Idle sessions expire after inactivity

Technical detail

What is actually under the hood.

Specific controls, not vague promises.

Authentication

  • Secure authentication service
  • Email + password sign-in
  • TOTP authenticator app (MFA)
  • SMS second factor (MFA)
  • Session token validation on all requests
  • Reauthentication for sensitive operations

Encryption

  • AES-256 encryption at rest
  • TLS 1.2+ encryption in transit
  • Bank tokens encrypted server-side
  • Stored files encrypted at rest
  • Keys managed by cloud key management service
  • No plaintext credentials stored

Bank connections

  • Plaid Link for institution connection
  • Access tokens held server-side only
  • Tokens never returned to browser clients
  • Institution deauthorization on disconnect
  • Plaid end-user privacy policy surfaced at link
  • Transaction sync via server-side functions only

Privacy

  • No data sold to third parties
  • No behavioral advertising
  • Privacy policy linked in product
  • Terms of service linked in product
  • Plaid privacy policy linked at connection
  • User-controlled data and account deletion

Move from scattered to sorted

Start building your clearest financial picture.

Start 7-day trial