Security at k25x
We treat your financial data the way we'd want our own treated. That means concrete defaults — not just policies.
How your data is protected
Your data stays on your device
Transactions, balances, and goals live in your browser. Cloud sync is optional — you turn it on if you want to use k25x on more than one device.
Strong encryption for anything sensitive
Bank tokens and your two-factor secret are encrypted before they touch storage. The encryption key is held so that even a malicious browser extension cannot copy it.
Two-factor authentication is required
Every account uses an authenticator app code on sign-in. Works with 1Password, Authy, Google Authenticator, Bitwarden — whichever you already use. You'll get recovery codes when you set it up; keep them somewhere safe.
Optional password to lock the app
Add a master password and the app re-prompts for it whenever you've been idle for 30 minutes. The password never leaves your device — we use it locally to unlock the encryption key.
AI input is sanitized before it leaves your browser
Anything you type into the AI advisor is cleaned of common tricks attackers use to manipulate language models. You can also run the AI fully offline on your machine (Settings → AI Privacy) so nothing leaves at all.
Threat model — what we defend against
| Threat | Defense |
|---|---|
| XSS via user-supplied transaction text | Strict CSP with nonce + strict-dynamic; sanitize-on-render |
| Prompt injection via emails/SMS/PDFs | ai-sanitize.ts neutralizes injection markers; magic-byte checks on uploads |
| Filesystem read of browser profile | Optional PBKDF2 password vault — without password, encrypted credentials unrecoverable |
| Token-budget exhaustion / abuse | Per-user monthly envelope, file-size limits on AI uploads |
| Cookie tampering for local-only bypass | Middleware blocks /api/plaid, /api/lean, /api/email-parse, /api/stripe when cookie set |
| Cross-tab DEK exposure | Per-tab in-memory; auto-locks after 30 min of inactivity |
| Sentry/PostHog leaking PII | Both scrub email + numeric clusters; both honor disable-analytics flag |
| LocalStorage corruption silent reset | loadValidated() quarantines bad data + surfaces a recovery toast |
Responsible disclosure
Found a security issue? Don't open a public GitHub issue. Email security@k25x.ai and we'll respond within 72 hours under our safe-harbor policy.
- Acknowledge: within 72 hours.
- Assess + scope: within 5 business days.
- Fix or mitigate: within 30 days for high-severity issues; 90 days for medium; lower-severity items roll into the next release.
- Credit: we credit reporters in our changelog unless you prefer anonymity.
We don't currently run a paid bug bounty, but we do maintain a public hall of fame for verified reports.