Security
How Comma protects your data.
Your financial data is encrypted in your browser before it ever reaches our servers. We can't read it. We can't share it. We couldn't hand it over even if we wanted to.
The problem
What is open banking — and why doesn't Comma use it?
Most finance apps connect directly to your bank. Whether it's open banking APIs (like CDR in Australia or PSD2 in the UK) or screen scraping, the result is the same: a third-party server has continuous, readable access to your complete financial history.
How other apps work
Your bank
Holds all your transactions
↓
Third-party provider
Reads your transactions in plaintext
↓
The app's servers
Stores and processes your readable data
How Comma works
You export a CSV
A file on YOUR computer. No credentials shared.
↓
Your browser encrypts it
AES-256-GCM with a key derived from your password
↓
Encrypted blob stored
We can see data exists. We can't read it.
The difference isn't a policy. It's architecture. Other apps promise not to misuse your data. Comma can't access it at all — the maths won't let us.
Architecture
How Comma's data pipeline works — layer by layer.
Every step is designed so your readable financial data never leaves your device.
CSV Import
Your device
You export a CSV from your bank — a file that stays on your computer. Comma reads it in-browser using the File API. The raw data never leaves your machine.
✓ File read via browser File API — no upload
✓ Auto-detection of 39 bank formats across 5 countries
✓ Parsed, categorised, and rendered entirely client-side
Client-side Encryption
Your device
Your password derives an encryption key via PBKDF2-SHA256 (600,000 iterations). Data is encrypted with AES-256-GCM — authenticated encryption with a unique salt and IV per operation. All via the Web Crypto API.
✓ PBKDF2-SHA256, 600,000 iterations — resistant to brute force
✓ AES-256-GCM — authenticated encryption, tamper detection
✓ Unique salt + IV per encryption — no repeated ciphertexts
Supabase Storage
Server
Encrypted blobs are stored in Supabase Pro (Sydney region). Row Level Security ensures each user can only access their own rows. We see that data exists — we cannot read what it contains.
✓ SOC 2 Type II compliant infrastructure
✓ Row Level Security — each user isolated at the database level
✓ Sydney region — data stays in Australia
Stripe Payments
Separate
Stripe handles all payments as Merchant of Record. PCI DSS Level 1 compliant. Your card details never touch our servers. Payment data is completely separate from your financial data.
✓ PCI DSS Level 1 — highest level of payment security
✓ Zero overlap with your financial transaction data
Vercel Hosting
Edge
The marketing site and app are deployed on Vercel's edge network with Sydney as the primary region. Cookie-free analytics only — no tracking pixels, no fingerprinting.
✓ Edge network — fast global delivery, Sydney primary
✓ Cookie-free analytics — no tracking cookies or fingerprinting
✓ No server-side processing of financial data
AI Providers
Optional
BYO API key. Claude, ChatGPT, or Gemini — your browser talks directly to the provider. Comma's servers never see your prompts, your responses, or your API key.
✓ Browser-to-provider direct — no proxy through Comma
✓ API key stored in localStorage only — never synced to servers
Real questions
The questions worth asking before you trust any app with your finances.
Don't take our word for it. Ask these of every finance app.
Scenario
What if Comma is breached?
An attacker gets encrypted blobs — ciphertext that is computationally infeasible to decrypt without your password. There is no master key, no backdoor, no admin panel. The architecture makes a data breach a non-event for your financial privacy.
Scenario
What if I forget my password?
We cannot recover your data. That's the point. If we could recover it, so could an attacker. Free tier data lives in your browser. Pro tier encrypted data requires your password — always.
Scenario
What if someone steals my laptop?
Free tier data lives in localStorage, protected by your OS login. Pro tier data requires your Comma password to decrypt — even with full browser access, the encrypted blobs are unreadable without it.
Scenario
Can Comma employees read my data?
No. The architecture makes it physically impossible — even with full database access, we see only ciphertext. This isn't a policy; it's a mathematical constraint.
Scenario
What about the AI feature?
AI requests go from your browser directly to your chosen provider (Anthropic, OpenAI, or Google). Comma's servers never see this data. You choose the provider, bring your own API key, and can disable the feature entirely.
Scenario
Can a government demand my data?
They can demand what we have — encrypted blobs. We cannot comply with a request to produce readable financial data because we don't hold the keys. We'd hand over ciphertext. They'd need your password.
Our commitments
What we never do.
Not "we try not to" — never. These are design decisions, not policies.
Never connect to your bank. CSV only. No open banking, no credentials — ever.
Never store plaintext transactions. Encrypted blobs only. Your readable data never leaves your device.
Never sell, share, or monetise your data. Revenue comes from software sales — one-time purchases.
Never run ads. No advertisers, no sponsored categories, no "partner" offers.
Never use tracking cookies. Cookie-free analytics only. No fingerprinting.
Never log AI conversations. Browser-to-provider direct. We see nothing.
Never store your AI API key on our servers. It stays in your browser only.
Never require an account for the free tier. Full dashboard, no signup, no tracking.
Don't trust our claims. Verify our architecture.
Every layer of Comma's security is documented on this page — from CSV parsing to key derivation to authenticated encryption. No black boxes. If you're a security researcher, we welcome the conversation.
Responsible disclosure welcome
Why trust Comma
Trust signals.
Transparent Architecture
Every encryption decision documented. PBKDF2-SHA256 key derivation, AES-256-GCM authenticated encryption, Web Crypto API — no proprietary black boxes.
Built & used daily
Built to solve the founder's own problem. Used on real finances since 2025. 2,460 merchant patterns. 50+ categories. 39 bank formats.
Australian entity
Registered with ASIC. Subject to the Australian Privacy Act. Database in Sydney. Serving 5 countries.
ABN 21 696 227 746
Ready to take control of your finances — privately?
No account needed. No bank connection. Try it free.