Security
Your password never leaves your browser.
We use Argon2id to derive an authentication token from your password in your browser. Only the derived token reaches our servers — never the password itself. Your data is encrypted with a separate key, also derived locally, that we never see.
The problem
What is open banking — and why doesn't Comma use it?
Most finance apps connect directly to your bank — either by asking for your bank login or by plugging into a third-party "connection" service in the background. Either way, the result is the same: someone other than you ends up with ongoing, readable access to your complete financial history.
How other apps work
Your bank
Holds all your transactions
↓
Third-party provider
Reads everything you spend
↓
The app's servers
Keeps a copy on their servers
How Comma works
You export a CSV
A file on YOUR computer. No credentials shared.
↓
Your browser encrypts it
Locked with your password before it leaves your device
↓
Encrypted file stored
We can see data exists. We can't read it.
The difference isn't a policy. It's architecture. Other apps promise not to misuse your data. Comma can't access it at all — the maths won't let us.
Architecture
How your data flows through Comma — step by step.
Every step is designed so your readable money data never leaves your device.
CSV Import
Your device
You export a CSV from your bank — a file on your computer. Comma reads it inside your browser. The raw data never leaves your machine.
✓ File read inside your browser — never uploaded as plain text
✓ Auto-detection of 56 bank formats across 5 countries
✓ Parsed, categorised, and shown entirely on your device
Encryption in your browser
Your device
Argon2id derives an authentication token and a wrapping key from your password — entirely in your browser. The data encryption key (DEK) is generated on your device and wrapped with the wrapping key. Only the wrapped DEK and the auth token leave your browser. Your password itself never reaches our servers, in any form.
✓ Argon2id (memory-hard) for password-derived keys — 32 MiB memory per attempt
✓ AES-256-GCM data encryption — authenticated, tamper detection
✓ AES-KW wrapped data key — server stores only the wrapped form
✓ Auth token bcrypt-hashed (cost-12) before storage — defence in depth
✓ Verified by an end-to-end CI test that asserts no plaintext password ever appears in any auth-related network request
Supabase Storage
Server
Your encrypted data is stored on Supabase, a managed database service hosted in Sydney. Each account can only access its own data. We can see the data is there — we can't read what's inside.
✓ SOC 2 Type II compliant infrastructure
✓ Each user's data fully isolated at the database level
✓ Sydney region — data stays in Australia
Stripe Payments
Separate
Stripe handles every payment. Your card details never touch our servers. Payment information is kept completely separate from your money data.
✓ PCI DSS Level 1 — highest level of payment security
✓ Zero overlap with your financial transaction data
Vercel Hosting
Edge
The marketing site and app are deployed on Vercel's edge network with Sydney as the primary region. Cookie-free analytics only — no tracking pixels, no fingerprinting.
✓ Edge network — fast global delivery, Sydney primary
✓ Cookie-free analytics — no tracking cookies or fingerprinting
✓ No server-side processing of financial data
AI Providers
Optional
Bring your own API key for Claude, ChatGPT, or Gemini. Your browser talks directly to the provider you chose — Comma is never in the middle. Your prompts, your responses, and your key never touch our servers.
✓ Your browser talks directly to the AI provider — no Comma proxy
✓ API key stays on your device — never synced to our servers
No hand-waving
What our infrastructure can see.
Your password and encryption keys never reach our servers. Your transaction content stays encrypted. But we still want to be specific about the metadata we do see — because it isn't nothing, and pretending otherwise would be dishonest.
Account
Your email address
For login lookup, account management, and support correspondence.
Account
Signup date and account status
The fact that you have an account, when you created it, and which tier you're on.
Sync
Size and timing of encrypted uploads
We can see that you uploaded an encrypted blob of N kilobytes at a particular time. We can't see what's inside it.
Payment
Payment metadata via Stripe
Transaction amount, date, and last four digits of your card — required for refunds and customer service. Full card details never touch our servers.
Security
IP address at login
For abuse prevention, rate limiting, and unusual-login alerts.
Support
Anything you send us
Support correspondence you send via email or our contact form is stored so we can reply and resolve issues.
What we can't see: your password, your encryption keys, and the actual financial content. Your transactions, categories, goals, account names, balances, and net worth history are encrypted with a key derived from your password. Without that password — which never reaches us — the data is computationally infeasible to decrypt.
Real questions
The questions worth asking before you trust any app with your finances.
Don't take our word for it. Ask these of every finance app.
Scenario
What if Comma is breached?
An attacker gets encrypted files — scrambled data that can't realistically be unscrambled without your password. There is no master key, no backdoor, no admin panel. The architecture makes a data breach a non-event for your financial privacy.
Scenario
What if I forget my password?
We cannot recover your data. That's the point. If we could recover it, so could an attacker. Free tier data lives in your browser. Pro tier encrypted data requires your password — always.
Scenario
What if someone steals my laptop?
Free tier data lives in your browser, protected by your operating system login. Pro tier data requires your Comma password to unlock — even with full access to the browser, the encrypted files are unreadable without it.
Scenario
Can Comma employees read my data?
Not your transaction content. Your password and encryption keys never reach our servers — they stay in your browser, derived locally with Argon2id. The server stores encrypted blobs and a bcrypt hash of an authentication token. Staff CAN see metadata (email, signup date, sync timing) — see "What our infrastructure can see" above. The financial content stays encrypted.
Scenario
What about the AI feature?
AI requests go from your browser directly to your chosen provider (Anthropic, OpenAI, or Google). Comma's servers never see this data. You choose the provider, bring your own API key, and can disable the feature entirely.
Scenario
Can a government demand my data?
They can demand what we have — encrypted files. We cannot comply with a request to produce readable financial data because we don't hold the keys. We'd hand over scrambled data. They'd need your password.
Our commitments
What we never do.
Not "we try not to" — never. These are design decisions, not policies.
Never connect to your bank. CSV only. No open banking, no credentials — ever.
Never store readable transactions. Only encrypted files. Your readable data never leaves your device.
Never sell, share, or monetise your data. Revenue comes from software sales — one-time purchases.
Never run ads. No advertisers, no sponsored categories, no "partner" offers.
Never use tracking cookies. Cookie-free analytics only. No fingerprinting.
Never log AI conversations. Your browser talks directly to the provider you chose — Comma sees nothing.
Never store your AI API key on our servers. It stays in your browser only.
Never hand over readable data — even when compelled. Law enforcement requests get encrypted blobs. We couldn't decrypt them for anyone.
Don't trust our claims. Verify our architecture.
Every layer of Comma's security is documented on this page — from how we read your CSV to the exact protocol used at sign-up, sign-in, and password change. No black boxes. If you're a security researcher, we welcome the conversation.
Responsible disclosure welcome
Why trust Comma
Trust signals.
Transparent Architecture
Every encryption decision documented. Industry-standard cryptography — Argon2id for password-derived keys, AES-256-GCM for data, AES-KW for key wrapping, bcrypt for the auth token. No proprietary black boxes.
Built & used daily
Built to solve the founder's own problem. Used on real finances since 2025. 2,460 merchant patterns. 50+ categories. 56 bank formats.
Australian entity
Registered with ASIC. Subject to the Australian Privacy Act. Database in Sydney. Serving 5 countries.
ABN 21 696 227 746
Ready to take control of your finances — privately?
Sign up free. No bank connection. CSV in, dashboard out — in under a minute.