Security Overview

Last updated: April 10, 2026

We take security seriously. Here's how we protect your data.

Encryption

All data moving between you and us is encrypted using TLS. Your browser shows the lock icon — that's us. Database backups are encrypted. Sensitive data like banking credentials and payment tokens are encrypted at rest.

Infrastructure

Our applications run on modern cloud infrastructure with regular security patching, automated backups, and monitoring. We use established providers with their own physical security, redundancy, and compliance certifications.

Payment security

Credit card processing goes through Stripe, which is PCI Level 1 compliant — the highest level of certification in the payments industry. Card numbers never touch our servers.

Banking data security (Helm)

Bank account connections in Helm go through Teller, a regulated banking data provider. Your banking credentials are never stored on our servers. Teller handles the connection and authentication directly.

Access controls

We limit who can access production systems to the people who actually need to maintain them. We use strong authentication for all internal access. We don't look at your data unless you ask us to as part of a support request or we need to fix something that's broken — and we'll tell you about it when we do.

Monitoring

We monitor our systems for unusual activity and security threats. If something looks wrong, we investigate it immediately. We haven't had a data breach and we work hard to keep it that way.

Backups

Your data is backed up regularly. Backups are encrypted and stored separately from our production systems. If something catastrophic happens, we can restore from backups.

Reporting a security issue

If you've found a vulnerability or experienced a security incident with your account, email hello@turbopuffin.com right away. We'll respond as fast as we can.

If something bad does happen — and we'll do everything we can to prevent it — we'll notify affected customers immediately and be transparent about what happened, what data was involved, and what we're doing about it.
