Security

How we protect your financial data.

Last updated: June 10, 2026

Pluto handles sensitive financial data — bank transactions, receipts, invoices, GPS routes, and payroll information. We take that responsibility seriously. This page describes the technical and organisational controls we use to keep your data safe. If you have a security concern, please report it to security@plutosuite.com.

Infrastructure

Pluto runs on Amazon Web Services (AWS) in a private cloud environment. All public-facing traffic passes through Cloudflare before reaching our servers, providing DDoS mitigation, rate limiting, and TLS termination at the edge.

  • Compute: API servers run on isolated EC2 instances managed by the PM2 process manager, with automatic restarts on failure and health monitoring.
  • Database: PostgreSQL with automated daily backups, point-in-time recovery, and backups retained for 30 days.
  • File storage: Receipt images, business logos, and export files are stored in AWS S3 with server-side AES-256 encryption and private bucket ACLs. Time-limited pre-signed URLs are used for all file access — no files are ever publicly accessible by default.
  • Network: Cloudflare handles all public-facing traffic, masking our origin IP addresses and absorbing attack traffic. Rate limiting is applied at both the Cloudflare and application layers.

Encryption

  • In transit: All data between your device and Pluto's servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints — plain HTTP requests are rejected.
  • At rest: Database storage and S3 file storage are encrypted at rest using AES-256.
  • Sensitive fields: Fields containing especially sensitive data (e.g. Plaid access tokens, wage rates) are encrypted at the application layer in addition to disk-level encryption.
  • Backups: Database backups are encrypted before being written to storage and stored in a separate AWS region from the primary data.
  • API tokens: Firebase JWTs are verified server-side on every request using the Firebase Admin SDK. Tokens expire after 1 hour and are silently refreshed by the client. No long-lived API tokens are issued.

Authentication & Session Management

User authentication is managed by Firebase Authentication (Google), a widely audited, SOC 2 Type II-certified identity platform. We do not store or have access to your password at any point.

  • Email/password sign-in with Firebase's secure credential storage and bcrypt hashing
  • SMS two-factor authentication (2FA) — sessions are tied to a hashed, short-lived token stored server-side
  • Face ID / biometric app lock available on the iOS mobile app
  • Firebase ID tokens expire after 1 hour; the client silently refreshes them
  • All API endpoints require a valid Firebase JWT — there are no unauthenticated routes to user data
  • Rate limiting on authentication endpoints: 5 attempts per 15-minute window per IP

Role-Based Access Control (RBAC)

Pluto enforces the principle of least privilege through a five-tier role system. Every API request is scoped to the authenticated user's role, which is resolved from the database on each request — never from a client-supplied header or token claim.

  • Employee — Can upload receipts and track their own trips and shifts. No access to other users' data or financials.
  • Accountant — Read access to all business financial data for reporting purposes. Cannot modify team structure or billing.
  • Manager — Can view and manage all team data, approve timesheets, and invite employees. No billing access.
  • Owner — Full control including billing, team management, and all financial data.
  • Admin — Reserved for authorised Pluto support operations only. Not assignable by customers.

All data is isolated at the database level by businessId. It is architecturally impossible for one business's data to appear in another business's API responses — every query is scoped to the authenticated business context.
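The pattern described above, as an added example that is not Pluto's own code: the caller's role and businessId are resolved from a server-side membership store keyed by the verified uid, request headers such as x-role are ignored, and every query carries the businessId predicate. The `verifyIdToken` stand-in and all data are constructed for illustration (in production the uid would come from the Firebase Admin SDK's verified JWT).

```javascript
// Constructed stand-in for the membership table: uid -> { businessId, role }.
const memberships = new Map([
  ["uid-alice", { businessId: "biz-1", role: "owner" }],
  ["uid-bob", { businessId: "biz-1", role: "employee" }],
  ["uid-carol", { businessId: "biz-2", role: "manager" }],
]);

// Constructed receipt rows; every query below filters on businessId.
const receipts = [
  { id: "r1", businessId: "biz-1", uploadedBy: "uid-bob", amount: 12.5 },
  { id: "r2", businessId: "biz-1", uploadedBy: "uid-alice", amount: 99.0 },
  { id: "r3", businessId: "biz-2", uploadedBy: "uid-carol", amount: 40.0 },
];

// Hypothetical stand-in for the Firebase Admin SDK's verifyIdToken(): here a
// token is simply the string "token:<uid>"; anything else is unauthenticated.
function verifyIdToken(token) {
  const m = /^token:(uid-[a-z]+)$/.exec(token || "");
  if (!m) throw new Error("unauthenticated");
  return { uid: m[1] };
}

// Builds the authorization context for a request. Only the verified uid is
// trusted; client-supplied headers like x-role or x-business-id never
// influence the resolved role or business.
function authorize(req) {
  const { uid } = verifyIdToken(req.headers.authorization);
  const member = memberships.get(uid);
  if (!member) throw new Error("forbidden: no business membership");
  return { uid, businessId: member.businessId, role: member.role };
}

// Lists the receipts the caller may see: always scoped to the caller's
// businessId, and further restricted to their own uploads for Employees.
function listReceipts(req) {
  const ctx = authorize(req);
  return receipts.filter(
    (r) =>
      r.businessId === ctx.businessId &&
      (ctx.role !== "employee" || r.uploadedBy === ctx.uid)
  );
}
```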

Bank Data (Plaid)

Bank account connectivity is provided by Plaid, which is certified under PCI DSS and SOC 2 Type II. When you connect a bank account:

  • You authenticate directly with your bank through Plaid's secure, sandboxed interface — your banking credentials are never transmitted to or seen by Pluto
  • Pluto receives read-only transaction data (amounts, descriptions, dates) via Plaid's API
  • Plaid access tokens are stored encrypted at the application layer and are used only to sync transactions on your behalf
  • You can revoke Pluto's access to your bank at any time from Finance Settings, which immediately calls Plaid's item removal API and permanently revokes the access token

Payment Processing (Stripe)

Subscription billing is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of certification available in the payments industry. Pluto never touches, stores, or transmits raw card numbers. Card data entered at checkout goes directly to Stripe's servers; only a non-sensitive Stripe payment token reaches our systems.

OCR & Receipt Processing

Receipt images are processed by a hybrid OCR pipeline using Google Cloud Vision and Tesseract, running in-process on our API servers:

  • Images are transmitted over TLS to our API, then forwarded to Google Cloud Vision for text extraction
  • Google does not retain receipt images beyond the duration of the API call
  • Extracted text data (merchant, amount, date) is stored in our encrypted database
  • The original image is stored in encrypted AWS S3 with private ACLs
  • Deleting a receipt from the app permanently removes both the database record and the S3 object

GPS & Location Data

Trip GPS data is collected on-device only during active recording sessions and uploaded to our API over TLS when the trip ends. We do not run passive background location tracking.

  • Coordinates are stored as a sequence of lat/lon points linked to your trip record
  • Location data is used only to render your route map and calculate trip distance
  • GPS data is never shared with third parties or used for any purpose beyond your own trip records
  • Deleting a trip permanently removes all associated GPS coordinates from our servers

Vulnerability Management

We take a proactive approach to identifying and addressing security vulnerabilities:

  • Dependencies: Application dependencies are regularly reviewed for known CVEs. Critical vulnerabilities are patched on an emergency basis; high-severity issues are addressed within 7 days of disclosure.
  • Code review: All code changes go through peer review before deployment. Security-sensitive changes (authentication, billing, data access) receive additional scrutiny.
  • Penetration testing: We periodically engage third-party security researchers to test our API and infrastructure. Findings are remediated before public disclosure.
  • Infrastructure patching: OS and runtime patches are applied on a regular cadence. Critical security patches are applied as emergency updates.

Logging & Monitoring

  • All API requests are logged with timestamp, endpoint, HTTP status, and anonymised user context — full request bodies containing financial data are never logged
  • Failed authentication attempts are logged; repeated failures trigger rate limiting and alerting
  • Error rates and server health are monitored continuously with automated alerting for anomalies
  • Sentry is used for real-time crash reporting and error tracking — it does not receive financial data
  • PM2 automatically restarts crashed services and logs crash reports for investigation

Employee & Internal Access

  • Access to production infrastructure requires multi-factor authentication
  • SSH access to production servers is restricted to authorised engineers only, with access logged and auditable
  • Customer financial data is not accessed by Pluto staff except when necessary to investigate a reported issue, and only with appropriate authorisation
  • All team members with access to sensitive systems complete security awareness training and sign confidentiality agreements
  • Access is provisioned on a need-to-know basis and reviewed periodically

Backups & Business Continuity

  • PostgreSQL database is backed up daily with point-in-time recovery enabled
  • Backups are retained for 30 days and stored in a separate AWS region from the primary database
  • AWS S3 versioning is enabled on file storage buckets, protecting against accidental overwrites or deletion
  • Restore procedures are tested periodically to verify backup integrity
  • In the event of a major outage, our target recovery time objective (RTO) is 4 hours

Incident Response

We maintain a documented incident response process. In the event of a confirmed data breach or security incident affecting your personal or financial data:

  • We will notify affected users within 72 hours of becoming aware of the breach — as required under PIPEDA and applicable law
  • We will notify the Office of the Privacy Commissioner of Canada (and other relevant authorities) as required by law
  • Our notification will include: what data was affected, how the incident occurred, what steps we are taking to contain and remediate it, and what you can do to protect yourself
  • A post-incident summary will be published within 14 days describing root cause and corrective actions taken

Subprocessors

Pluto uses the following third-party services (subprocessors) that may process your data on our behalf. Each is bound by a data processing agreement and holds appropriate security certifications:

  • Amazon Web Services — cloud infrastructure (ISO 27001, SOC 2)
  • Cloudflare — CDN and network security (SOC 2 Type II)
  • Firebase / Google — authentication and push notifications (SOC 2 Type II)
  • Google Cloud Vision — OCR processing (ISO 27001, SOC 2)
  • Plaid — bank connectivity (PCI DSS, SOC 2 Type II)
  • Stripe — payment processing (PCI DSS Level 1, SOC 2 Type II)
  • SendGrid / Twilio — transactional email delivery (ISO 27001, SOC 2)
  • Sentry — error monitoring (SOC 2 Type II)

We review our subprocessors periodically and will update this list when we add or remove a provider. If you have questions about a specific subprocessor, contact security@plutosuite.com.

Responsible Disclosure

We welcome reports from security researchers. If you discover a vulnerability in Pluto, please contact us privately before any public disclosure. We commit to:

  • Acknowledging your report within 2 business days
  • Keeping you informed of our investigation and remediation progress
  • Not initiating legal action against researchers who act in good faith and follow responsible disclosure principles
  • Crediting you in any public disclosure, if you wish

Please include in your report: a clear description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept. For sensitive reports, request our PGP key and we will provide it promptly.

Report a vulnerability

security@plutosuite.com

Questions

For general security questions or concerns about how we protect your data:

Security team — 17737734 Canada Inc. (operating as Pluto)

security@plutosuite.com