Security
How Ceibaro protects your data
Ceibaro handles sensitive accounts receivable (AR) data for finance teams. These are the controls we have in place. We believe in transparency here: you should know exactly what we do and do not do with your data before you trust us with it.
Data isolation
Every company's data lives in its own isolated workspace using row-level security. No other organization can access your transactions, invoices, match history, or customer alias library. Isolation is enforced at the database layer, not just the application layer.
Encryption in transit and at rest
All data is encrypted in transit using TLS 1.2 or higher. API connections use HTTPS exclusively. Data at rest is encrypted using AES-256. Ceibaro is built on Supabase, which stores data in AWS infrastructure with enterprise-grade encryption.
Bank data: CSV upload only
Ceibaro does not store bank credentials and does not connect directly to your bank accounts. In the current version, you export a CSV from your bank and upload it. You control exactly what you share, and you can review the file before it goes in.
When direct bank connections are added in a future release, they will use read-only access through a regulated open banking provider. No transaction initiation, ever.
Audit trail
Every match decision is logged with the rule that fired it, the confidence score, and the user who approved it. No match posts without explicit user approval. The audit log is permanent and cannot be modified.
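As an added illustration of the two database-layer controls described above (workspace isolation through row-level security, and an audit log that cannot be modified), here is a Postgres/Supabase sketch. It is example code written for this page, not Ceibaro's own schema: the table and column names (company_members, transactions, match_audit) are assumptions, while auth.uid() and the authenticated role are the standard Supabase primitives.

```sql
-- Added example, not Ceibaro's schema. Tables and columns are assumptions.

-- Links an authenticated user (auth.uid()) to the company workspace(s) they belong to.
create table company_members (
  user_id    uuid not null,
  company_id uuid not null,
  primary key (user_id, company_id)
);

alter table company_members enable row level security;
alter table company_members force row level security;

-- A user may only see their own membership rows.
create policy company_members_self on company_members
  for select to authenticated
  using (user_id = auth.uid());

-- Reusable membership check: every workspace policy below delegates to it.
create or replace function is_member_of(target_company uuid) returns boolean
language sql stable security definer as $$
  select exists (
    select 1 from company_members
    where user_id = auth.uid() and company_id = target_company
  );
$$;

-- 1. Workspace isolation on a data table.
create table transactions (
  id         bigserial primary key,
  company_id uuid not null,
  amount     numeric(14,2) not null,
  memo       text
);

alter table transactions enable row level security;
alter table transactions force row level security;  -- also binds the table owner

-- USING filters rows on read/update/delete; WITH CHECK rejects writes into
-- another workspace. Enforced by Postgres, not by application code.
create policy transactions_workspace_isolation on transactions
  for all to authenticated
  using (is_member_of(company_id))
  with check (is_member_of(company_id));

-- 2. Append-only audit trail: rule, confidence score, and approving user.
create table match_audit (
  id          bigserial primary key,
  company_id  uuid not null,
  rule_name   text not null,
  confidence  numeric(5,4) not null check (confidence between 0 and 1),
  approved_by uuid not null,
  approved_at timestamptz not null default now()
);

alter table match_audit enable row level security;
alter table match_audit force row level security;

create policy match_audit_read on match_audit
  for select to authenticated
  using (is_member_of(company_id));

-- The approver is taken from the session, never from a client-supplied value.
create policy match_audit_insert on match_audit
  for insert to authenticated
  with check (is_member_of(company_id) and approved_by = auth.uid());

-- No UPDATE or DELETE policy exists, so RLS already denies both for ordinary
-- roles (default deny). The trigger closes the gap for roles that bypass RLS.
create or replace function reject_audit_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'match_audit is append-only';
end;
$$;

create trigger match_audit_immutable
  before update or delete on match_audit
  for each row execute function reject_audit_mutation();
```

Two design points worth checking in any implementation of this pattern: the membership table must itself be under row-level security (otherwise a user can enumerate every workspace), and "append-only" needs both the absence of UPDATE/DELETE policies and a trigger, since superusers and BYPASSRLS roles are not subject to policies.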
Authentication
Ceibaro uses email and password authentication with optional Google and Microsoft OAuth sign-in. All sessions use secure, rotating tokens. Session tokens are never stored in localStorage.
Access control
Access is gated at the application layer. New accounts require approval before any data can be uploaded or accessed. All user actions are scoped to their company workspace only.
Compliance roadmap
We are working toward SOC 2 Type I certification. We will publish our report when it is complete. In the meantime, we are happy to answer security questionnaires directly. Reach out and we will respond within 48 hours.