-
Notifications
You must be signed in to change notification settings - Fork 3.2k
Maybe App Security
At Maybe, we place a high priority on making the app secure and transparent. Our codebase is fully open-source and is auditable by anyone. This document outlines some of the most important areas of security you need to know about before using the Maybe app.
The Maybe app can be run in "self hosted" mode or "managed" mode:
- Managed - the company, Maybe Finance Inc. operates the servers and database and provide a SaaS product for users to interact with
- Self hosted - the user fully controls the server and database and is 100% responsible for securing their own infrastructure
The remainder of this guide is largely applicable to hosted mode
We host our servers and database on Render, and use Cloudflare to mitigate network related security threats.
Render provides:
- SOC 2 Type II compliance with regular independent security audits
- Isolated environments with strict network boundaries
- Automatic DDoS protection for all applications
- Regular security updates and patches
Learn more about Render's security practices on their Security and Trust Page
Cloudflare adds additional security:
- Web Application Firewall (WAF) to protect against common attacks
- DDoS protection at the network level
- SSL/TLS encryption for all traffic
- Rate limiting to prevent abuse
Learn more about what security features Cloudflare offers
At time of writing, the only bank data provider we use is Plaid.
Plaid security features:
- Uses best-in-class encryption (AES-256 and TLS) for all data
- Provides multi-factor authentication for account connections
- Maintains SOC 2 Type 2 and ISO 27001/27701 certifications
- Never sells or rents your financial data to third parties
For more details on Plaid's security practices, visit their Trust and Safety page.
- All data is encrypted at rest on our servers
- Secure connections (HTTPS) protect your data in transit
- Plaid provides end-to-end encryption for financial data
- User passwords and access tokens are securely encrypted in the DB
Maybe offers two-factor authentication (2FA) for additional account security:
- Compatible with standard authenticator apps like Google Authenticator or Authy
- Backup codes provided for emergency access if you lose your device
- Simple setup with QR code scanning
- Can be enabled or disabled from your security settings
We strongly recommend enabling 2FA for all accounts.
We implement several measures to protect your account:
- Secure password reset process
- Email verification for account changes
- Session management to protect against unauthorized access
- Role-based access controls for family members
This section outlines how and what data the Maybe Finance Inc. internal support team can access.
Note: If you are self-hosting Maybe, you own your data. Nobody else can access it.
Production access is limited to Maybe Finance Inc. employees:
- Access is only granted to employees assisting with error resolution and customer support
- Access is limited to the minimal amount of information required
Production data is accessed only under the following scenarios:
- Resolving application errors - When our error monitoring service reports an error, the development team may access minimal and anonymous production data required to resolve the error. Most often, no data access is required.
- When a user opens a support request - If you open a support request, our team will access only the information needed to help you, and only with your explicit consent.
We continuously improve our security measures:
- Regular updates to address potential vulnerabilities
- Proactive monitoring for security threats
- Periodic security reviews of our codebase
- Transparent communication about security changes
For vulnerabilities to the application, researchers should use Github's Security Advisories feature to responsibly and privately disclose security issues with the Maybe app.
WIP Footer
WIP Sidebar