Your data is yours. Your ideas are yours. We built every layer of Uprealm around that principle — not as a feature, but as the foundation.
AES-256-GCM · PBKDF2 · Per-Member Keys
Your sensitive financial data — merchant names, account identifiers, institution details — is encrypted in your browser before it ever reaches our servers. We use AES-256-GCM, the same encryption standard trusted by financial institutions and government agencies worldwide.
Each member has a unique encryption key derived from their authentication credentials. This key exists only in your browser session and is never transmitted, stored, or accessible to anyone — including us. When you close your browser, the key is gone.
What this means: Even with full access to our database, no one — not our team, not a potential attacker — can read your personal financial information. They would see only encrypted data with no means to decrypt it.
How your data flows
Your Bank
Financial institution
TLS 1.3
Plaid
Secure bridge
API
Your Browser
Data arrives here
AES-256-GCM Encryption
Your unique key · Generated in browser · Never transmitted
Encrypted Data
Unreadable cipher text
HTTPS
Our Servers
Store only cipher text
HTTPS
Your Browser
Decrypted with your key
We Can't See Your Data — By Design
This isn't a policy decision — it's an architectural one. We deliberately designed our systems so that we do not have the ability to view your personal financial data. No employee, no system, no process within Uprealm can access the content of your encrypted information.
Your financial data is stored in a dedicated, isolated environment that is physically separated from our internal operations. Administrative credentials for this environment exist only in the production runtime — they are not stored in our development systems, internal tools, or anywhere accessible to our team.
Member-to-Member · Member-to-Staff
Every member's data exists in complete isolation, enforced at the database level. Row-level security policies ensure that your authenticated session can only access your own data. This is not application logic that could be bypassed — it is a database-level architectural constraint that applies to every query, every time.
No other member can see your data. No internal process can cross member boundaries. Each member's encrypted data is accessible only through their own authenticated, encrypted session.
Passwordless · TOTP · Invitation-Only
Access to Uprealm requires two independent verification factors. First, a magic link sent to your verified email — no passwords to steal, phish, or guess. Second, a time-based one-time password from your authenticator app, verified on every login.
Access is invitation-only. Only pre-approved email addresses can authenticate. There is no public registration, no self-signup, and no way to request access through the platform itself.
Plaid · Tokenized · Revocable
Bank connections are facilitated through Plaid, used by thousands of financial institutions worldwide. We never see, handle, or store your banking credentials. Plaid connects directly to your bank through their secure infrastructure.
Connection tokens are encrypted with a separate server-side encryption layer before storage. You can disconnect any financial account instantly through your dashboard, which immediately revokes access — we lose the ability to reach your financial institution the moment you disconnect.
Plaid · SOC 2 · SSAE 18 · Industry Standards
We build on infrastructure and partners that meet the highest compliance standards in the industry. Here is what underpins our security posture:
Plaid — Financial Data Infrastructure
All financial account connections are powered by Plaid, a financial data platform used by over 12,000 financial institutions including major banks, fintech companies, and investment platforms. Plaid maintains SOC 2 Type II and SSAE 18 compliance, undergoes regular third-party security audits, and is subject to financial regulatory oversight. Your banking credentials are handled exclusively by Plaid — we never see, transmit, or store them.
Database Infrastructure — Supabase
Our database layer runs on Supabase, built on PostgreSQL with SOC 2 Type II compliance, automated backups, point-in-time recovery, and encryption at rest via AES-256. Row-level security policies enforce data isolation at the database engine level — not at the application layer.
Application Infrastructure — Vercel
Our application platform maintains SOC 2 Type II compliance with edge deployment across a global network. All traffic is encrypted via TLS 1.3, with automatic certificate management and DDoS protection at the network edge.
Our Additional Measures
Beyond our providers' compliance, we implement additional security layers: application-level AES-256-GCM encryption for sensitive data, per-member encryption keys derived from authentication credentials, zero-knowledge architecture where we cannot access member financial data even with full database access, and comprehensive audit logging for all system operations.
SOC 2 · TLS · Zero Trust
Our infrastructure runs on enterprise-grade platforms with SOC 2 Type II compliance, automatic failover, and continuous monitoring. All data in transit is protected by TLS 1.3 encryption. All data at rest is encrypted at the infrastructure level — in addition to our application-level encryption.
We operate on a zero-trust model — no entity, internal or external, is trusted by default. Every request is authenticated, every connection is verified, and every action is logged. Our systems are designed to fail safely: if any component is compromised, the blast radius is contained.
Legal Protection From Day One
Every member relationship begins with a mutual NDA — legally binding protection for both parties before any information is exchanged. Your ideas, your business details, and your personal information are protected by law from the moment you join.
This is mutual by design. We hold ourselves to the same standard we ask of you.
Access · Export · Delete · Disconnect
You can disconnect financial accounts, export your data, or request complete deletion at any time. When you disconnect an account, access is revoked immediately. When you request deletion, all data is permanently removed within 30 days — encrypted data, metadata, everything.
We don't hold your data hostage. We don't make it difficult to leave. Your data is yours — always.
Security is not a checkbox for us. It is the reason people trust us with their ideas, their finances, and their ambitions. We invest in it continuously and hold ourselves to standards that exceed what most platforms offer.
We are committed to regular security assessments, including third-party penetration testing, to ensure our systems remain resilient against evolving threats. If you have security concerns or questions, we welcome them.
Contact us: hello@uprealm.io
Uprealm LLC · Los Angeles, California