Mr. Fino

RETURNX EDUMODE LLP

Security

How RETURNX EDUMODE LLP keeps your data safe inside Mr. Fino.

Effective April 30, 2026

1. Overview

Security is the foundation of Mr. Fino. We hold sensitive financial details about you, and we treat that responsibility seriously. This page summarises the controls in place today and where we're headed next.

2. Encryption in transit

Every connection between your browser, our servers and our database is encrypted with TLS 1.2+. The site is served exclusively over HTTPS; plain HTTP requests are upgraded automatically.

3. Encryption at rest

Account and assessment data lives in MongoDB Atlas with encryption at rest enabled at the storage layer. Backups inherit the same encryption.

4. Password storage

We never store your password in plain text. Passwords are hashed with bcrypt using a cost factor of 12, which makes offline brute-force attacks impractical. Even our own engineers cannot read your password.

5. Sessions & authentication

Authentication is handled by NextAuth using signed JSON Web Tokens delivered as HttpOnly, Secure cookies. The token is invisible to client-side JavaScript, which mitigates the impact of any XSS bug. We support email-based password reset with single-use, time-limited tokens.

6. Server-side input validation

Every API endpoint validates the request body against a strict Zod schema before any business logic runs. Dynamic route parameters that reference database records are validated as Mongo ObjectIds to prevent injection attacks.

7. Data isolation

Every authenticated request scopes its database queries to the signed-in user's ID. There is no admin endpoint exposed on the public surface, and direct database access is restricted to a small on-call rotation.
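The two controls in sections 6 and 7 (validate the route parameter as an ObjectId and the body against a strict schema, then scope the query to the signed-in user) combine naturally in one request handler. The following is an added illustration, not Mr. Fino's own code: the function names, the `/api/assessments/[id]` route, the field list and the hand-rolled `validateBody` (standing in for the Zod schema the page mentions, so the snippet runs without dependencies) are all assumptions.

```javascript
// Added example, not RETURNX EDUMODE LLP code. Shows ObjectId validation of a
// dynamic route parameter, strict body validation, and a user-scoped filter.

// A Mongo ObjectId is exactly 24 hex characters. Anything else, including an
// operator object such as {"$ne": null}, is rejected before the query layer.
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;
function isObjectId(value) {
  return typeof value === "string" && OBJECT_ID_RE.test(value);
}

// Hypothetical schema standing in for a Zod object: only these keys, each of
// the given type. hasOwnProperty avoids matching prototype keys like "constructor".
const ASSESSMENT_SCHEMA = { title: "string", score: "number" };
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validateBody(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, error: "body must be an object" };
  }
  for (const key of Object.keys(body)) {            // reject unknown fields
    if (!has(ASSESSMENT_SCHEMA, key)) return { ok: false, error: `unknown field ${key}` };
    if (typeof body[key] !== ASSESSMENT_SCHEMA[key]) return { ok: false, error: `bad type for ${key}` };
  }
  for (const key of Object.keys(ASSESSMENT_SCHEMA)) { // require every field
    if (!has(body, key)) return { ok: false, error: `missing field ${key}` };
  }
  return { ok: true, data: body };
}

// Builds the database call for PATCH /api/assessments/[id] (hypothetical route).
// Returns {status, filter, update} on success or {status, error} otherwise.
// The filter always carries the session user's id, so a well-formed id that
// belongs to another user matches zero documents (section 7, data isolation).
function buildScopedUpdate(session, params, body) {
  if (!session || !session.user || !isObjectId(session.user.id)) {
    return { status: 401, error: "unauthenticated" };
  }
  if (!isObjectId(params.id)) return { status: 400, error: "invalid id" };
  const parsed = validateBody(body);
  if (!parsed.ok) return { status: 400, error: parsed.error };
  return {
    status: 200,
    filter: { _id: params.id, userId: session.user.id },
    update: { $set: parsed.data },
  };
}
```

The check order matters: authentication first, then the cheap syntactic checks, so nothing reaches the database until both the identity and the inputs are known to be well-formed.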

8. Data deletion

You can delete your assessments, personal details, or your entire account from /my/settings at any time. Deletion is permanent and removes data from primary storage immediately; encrypted backups are rotated out within 30 days.

9. Responsible disclosure

Found a vulnerability? Please report it to security@mrfino.com before disclosing publicly. Include reproduction steps and any proof-of-concept code.

We aim to acknowledge reports within 48 hours and resolve verified critical issues within 14 days. We won't pursue legal action against good-faith researchers who follow this process.

10. Roadmap

  • Two-factor authentication for all accounts.
  • Annual third-party penetration test.
  • Public security.txt and bug-bounty programme.

11. Contact

Security questions, audit requests or vendor questionnaires? Reach out — we're happy to help.

RETURNX EDUMODE LLP · Registered office: Chennai, Tamil Nadu, India · hello@mrfino.com