Pluto

Security

How we protect your financial data.

Last updated: March 1, 2026

Pluto handles sensitive financial data — bank transactions, receipts, invoices, GPS routes, and payroll information. We take that responsibility seriously. This page describes the technical and organisational controls we use to keep your data safe.

Infrastructure

Pluto runs on Amazon Web Services (AWS) in a private network environment. All public traffic is proxied through Cloudflare, which provides DDoS protection, rate limiting, and TLS termination at its edge before traffic reaches our servers.

  • Compute: API servers run on dedicated EC2 instances. The application processes are supervised by the PM2 process manager, which restarts them automatically on failure.
  • Database: PostgreSQL with automated daily backups, point-in-time recovery, and backups retained for 30 days.
  • File storage: Receipt images, business logos, and export files are stored in AWS S3 with server-side encryption (AES-256) and private bucket ACLs. Pre-signed URLs are used for time-limited access.
  • CDN & proxy: Cloudflare handles all public-facing traffic, hiding our origin infrastructure and absorbing attack traffic before it reaches our servers.

Encryption

  • In transit: All traffic between your device and Pluto is encrypted with TLS 1.2 or higher. HTTPS is enforced on every endpoint; plain HTTP is not accepted.
  • At rest: Database storage and S3 file storage are encrypted at rest using AES-256.
  • Backups: Database backups are encrypted before being written to storage.
  • API tokens: Firebase JWTs are verified server-side on every request using the Firebase Admin SDK. Tokens are short-lived and automatically refreshed by the client.

Authentication

User authentication is managed by Firebase Authentication (Google), a widely audited identity platform covered by Google's SOC 2 attestation. We do not store passwords ourselves.

  • Email/password sign-in with Firebase's secure credential storage
  • Phone number verification for added identity assurance
  • Face ID / biometric lock (iOS) available for the mobile app
  • Firebase ID tokens expire after 1 hour; the client silently refreshes them
  • All API endpoints require a valid Firebase JWT — there are no anonymous or guest routes to protected data

Role-Based Access Control (RBAC)

Pluto uses a five-tier role system to enforce the principle of least privilege. Every API request is scoped to the authenticated user's role, which is always resolved from the database — never from a client-supplied header.

  • Employee — Can upload receipts and track their own trips and shifts. No access to other users' data.
  • Accountant — Read access to all financial data for reporting. Cannot modify team structure.
  • Manager — Can view and manage all team data, approve timesheets, and invite employees.
  • Owner — Full control including billing, team deletion, and inviting other owners/managers.
  • Admin — Reserved for internal Pluto support operations only.

All multi-tenant data is isolated by businessId. Every query is scoped by the businessId on the authenticated user's record, so records belonging to one business are never returned in another business's API responses.

Bank Data (Plaid)

Bank account connectivity is provided by Plaid, which holds PCI DSS and SOC 2 Type II attestations. When you connect a bank account:

  • You authenticate directly with your bank inside Plaid's hosted sign-in flow; your banking credentials are never transmitted to or stored by Pluto
  • Pluto receives read-only transaction data (amounts, descriptions, dates) via Plaid's API
  • Plaid access tokens are stored encrypted and are used only to sync transactions
  • You can revoke Pluto's access to your bank at any time from the Finance Settings screen, which immediately calls Plaid's item removal API

OCR Processing

Receipt images are processed by a hybrid OCR pipeline that combines Google Cloud Vision and Tesseract. The pipeline runs on our infrastructure; only the Cloud Vision API call leaves it:

  • Receipt images are transmitted over TLS to our OCR sidecar service
  • Google Cloud Vision is invoked for handwriting and complex layout parsing; images are not stored by Google beyond the API call duration
  • Processed text data (merchant, amount, date) is stored in our database; the original image is stored in encrypted S3
  • You can delete any receipt from the app, which removes both the database record and the S3 object

GPS & Location Data

Trip GPS data is collected on-device during active recording sessions and uploaded to our API over TLS when the trip is saved. Location data is:

  • Only collected while an active trip is recording — we do not run background location tracking
  • Stored as a sequence of latitude/longitude coordinates linked to your trip record
  • Used to render your route map and calculate trip distance — not shared with third parties
  • Permanently deleted when you delete the trip

Logging & Monitoring

  • All API requests are logged with timestamp, endpoint, HTTP status, and anonymised user context — but never full request bodies containing financial data
  • Failed authentication attempts are logged and can trigger account lockout
  • Server health and error rates are monitored continuously; on-call alerting triggers for anomalous error rates
  • PM2 process manager automatically restarts crashed services and logs crash reports

Employee & Internal Access

  • Pluto employees with access to production infrastructure require multi-factor authentication
  • Access to production databases is restricted to authorised engineers via audited SSH access
  • Customer financial data is not accessed by Pluto staff except when required to investigate a reported issue, with the user's knowledge where possible
  • All staff with access to sensitive systems complete security training and sign confidentiality agreements

Backups & Recovery

  • PostgreSQL database is backed up daily with point-in-time recovery enabled
  • Backups are retained for 30 days and stored in a separate AWS region
  • S3 file storage has versioning enabled, protecting against accidental deletion
  • We perform regular restore tests to verify backup integrity

Incident Response

We have a documented incident response process. In the event of a confirmed data breach affecting your personal or financial data:

  • We will notify affected users within 72 hours of becoming aware of the breach
  • We will notify relevant regulatory authorities as required by applicable law
  • We will provide a clear description of what data was affected, how it happened, and what steps we are taking
  • A post-incident report will be published to our status page within 14 days

Stripe & Payment Processing

When Stripe payment processing is enabled, all card data is handled exclusively by Stripe, which is a PCI DSS Level 1 certified payment processor — the highest level of certification available. Pluto never touches, stores, or transmits raw card numbers. Stripe's tokenisation means only a non-sensitive Stripe token reaches our servers.

Responsible Disclosure

We welcome reports from security researchers. If you discover a vulnerability in Pluto, please contact us privately before disclosing it publicly. We commit to:

  • Acknowledging your report within 2 business days
  • Keeping you updated on our progress
  • Not taking legal action against researchers who act in good faith and follow responsible disclosure principles
  • Crediting you in any public disclosure (if you wish)

Report a vulnerability

security@plutosuite.com

Please include: a description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code. Encrypt sensitive reports with our PGP key available on request.

Questions

For general security questions: