Security

Last updated July 4, 2026

Our approach

Hivemind reads sensitive financial information, so security is a first-class part of the product, not an afterthought. We collect the minimum data needed to power your intelligence, encrypt the most sensitive credentials with hardware-backed keys, request read-only access to your accounts, and give you direct control to disconnect or delete your data at any time. This page summarizes the safeguards in place; for the full data-handling detail, see our Privacy Policy.

Encryption at rest

The most sensitive secrets we hold — the access tokens Plaid issues for your connected institutions — are protected with KMS envelope encryption. A unique per-record data-encryption key (AES-256-GCM) encrypts each token, and that key is itself encrypted by a hardware-backed key managed by Google Cloud KMS. Decryption requires authorized service-account credentials, happens only at request time, is never cached in plaintext, and every decryption is audit-logged.

Encryption in transit

All communication between your browser or the app, our servers, and our third-party providers travels over HTTPS using TLS 1.2 or higher. We do not transmit account data over unencrypted channels.

Financial account access is read-only

We connect to your brokerage and investment accounts through Plaid with read-only access. Hivemind cannot initiate trades, transfers, withdrawals, or any other transaction on your accounts. We never receive your banking username, password, or MFA codes — Plaid authenticates directly with your institution and passes us only the resulting account, holdings, and transaction data. You can revoke access at any time from your Settings or directly at my.plaid.com.

Payments

We do not store your payment-card numbers. Web payments are processed by Stripe and in-app purchases are processed by Apple through your Apple ID. Card handling and PCI compliance are managed by those providers; we receive only your subscription status and billing metadata.

Authentication and access control

Accounts are authenticated through Clerk, which supports strong password requirements, social sign-in, Sign in with Apple, and multi-factor authentication. Internally, access to production systems and user data is restricted to the people who need it to operate the Service, under least-privilege service-account credentials, with sensitive operations audit-logged.

Infrastructure

The Service runs on Google Cloud Platform in the United States, using managed, access-controlled databases and key-management services. We rely on GCP's physical and network security for the underlying infrastructure and layer application-level controls on top.

Data retention and deletion

You are in control of your data. Disconnecting an institution calls Plaid's /item/remove endpoint and cascade-deletes the associated holdings, transactions, and access token. Deleting your account — available in the iOS app and on the web — removes your portfolio, preferences, cached briefs, and every connected institution. See the Privacy Policy for retention specifics.

Reporting a vulnerability

We welcome reports from the security community. If you believe you have found a security issue in Hivemind, please email security@hivemind.inc with details and, if possible, steps to reproduce. Please give us a reasonable window to investigate and remediate before public disclosure, and do not access or modify data that is not your own. We appreciate responsible disclosure and will acknowledge valid reports.

Contact

General security questions? Email team@hivemind.inc.