OwdynOwdynBETA
Public Beta

Owdyn is live — and it's free.

Sign up now and get full Wise access — every feature, no credit card, free for the entire beta.

No card required · Cancel anytime

Security at Owdyn

How we protect your financial data

Last updated: 14 March 2026

Our Security Approach

Encrypted connections

HTTPS/TLS for all data transmission

Secure authentication

Password hashing + OAuth + optional 2FA

Data isolation

Your data separated from other users

Encryption

Encryption in transit

All communication between your browser and Owdyn uses HTTPS with TLS 1.2+ encryption. This protects your data as it travels across the internet.

Encryption at rest

Your data is stored in a PostgreSQL database. Our database provider (Neon) implements AES-256 disk-level encryption at rest to protect stored data from unauthorized access.

Application-layer encryption

For the most sensitive fields, we go further — encrypting data within Owdyn itself using AES-256-GCM authenticated encryption before it is written to the database. This means even at the database layer, the values are unreadable without Owdyn's encryption key.

Fields protected by application-layer encryption:

  • Two-factor authentication (2FA) secrets — the TOTP seed used to verify your authenticator app codes
  • Bank OAuth access tokens — the credentials used to connect to your bank via Akahu (Plus and Wise)

Each encrypted value uses a fresh random IV (initialization vector) and includes a GCM authentication tag, which means any tampering is detected automatically.

Three layers of encryption: Your data is protected in transit (TLS), at rest (AES-256 disk), and at the application layer (AES-256-GCM) for the most sensitive fields.

Authentication & Access

How you sign in

  • Email & Password: Your password is hashed using bcrypt (not stored in plain text)
  • Google OAuth: Sign in with your Google account (we never see your Google password)
  • Two-Factor Authentication (2FA): Optional extra security layer you can enable in Settings

Session management

  • Secure session tokens with 24-hour expiration
  • Trusted device management (30 days) to reduce 2FA prompts on your regular devices
  • Manual logout available at any time
  • Session invalidation on logout

Rate limiting

Authentication endpoints are rate-limited to protect your account from brute-force attacks. Excessive failed login or 2FA attempts are automatically blocked for a cooldown period. Rate limits are enforced via Upstash Redis and apply globally across all devices and IPs.

Your security is a shared responsibility

Use a strong, unique password. Enable 2FA in Settings for extra protection. Keep your email account secure—if someone accesses your email, they can reset your Owdyn password.

Data Storage & Access

Where your data lives

Owdyn is hosted on Vercel with database on Neon (PostgreSQL). Your data is stored in the AWS Sydney region (Australia).

Data isolation

All database queries are filtered by your user ID. This means you can only access your own accounts, transactions, and budgets—never another user's data. Data isolation is enforced at the application level.

SQL injection protection

We use Prisma ORM which uses parameterized queries to prevent SQL injection attacks. This protects against malicious database queries.

Credential management

Database credentials and API keys are stored as environment variables (not in code). When deployed to Vercel, these are encrypted and secured by the hosting platform.

AI Features & Third-Party Data Processing

When you use AI features (like category suggestions or spending insights), Owdyn sends relevant data to Anthropic's Claude API to generate outputs.

What data is sent to Anthropic:

  • Transaction descriptions — sanitised first (emails, phone numbers, card/account numbers, and IRD numbers are stripped before sending)
  • Transaction amounts and income/expense type
  • Available category names (as options for the AI to choose from)
  • Aggregated spending summaries (for insights, only when requested)

What is NOT sent:

  • Your email address or password
  • Payment information (credit card, bank details)
  • Personal identification documents
  • Transaction dates
  • Other users' data

How it's transmitted: All API requests use encrypted HTTPS connections (TLS 1.2+).

Anthropic's data handling: According to Anthropic's Data Processing Addendum:

  • Data is processed only to generate AI responses for you
  • Data is NOT used to train AI models
  • Data is NOT retained long-term on their servers
  • Data is deleted per the retention schedule in their Data Processing Addendum

Subprocessors: Anthropic uses additional service providers to deliver AI services. View the current list at anthropic.com/subprocessors

You control AI usage

  • • All AI features are optional—manual entry is always available
  • • AI suggestions require your confirmation before being applied
  • • You can dismiss any AI-generated insight
  • • If you don't use AI features, no data is sent to Anthropic

Review Anthropic's policies: Anthropic Privacy Policy | Data Processing Addendum

Third-Party Security Certifications

We work with service providers that meet industry security standards and undergo regular independent audits.

Anthropic (AI Provider)

  • SOC 2 Type 2 certified (audited annually by independent third parties)
  • AES-256 encryption for data at rest
  • TLS 1.2+ encryption for data in transit
  • Multi-factor authentication (MFA) for all employee access
  • Annual penetration testing by external security assessors
  • 24/7 security monitoring with SIEM/SOAR tools
  • Role-based access control (RBAC) with least-privilege principles

View certifications: trust.anthropic.com

Stripe (Payment Processor)

  • PCI-DSS Level 1 certified (highest security standard for payment processing)
  • • Handles all payment data securely (we never see card numbers)
  • • Regular security audits and compliance checks
  • • Strong Customer Authentication (SCA) compliant

Vercel & Neon (Hosting/Database)

  • • Enterprise-grade infrastructure on AWS
  • • Encryption at rest and in transit
  • • Data hosted in AWS Sydney data center (Australia)
  • • DDoS protection and network security
  • • Automatic backups and disaster recovery

Note: While we carefully select security-certified providers, we recommend reviewing their current security practices if you have specific compliance requirements. Links to provider security pages are provided above.

Payment Security

All subscription payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor (the highest security standard for payment companies).

What this means for you:

  • • We never see your full credit card number
  • • Stripe handles all payment data securely
  • • We only store a Stripe customer ID (not your payment details)
  • • Payment information is encrypted end-to-end
  • • You can update payment methods through Stripe's secure customer portal

Security Incident Response

We take security incidents seriously and have procedures in place to respond quickly and transparently.

If a breach occurs

In the unlikely event of a security breach affecting your data, we will:

  • Investigate immediately to determine the scope and impact
  • Notify you as soon as reasonably practicable (as required by the NZ Privacy Act 2020) — we target within 72 hours where possible
  • Explain what happened: What data was affected, how it occurred, and what we're doing to fix it
  • Provide guidance on steps you should take to protect yourself
  • Report to the NZ Privacy Commissioner if the breach is likely to cause serious harm, as required by Part 6 of the Privacy Act 2020

If our AI provider has a breach

If Anthropic notifies us of a security breach affecting transaction data you submitted:

  • We'll notify you as soon as possible after we are made aware and have assessed the impact
  • We'll explain what transaction data may have been affected
  • We'll provide guidance on next steps

How to report security concerns

If you believe your account has been compromised or you've discovered a security vulnerability:

Email: support@owdyn.nz
Response time: Priority response within 24 hours

We encourage responsible disclosure and take all security reports seriously.

Important Clarifications

Owdyn is NOT a bank

We're a budgeting tool that helps you track your money. We don't hold, move, or manage your actual money. Your funds stay in your real bank accounts. We're not regulated by the Reserve Bank of New Zealand or other financial regulators.

No system is 100% secure

We continuously work to improve Owdyn's security and use industry-standard practices. However, no system can guarantee absolute security. This is why we recommend you also take security precautions: use strong unique passwords, enable 2FA, keep your email secure, and review your transactions regularly.

How You Can Stay Secure

Security is a partnership between Owdyn and you. Here's how you can protect your account:

✅ Do this

  • • Use a strong, unique password (12+ characters with mix of letters, numbers, symbols)
  • • Enable two-factor authentication (2FA) in Settings
  • • Keep your email account secure with a strong password and 2FA
  • • Log out when using shared or public devices
  • • Review your transactions regularly for unauthorized activity
  • • Update your password immediately if you think it's compromised
  • • Report suspicious activity to support@owdyn.nz

❌ Avoid this

  • • Sharing your password with anyone (including family)
  • • Reusing passwords from other websites or apps
  • • Clicking suspicious links in emails claiming to be from Owdyn
  • • Saving passwords in your browser (use a password manager instead)
  • • Using public Wi-Fi without a VPN
  • • Ignoring security notifications or update prompts
  • • Using simple or obvious passwords like "password123"

Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in Owdyn, we ask that you:

  • Report it to us privately at support@owdyn.nz before public disclosure
  • Include a description of the issue, steps to reproduce it, and the potential impact
  • Give us reasonable time (at least 30 days) to investigate and remediate before disclosing publicly
  • Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability
  • Do not use the vulnerability for any purpose other than reporting to us

Our commitment to good-faith researchers: We will not take legal action against researchers who follow these guidelines and act in good faith. We'll acknowledge your report within 24 hours, keep you informed of our progress, and credit you in our acknowledgements if you wish.

Security Questions or Concerns?

Found a security issue? Have questions about how we protect your data? Contact us:

Contact: support@owdyn.nz

Legal entity: OWDYN LIMITED (trading as Owdyn)

NZBN: 9429053482907

Address: Auckland, New Zealand

Security reports are taken seriously and receive priority response within 24 hours.