powerhour

Security model

Security controls are designed into the data flow, agent access, and API surface — not added as an afterthought.

AES-256-GCM token encryption

Plaid access tokens are encrypted at rest using AES-256-GCM. Keys never leave the server environment.

Database-layer agent boundaries

Agent tool access is constrained through database views that exclude sensitive columns from AI context.

Layered rate limiting

Independent rate limits on login, chat, reports, and global API traffic prevent abuse at each surface.

Webhook signature verification

Plaid webhooks are verified with JWT signature and body-hash checks before any processing occurs.
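
The following is an added example, not powerhour's own code: a Node.js sketch of the two checks named above, following Plaid's documented scheme (an ES256 JWT in the Plaid-Verification header whose request_body_sha256 claim covers the raw request body). The names verifyPlaidWebhook, getKey, signSample and sampleKeys are hypothetical, and a locally generated P-256 key stands in for the key Plaid serves from /webhook_verification_key/get.

```javascript
const crypto = require('crypto');

const MAX_AGE_SECONDS = 5 * 60; // Plaid advises rejecting webhooks older than 5 minutes
const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8')) || {};

// rawBody must be the exact bytes received, before any JSON parsing.
// getKey(kid) is a hypothetical lookup returning a crypto.KeyObject or null.
function verifyPlaidWebhook(rawBody, jwt, getKey, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(jwt || '').split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed token' };
  let header, claims;
  try {
    header = b64urlJson(parts[0]);
    claims = b64urlJson(parts[1]);
  } catch { return { ok: false, reason: 'malformed token' }; }

  // Pin the algorithm: never let the token choose how it is verified.
  if (header.alg !== 'ES256') return { ok: false, reason: 'unexpected alg' };
  const key = getKey(header.kid);
  if (!key) return { ok: false, reason: 'unknown key id' };

  // JWT ES256 signatures are raw r||s, hence the ieee-p1363 encoding.
  const signatureOk = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!signatureOk) return { ok: false, reason: 'bad signature' };

  if (typeof claims.iat !== 'number' || nowSeconds - claims.iat > MAX_AGE_SECONDS)
    return { ok: false, reason: 'stale token' };

  // Body-hash check: the signed claim must match the bytes actually received.
  const actual = crypto.createHash('sha256').update(rawBody).digest();
  const claimed = Buffer.from(String(claims.request_body_sha256 || ''), 'hex');
  if (claimed.length !== actual.length || !crypto.timingSafeEqual(claimed, actual))
    return { ok: false, reason: 'body hash mismatch' };
  return { ok: true };
}

// Constructed sample: a locally generated P-256 key stands in for Plaid's verification key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
function signSample(body, iat, alg = 'ES256') {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const claims = { iat, request_body_sha256: crypto.createHash('sha256').update(body).digest('hex') };
  const input = `${enc({ alg, kid: 'sample-kid', typ: 'JWT' })}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}
const sampleKeys = (kid) => (kid === 'sample-kid' ? publicKey : null);
```

The handler has to capture the raw request body before a JSON body parser runs, since re-serialized JSON will not reproduce the hash Plaid signed.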

Audit log for security events

Critical account and security events (login, token exchange, deletions) are recorded with IP and timestamp.

Deployer responsibilities

  • Serve the application over HTTPS with a valid TLS certificate.
  • Rotate SESSION_SECRET and Plaid credentials periodically.
  • Keep Node.js and npm dependencies up to date with security patches.
  • Restrict database network access to the application host only.