Trust
Security
Mise reads your bank transactions. Here's how we protect them, and what we don't yet have. We aim to be specific.
How we handle your data
In transit
All traffic between you and Mise, and between Mise and our subprocessors (Supabase, Plaid, Anthropic, Stripe, Intuit, Resend, Vercel), runs over TLS 1.2 or newer. Certificates are managed by Vercel and Let’s Encrypt. We don’t allow downgrade to older protocol versions.
At rest
Your data sits in a Supabase Postgres database with disk-level AES-256 encryption. Backups are encrypted with the same standard and stored in the same region (US-east).
On top of that, we encrypt the most sensitive secrets at the application layer before the database ever sees them:
- Plaid access tokens are encrypted with AES-256-GCM before they are written, using a key held in our serverless function environment, not in the database. A database-only compromise yields ciphertext, not a usable token; the key and the stored value only meet inside the function that needs the token.
- QuickBooks OAuth tokens (access and refresh) are encrypted the same way.
In the AI categorization step
When Mise asks Anthropic’s API to propose a category for a transaction, we send the transaction details (date, amount, merchant, description) plus your chart of accounts. The request runs over TLS. Per our agreement with Anthropic, your transaction data isn’t used to train Claude’s general models.
Access controls
- Row-level security (RLS) is enabled on every table in our database, with policies keyed to the authenticated business. A query running as Business A cannot read or modify rows belonging to Business B, because the database enforces the check on every statement rather than relying on application code to add the right WHERE clause.
- Service-role access (the elevated database credential used by our serverless functions, which bypasses RLS) lives only in server-side environment variables. It’s never sent to a browser.
- MFA is required on every admin account that can touch production: Supabase, Vercel, Stripe, Intuit, Plaid, GitHub, our registrar, and our email provider.
- Production access is limited to the founder today. As the team grows, every new operator will go through a documented access-review process.
Plaid and your bank
Mise never sees your banking password. Plaid handles bank authentication in its own session and hands us back a token scoped to read-only transaction data. That token cannot be used to move money, change account settings, or read anything else.
When you disconnect a bank in Mise, the underlying Plaid token is revoked immediately. Plaid stops syncing.
QuickBooks
Mise connects to QuickBooks Online via Intuit OAuth and uses only what it needs: reading the chart of accounts and writing journal entries. We don’t read invoices, bills, customers, or vendor records.
Tokens expire on Intuit’s schedule and we refresh them in the background. You can revoke our access any time from your Intuit account settings — this disconnects Mise from QuickBooks instantly.
Authentication
Customer accounts use Supabase Auth. Passwords are hashed with bcrypt before storage. Sessions are HTTP-only cookies scoped to our app domain.
Two-factor authentication (TOTP via authenticator app) is self-serve in the product at /app/settings/account → Two-factor authentication. We don’t require it by default; we recommend it for any account with QuickBooks or bank connections in production.
What we don’t have yet
We’re a pre-launch product. Things bookkeepers reviewing us for clients will ask about that we don’t have:
- SOC 2 Type II. Not yet. The infrastructure (Supabase, Vercel, AWS underneath) is built on SOC 2-attested providers, but Mise itself hasn’t completed an independent audit. This is on the roadmap for the next 12 months. If a customer requires SOC 2 to evaluate us, email us and we’ll discuss a timeline.
- Third-party penetration test report. We haven’t commissioned one yet. As we onboard non-design-partner customers, we’ll engage a third-party security firm. Founding customers get the report when it lands.
- ISO 27001 / HIPAA / PCI DSS. Not certified to any of these. PCI DSS is largely out of scope: Stripe handles all card data and we never see it. The other two aren’t relevant to our customer base today; we’ll revisit if that changes.
- Status page with uptime history. Currently we rely on email for incident communication. A public status page is on the roadmap.
If you find a security issue
Please report it to hello@miseencomptes.com with “security” in the subject line. We aim to acknowledge within one business day and respond with a plan within five business days.
We don’t yet have a formal bug-bounty program, but we appreciate responsible disclosure and will publicly credit researchers (with their permission) when fixes ship.
What you can do on your end
- Pick a strong password and don’t reuse it. The signup form enforces a minimum of 8 characters; we recommend 16 or more, generated by a password manager.
- Use a unique email for your business accounting tools. If your personal email is breached on some other service, your bookkeeping stays out of it.
- Review the access you’ve granted at Plaid and Intuit periodically. Both have account-level disconnect flows that revoke independently of Mise.