Security at Worth

Your financial data is the most sensitive data you have. Here's how we protect it.

Local-first architecture

Your database runs on your machine. In the self-hosted version, no financial data ever leaves your device. There is no cloud we could breach because there is no cloud.

Encrypted connections

All bank connections go through Plaid using 256-bit AES encryption and TLS 1.2+. Worth never sees or stores your bank login credentials — Plaid handles authentication directly with your institution.

Hashed passwords

Your vault password is stored as a bcrypt hash with a cost factor of 10. Even if someone accessed your database file, the hash cannot be reversed to recover the password.
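One check a reviewer of a self-hosted install would want is that every stored hash really is bcrypt at the stated cost, not a legacy low-cost hash or a plaintext value left over from a migration. The following is an added example, not Worth's code: it parses bcrypt's modular-crypt string format (`$2b$10$` followed by a 22-character salt and a 31-character digest) and flags anything below the expected cost. Hashing and verification themselves are done by a bcrypt library and are not shown here; the sample store and its hash strings are constructed and are not hashes of any real password.

```javascript
// Added example (not Worth's code): validate the format of stored bcrypt
// hashes and confirm each one was produced with the expected cost factor.
// The hash strings below are constructed to match bcrypt's format only.

const BCRYPT_ALPHABET = '[./A-Za-z0-9]';
// Modular crypt format: $<version>$<cost>$<22-char salt><31-char digest>
const BCRYPT_RE = new RegExp(
  `^\\$(2[abxy]?)\\$(\\d{2})\\$(${BCRYPT_ALPHABET}{22})(${BCRYPT_ALPHABET}{31})$`
);

// Cost factor the page states for the vault password (work factor 2^10).
const EXPECTED_COST = 10;

// Returns { version, cost, salt, digest } or null if the string is not bcrypt.
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  return { version: m[1], cost: Number(m[2]), salt: m[3], digest: m[4] };
}

// Audit a map of user -> stored hash; an empty result means every entry passes.
function auditStoredHashes(hashes, minCost = EXPECTED_COST) {
  const problems = [];
  for (const [user, hash] of Object.entries(hashes)) {
    const parsed = parseBcryptHash(hash);
    if (!parsed) {
      problems.push(`${user}: not a bcrypt hash (plaintext or other algorithm?)`);
    } else if (parsed.cost < minCost) {
      problems.push(`${user}: cost ${parsed.cost} is below the required ${minCost}`);
    }
  }
  return problems;
}

// Constructed sample store: a cost-10 entry, a legacy cost-4 entry, and an
// unhashed value. Salt and digest characters are arbitrary, not real output.
const SAMPLE_SALT = 'AbCdEfGhIjKlMnOpQrStUv';            // 22 chars
const SAMPLE_DIGEST = '0123456789abcdefghijklmnopqrstu'; // 31 chars
const SAMPLE_STORE = {
  alice: `$2b$10$${SAMPLE_SALT}${SAMPLE_DIGEST}`,
  bob: `$2b$04$${SAMPLE_SALT}${SAMPLE_DIGEST}`,
  carol: 'hunter2',
};

console.log(auditStoredHashes(SAMPLE_STORE));
```

Run against a real database export, this reports two kinds of findings: entries that were never hashed, and entries hashed at a cost lower than the one the page promises. Raising the cost for those requires rehashing on the user's next successful login, since the original password is not recoverable from the old hash.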

Zero-knowledge AI

The AI Assistant receives only aggregated monthly summaries — never raw transactions, merchant names, or account numbers. Your conversation is sent to Anthropic's API with your own key; we never see it.
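The data-minimization step described above, reducing raw transactions to monthly aggregates before anything is sent to the model, is shown below as an added example that is not Worth's code. The transaction field names (`merchant`, `account`, `category`) are assumed for illustration rather than taken from Worth's schema, and the sample transactions are constructed. The payload builder refuses to return a summary if any identifying field survives aggregation, so a future schema change cannot silently leak raw data.

```javascript
// Added example (not Worth's code): collapse raw transactions into per-month
// totals by category, then verify nothing identifying remains before the
// summary is handed to an AI API.

// Constructed sample transactions; field names are assumptions, not Worth's schema.
const RAW_TRANSACTIONS = [
  { date: '2024-03-02', amount: -42.17, merchant: 'Corner Grocer', category: 'Groceries', account: '****4321' },
  { date: '2024-03-05', amount: 3100.0, merchant: 'ACME Payroll', category: 'Income', account: '****4321' },
  { date: '2024-03-14', amount: -89.99, merchant: 'Power & Light Co', category: 'Utilities', account: '****4321' },
  { date: '2024-04-01', amount: -12.5, merchant: 'Corner Grocer', category: 'Groceries', account: '****9876' },
];

// Keys that must never appear anywhere in the outgoing payload.
const FORBIDDEN_FIELDS = new Set(['merchant', 'account', 'description', 'id']);

function round2(n) {
  return Math.round(n * 100) / 100;
}

// Keep only month, category and sums; merchant and account are dropped.
function monthlySummary(transactions) {
  const months = {};
  for (const tx of transactions) {
    const month = tx.date.slice(0, 7); // 'YYYY-MM'
    const m = months[month] || (months[month] = { income: 0, spending: 0, byCategory: {} });
    if (tx.amount >= 0) m.income = round2(m.income + tx.amount);
    else m.spending = round2(m.spending - tx.amount);
    m.byCategory[tx.category] = round2((m.byCategory[tx.category] || 0) + tx.amount);
  }
  return months;
}

// Walk a payload of any depth and list the paths of forbidden keys.
function findForbiddenFields(value, path = '') {
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([k, v]) => {
    const here = path ? `${path}.${k}` : k;
    return FORBIDDEN_FIELDS.has(k) ? [here] : findForbiddenFields(v, here);
  });
}

// Build what the assistant receives; throw rather than send if anything leaks.
function buildAssistantPayload(transactions) {
  const summary = monthlySummary(transactions);
  const leaks = findForbiddenFields(summary);
  if (leaks.length) throw new Error(`refusing to send: ${leaks.join(', ')}`);
  return summary;
}

console.log(JSON.stringify(buildAssistantPayload(RAW_TRANSACTIONS), null, 2));
```

The summary still carries category names and month-level totals, which is what a budgeting assistant needs; what it no longer carries is anything that could identify a counterparty or an account. Running `findForbiddenFields` on the raw input shows the contrast: it reports `merchant` and `account`, while the aggregated output reports nothing.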

API key isolation

Plaid tokens, exchange API keys, and the Anthropic key are stored in .env.local (self-hosted) or encrypted at rest (Pro). They are never exposed to the browser or included in client-side bundles.
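A practical way to hold the "never included in client-side bundles" claim to account is to scan the built bundles for the secret values in `.env.local` before deploying. The block below is an added example and not Worth's code: it parses a constructed `.env.local`, treats variables without a browser-public prefix as secrets (the `NEXT_PUBLIC_` convention is an assumption about the framework, not something the page states), and reports any secret whose value appears verbatim in a bundle. The bundle snippets and variable names are constructed placeholders.

```javascript
// Added example (not Worth's code): parse a .env.local file and scan built
// client bundles for its secret values, so a key that was accidentally
// imported into browser code is caught before it ships.
// All file contents below are constructed; no real keys appear here.

const ENV_LOCAL = `
# constructed .env.local, not a real configuration
PLAID_CLIENT_ID=plaid-client-id-placeholder
PLAID_SECRET="plaid-secret-placeholder-0001"
ANTHROPIC_API_KEY=sk-ant-placeholder-0002
NEXT_PUBLIC_APP_NAME=Worth
`;

// Minimal dotenv-style parser: KEY=VALUE lines, optional quotes, # comments.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted) value = value.slice(1, -1);
    out[key] = value;
  }
  return out;
}

// Variables intended for the browser. The NEXT_PUBLIC_ prefix is an
// assumption about the build tooling, not something the page specifies.
function isPublicVar(name) {
  return name.startsWith('NEXT_PUBLIC_');
}

// Return { name, file } for every secret whose value appears in a bundle.
// Very short values are skipped because they would match by coincidence.
function findLeakedSecrets(env, bundles, minLength = 8) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    if (isPublicVar(name) || value.length < minLength) continue;
    for (const [file, source] of Object.entries(bundles)) {
      if (source.includes(value)) leaked.push({ name, file });
    }
  }
  return leaked;
}

// Constructed bundle snippets: one clean, one that inlined the Anthropic key
// by importing a server-only module from a client component.
const BUNDLES = {
  'static/chunks/app.js': 'fetch("/api/chat",{method:"POST"});const appName="Worth";',
  'static/chunks/settings.js': 'const client=new Anthropic({apiKey:"sk-ant-placeholder-0002"});',
};

console.log(findLeakedSecrets(parseDotenv(ENV_LOCAL), BUNDLES));
```

Wired into CI after the production build, a non-empty result fails the pipeline; in this constructed case it points at `settings.js` holding the Anthropic key, which means the chat call should be moved behind a server route that reads the key from the environment.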

Open source

Every line of Worth's code is in your repository. You can audit the entire application, verify what data flows where, and modify anything you're uncomfortable with. No black boxes.