Security and data

Built for trust, without pretending risk is zero.

OpenFolio handles financial records, so the product is designed around user control, limited data collection, account-level separation, and clear incident response. This page explains the controls we use today and the choices you have as a user.

Last updated: 24 May 2026

You choose what to provide

OpenFolio can work from manual records, CSV uploads, or optional platform connections. The dashboard is only as complete as the data you choose to enter, import, or connect.

CSV first, connections optional

You can avoid direct connections entirely and use CSV imports instead. If you do connect a platform, we ask you to use the lowest-risk permissions available, preferably read-only access.

No trading or withdrawal control

OpenFolio is designed for tracking, reporting, and analysis. It is not designed to move money, place trades, or withdraw from connected platforms.

Data choices

What OpenFolio stores

OpenFolio stores the records needed to show your dashboard, imports, calculations, and account preferences. If you do not enter or import a category, OpenFolio does not know it.

  • Account email, display name, and authentication metadata
  • Portfolio records you add or import, such as trades, holdings, balances, dividends, assets, loans, and cash transactions
  • Import batch metadata, such as file source, import time, parser result, and undo history where supported
  • Optional connection metadata and encrypted credentials for supported direct integrations
  • Technical logs needed for security, debugging, fraud prevention, and service reliability

What we try not to collect

  • We do not ask for TFNs, bank login passwords, or card numbers in the portfolio dashboard
  • We do not sell portfolio records or use them for advertising profiles
  • We do not intentionally include sensitive financial values in transactional emails
  • We do not require direct platform connections to use the product

Controls

How we protect account data

Row-level security

User-facing database tables are designed around per-user ownership. Supabase row-level security policies help prevent one user from reading or writing another user's records.

Encrypted transport

Traffic is served over HTTPS. Database and infrastructure providers also use managed encryption controls for data at rest and in transit.

Restricted secrets

Server secrets are kept outside the browser in environment variables. Service-role credentials are reserved for trusted server-side workflows.

Optional connected data

Direct integrations are opt-in. You can revoke credentials at the platform or remove the connection in OpenFolio when you no longer want sync access.

No internet service can guarantee absolute security. We keep the public promise practical: use strong authentication, protect your email account, avoid uploading documents the app does not need, and revoke third-party credentials if you suspect risk.

Data protection

How we protect your data

  • Australian data residency: your data is stored in Australia (AWS Sydney) on managed Postgres.
  • Files are never stored: bank, broker and super statements are parsed in your browser — only the records you import are saved, not the documents.
  • Per-account isolation: row-level security scopes every record to your account, so users cannot access each other's data.
  • Encrypted in transit: all traffic is served over HTTPS with HSTS.
  • Least privilege: administrative database keys are used only on the server, never exposed to the browser.

Imports and connections

Direct connection is optional

CSV

Upload files when you want control over exactly what comes into OpenFolio.

API

Connect supported platforms only if you are comfortable with the requested access.

Manual

Enter approximate or selective records where precision is less important to you.

Your OpenFolio values are records you provide or connect. They may be incomplete, stale, estimated, duplicated, or wrong. Always compare important figures against official broker, bank, super fund, tax, and accountant records before making financial decisions.

Australian privacy

Privacy Act and breach response

How we think about privacy

OpenFolio is designed with Australian privacy expectations in mind, including data minimisation, access control, correction, deletion, and transparent notices. The formal details live in our Privacy and Data Policy and Terms.

If we suspect a serious security incident, we assess it, contain it, and notify users or regulators where required. Under the Notifiable Data Breaches scheme, assessment should be completed as quickly as practical and within the required 30 calendar day assessment period where it applies.

  • Investigate the issue and preserve relevant technical evidence
  • Contain risk by disabling affected features, rotating secrets, pausing imports, or invalidating sessions where needed
  • Assess whether personal information was involved and whether serious harm is likely
  • Notify affected users and regulators where required by Australian law, including the Notifiable Data Breaches scheme
  • Fix the root cause and review controls before restoring normal service

Operations

Emergency security actions

If we reasonably suspect compromise, misuse, credential exposure, legal risk, or a threat to users or the service, we may act quickly. That can include pausing imports, disabling integrations, invalidating sessions, rotating secrets, suspending affected accounts, limiting exports, or temporarily taking parts of the service offline while we investigate.

Disclosure

Report a security issue

If you believe you have found a vulnerability, email security@openfolio.com.au. Please include enough detail for us to reproduce the issue, avoid accessing other users' data, and avoid destructive testing. We aim to acknowledge good-faith reports promptly and prioritise fixes based on risk.