Security
Security, explained.
The short version: by default, your core financial file stays on your computer — we don’t host it, upload it, or keep a copy. A few optional features you can switch on (AI categorization, the email inbox, phone access) send limited data off your machine; the Privacy page covers exactly what. Everything below is the architecture that makes the local-first default true.
Last updated: June 8, 2026
Local-first is the foundation
Every transaction, balance, holding, account name, and budget category lives in plain files on your computer — by default at %LocalAppData%/GlidePath Money/. The desktop app reads and writes those files directly. There is no central server with a copy. No aggregator with credentials. No cloud database mirroring your financial files.
This is the deliberate cost and benefit of local-first: you carry the responsibility of backing up your DataFolder, and in exchange you carry the freedom of knowing exactly where your data lives. A short, specific list of things does leave — license checks, update pings, support, and any optional features you switch on — and the Privacy page spells out every one.
What’s encrypted, and how
| Surface | Protection | Why |
|---|---|---|
| Your data files (transactions, balances, holdings, invoices) | Plaintext by default; optional AES-256-GCM encryption at rest | Plain files you can open in Excel — or turn on encryption (Setup → Data security) when you’d rather have them locked on disk. See below. |
| License file on your disk | Encrypted with Windows DPAPI (per-machine, per-user) | License credentials can’t be lifted from your disk by another user on the same machine or by a stolen drive |
| App lock password (if enabled) | Argon2id-hashed; DPAPI-encrypted at rest | Argon2id is the modern KDF (memory-hard, resistant to GPU/ASIC cracking); DPAPI binds the hash to your Windows account |
| Tunnel traffic (phone access via your subdomain) | TLS to Cloudflare’s edge, then a tunnel back to your PC | Your tunnel runs through Cloudflare’s edge, so — like any reverse proxy — Cloudflare can technically see the request contents in transit there. We never store it, and your data folder always stays on your PC. |
| Browser-extension uploads (bank CSVs) | Posted straight from your browser to your local app on localhost — a connection to your own machine that never crosses the network (or through your own tunnel, if you started from your phone) | The bank CSV is captured by the extension on your machine and posted straight to your local app; it doesn’t go through our servers |
| Customer record (license key, email, subdomain, Cloudflare IDs) | Stored in Cloudflare D1 with access scoped to our provisioning Worker | The minimum needed to issue your license (and mark it inactive if the original purchase is refunded) + operate phone access. The same IDs are what we use to remove your subdomain and tunnel when your record is deleted — after a refund or termination, or on request |
Encrypting your data at rest (optional)
By default your data lives as plain files you can open in Excel — that’s the local-first promise. If you’d rather have them locked on disk (so a stolen laptop or another account on your PC can’t read them), turn on encryption in Setup → Data security. Two modes:
- Automatic — your data is encrypted with a key held in your operating system’s keystore (Windows DPAPI / macOS Keychain) and unlocks when you’re signed in to your computer. Nothing extra to type. Protects against another account on the machine or a copied data folder.
- Passphrase — the strongest option. Your data is unreadable without a passphrase only you know (derived with Argon2id), even on a stolen, logged-in laptop. You enter it once each time you start the app. There is no recovery — if you lose the passphrase, the data can’t be decrypted, by design.
Either way it’s reversible, and you can export a plain copy any time — so you never lose the open-in-Excel benefit. Full-disk encryption (BitLocker / FileVault) remains a great whole-machine complement.
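As an added illustration (not GlidePath Money’s own code), here is how the passphrase mode described above fits together in .NET: Argon2id derives the AES-256-GCM key from the passphrase plus a stored salt, only the salt is written to disk, and GCM’s authentication tag makes a wrong passphrase or a tampered file fail outright instead of decrypting to garbage. It assumes .NET 8 and the Konscious Argon2 package; the cost parameters and the sample CSV row are placeholders, not the app’s actual values.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Konscious.Security.Cryptography;   // assumption: the Konscious Argon2 package, .NET 8
// Illustration only, not GlidePath Money's code. Argon2id cost values are placeholders.
static class PassphraseVault
{
    const int MemoryKiB = 64 * 1024, Iterations = 3, Lanes = 4;
    const int SaltLen = 16, NonceLen = 12, TagLen = 16, KeyLen = 32;
    // Argon2id turns the passphrase into the 256-bit AES key. Only the salt is stored,
    // so nothing on disk lets the key be recovered without the passphrase.
    static byte[] DeriveKey(string passphrase, byte[] salt)
    {
        using var kdf = new Argon2id(Encoding.UTF8.GetBytes(passphrase))
            { Salt = salt, MemorySize = MemoryKiB, Iterations = Iterations, DegreeOfParallelism = Lanes };
        return kdf.GetBytes(KeyLen);
    }

    // On-disk envelope: salt | nonce | tag | ciphertext. Fresh salt and nonce per write
    // so a key/nonce pair is never reused under GCM.
    public static byte[] Encrypt(string passphrase, byte[] plaintext)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltLen), nonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] tag = new byte[TagLen], ciphertext = new byte[plaintext.Length];
        using var aes = new AesGcm(DeriveKey(passphrase, salt), TagLen);
        aes.Encrypt(nonce, plaintext, ciphertext, tag);
        return salt.Concat(nonce).Concat(tag).Concat(ciphertext).ToArray();
    }

    // GCM's tag check makes a wrong passphrase and a tampered file both throw
    // (AuthenticationTagMismatchException, a CryptographicException) rather than return garbage.
    public static byte[] Decrypt(string passphrase, byte[] envelope)
    {
        byte[] salt = envelope[..SaltLen], plaintext = new byte[envelope.Length - SaltLen - NonceLen - TagLen];
        ReadOnlySpan<byte> nonce = envelope.AsSpan(SaltLen, NonceLen), tag = envelope.AsSpan(SaltLen + NonceLen, TagLen);
        using var aes = new AesGcm(DeriveKey(passphrase, salt), TagLen);
        aes.Decrypt(nonce, envelope.AsSpan(SaltLen + NonceLen + TagLen), tag, plaintext);
        return plaintext;
    }

    static void Main()
    {
        byte[] file = Encoding.UTF8.GetBytes("Date,Payee,Amount\n2026-06-01,Grocer,-42.17\n"); // constructed sample row
        byte[] blob = Encrypt("correct horse battery staple", file);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt("correct horse battery staple", blob)));
        try { Decrypt("wrong passphrase", blob); }
        catch (CryptographicException) { Console.WriteLine("wrong passphrase: the file stays unreadable, by design"); }
    }
}
```

The same Argon2id derivation, with a stored hash compared in constant time instead of a key fed to AES, is what the app lock described in the next section relies on.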
App lock
The app supports an optional password lock with auto-lock on idle. Set in License > Lock. The password is hashed with Argon2id (memory cost, time cost, and parallelism tuned for desktop hardware) and the resulting hash is DPAPI-encrypted on your disk. Auto-lock kicks in after a configurable idle period; a background heartbeat from active sessions keeps you signed in while you’re using the app.
The Glide AI helper is sandboxed from your data
Glide AI is an optional Q&A panel powered by Claude Haiku (Anthropic). When you ask Glide a question, the request goes to our Worker proxy, which forwards it to Anthropic. We send Anthropic your question text and minimal context (the page you’re on, the current section). We do not send your transactions, balances, holdings, or any data from your DataFolder — the data isn’t available to the Worker; it lives on your computer.
Anthropic processes commercial API traffic per their privacy commitments and does not train on it. See the subprocessors page for full data flow details.
Holdings price refresh
When you refresh prices on the Holdings page, we proxy the lookup through a Cloudflare Worker we run. The Worker calls Yahoo Finance with the ticker symbols you hold and returns the prices. The benefit: Yahoo never sees your IP address, and you don’t need to install any third-party SDK. Only ticker symbols leave your box — never quantities, account names, or your identity.
How we handle TLS to our cloud endpoints
The desktop app makes a small number of HTTPS calls to api.glidepathmoney.com: license verification, optional Glide AI questions, optional ticker-price refresh, and customer-support feedback submissions. The app trusts the operating system’s root certificate store to validate those connections — the same trust store your browser uses for every other site you visit.
We do not pin a specific TLS certificate or public key in the app. The deliberate tradeoff: cert pinning would defeat a corporate or campus proxy that intercepts TLS to inspect traffic (a real but uncommon scenario), but it would also break the app every time we rotate our certificate — and it would lock out customers whose employer-managed laptops cannot reach the internet except through that same proxy. Given local-first architecture, the data exposed to a corporate proxy on our endpoints is small (license key, the text of any AI question you ask, the ticker symbols you hold) and never includes your transactions, balances, account names, or any data from your DataFolder. We judge the operational and accessibility costs of pinning to outweigh the marginal protection it would add over the OS trust store.
If you are on a managed device where TLS inspection is in effect, your IT team can already see this traffic the same way they can see your traffic to GitHub, Slack, or any other SaaS — that’s an artifact of the network you’re on, not of how we’ve built the app. If this is unacceptable for your use case, the local-first deployment supports running entirely on a personal device with no corporate proxy in the path.
Backups are your responsibility
Because your data is on your PC and not in our cloud, you carry backup responsibility. The app ships with an opt-in local auto-backup to a folder you choose; you should also keep an external or cloud backup of your DataFolder (any cloud sync tool you already use works — Dropbox, OneDrive, iCloud, a NAS, etc.). If your PC fails, your data goes with it; we don’t have a copy.
Open-source dependencies and update cadence
GlidePath Money is built on a small, audited set of open-source libraries: ClosedXML, CsvHelper, Argon2 (Konscious), Markdig, PdfPig, and the standard .NET runtime. Full list at /third-party-notices. Library updates ship with each app update during your maintenance window; we monitor disclosed CVEs and patch promptly when one affects a library we use.
Vulnerability disclosure
Found something? Please email [email protected]. We aim to acknowledge reports within two business days and to publish a fix or a remediation plan within 30 days for confirmed issues (longer for complex problems, with regular updates). We do not currently run a paid bug bounty program, but we will publicly credit researchers who report meaningful issues. See /.well-known/security.txt for the machine-readable disclosure policy.
What this page doesn’t cover
This is an overview, not a complete threat model. We do not publish penetration-test reports; we do not hold SOC 2 or ISO 27001 attestations (those frameworks are designed for enterprises that hold customer data — we don’t). For specific security questions before purchase, email [email protected] and we will answer directly.
Related pages
- Privacy Policy — what we do and don’t collect
- Subprocessors — vendors we use and what they touch
- Third-Party Notices — open-source attributions
- security.txt — machine-readable disclosure policy