Security

Bank-grade security meets Swiss precision.

wlthy is built in Switzerland — a country whose entire financial reputation rests on discretion, precision and uncompromising data protection. We've engineered the platform to honour that heritage at every layer.

Swiss-built · GDPR-aligned · EU data residency · HSTS preloaded · HTTPS-only

Swiss engineering

Built and operated by a small senior team. Every line of code is reviewed; every release is auditable.

Swiss quality

Predictability over novelty. We ship slowly, test obsessively and keep the surface narrow on purpose.

Uncompromising privacy

We don't sell data. We don't run ads. The product is paid by users, not by their information.

How your data stays yours

Four pillars. No compromises.

Every architectural decision starts with a simple question: does this expose the user's wealth? If the answer is anything but a clean "no", we don't ship it.

Per-record document encryption at rest

Sensitive client material — uploaded statements, contracts and personal documents — is encrypted on a per-record basis with versioned keys. Keys are rotated without re-encrypting your data, and key access is scoped to least-privilege production workflows, never to engineering laptops.

  • AES-128-CBC + HMAC-SHA256 (Fernet) on document content
  • Per-account key derivation with versioned dispatch
  • TLS 1.2+ in transit; HSTS preloaded for two years
  • Refresh tokens are httpOnly cookies; access tokens stay in memory (XSS-safe)
  • Database column-level encryption for the most sensitive fields

Read-only connections

wlthy never moves money. Bank, brokerage, exchange and AI-agent (MCP / API) surfaces are strictly one-way: prices, balances and agent reads flow in, nothing flows out. There is no payment instruction the platform can issue, ever.

  • No payment-initiation scopes, on any integration
  • Exchange + price feeds via Stooq, CoinGecko and the ECB
  • Direct on-chain reads — no custodial action possible
  • MCP / API tokens are read-only, scoped, audit-logged, revocable in one click (Black)
  • Integration tokens are scoped, rotatable and revocable in one click

Strict privacy policy (Swiss standard)

Your data is yours. We don't monetise it, we don't share it with brokers, and we treat data-deletion requests as a serious obligation, not a feature toggle.

  • Zero ad tech, zero behavioural tracking, zero data sale
  • GDPR-aligned data subject rights (access, portability, erasure)
  • Append-only audit log with cryptographic integrity
  • Redundant immutable audit log storage with TLS in transit + at-rest encryption, 365-day retention
  • Strict data-residency commitments under enterprise engagements

Infrastructure & audits

Hosted on hardened EU infrastructure with continuous monitoring, staged deploys and an explicit incident-response runbook. Penetration testing is part of the rhythm, not a one-off photo opportunity.

  • EU-region cloud hosting, encrypted-at-rest backups
  • HSTS preload, strict CSP, frame-ancestors none
  • Daily encrypted Postgres backups with point-in-time recovery
  • Recurring third-party penetration testing & vulnerability scans

Engineering specifics

Defence in depth, made auditable.

Most of our security work is invisible by design — but here's what runs underneath if you want to know.

  • Transport

    TLS 1.2+ everywhere, HSTS preloaded for two years (browser refuses plain HTTP), HTTP/2 + HTTP/3 enabled.

  • Identity

    Argon2id password hashing, optional TOTP 2FA, device-bound refresh tokens with explicit logout.

  • Authorisation

    Per-account row scoping enforced at the query layer — a misrouted request can't leak another client's data.

  • AI Import lifecycle

    Uploaded documents are encrypted at rest on receipt, parsed via Anthropic under enterprise terms (no model training), and wiped from the ingestion store after confirmation or on parse failure. The audit-log entry stays.

  • MCP tokens (Black)

    Read-only by default, scoped per token, revocable in one click from Settings → API. Every Claude / ChatGPT call recorded on the append-only audit log with tool name + timestamp.

  • Headers

    Strict CSP allow-listing only Stripe and our own origin, X-Frame-Options DENY, no Server header advertised.

  • Pipelines

    Every PR runs pip-audit, npm audit, Trivy and gitleaks. A vulnerable dependency or leaked secret blocks the merge.

  • Recovery

    Daily encrypted backups, hourly WAL archiving, restore drills exercised on every release branch.
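
The Transport and Headers claims above are the ones a reader can check from outside, so here is an added example (not wlthy's own code) that audits a response's headers against them. The function names, the host `app.example.test`, the Stripe domain `stripe.com` and both sample responses are assumptions constructed for illustration.

```python
import re

TWO_YEARS = 63072000  # seconds; the page states a two-year HSTS lifetime

def _host(src):
    # Reduce a CSP source expression to a bare host name for comparison.
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", src.lower()).split("/")[0].split(":")[0]
    return host[2:] if host.startswith("*.") else host

def audit_headers(headers, own_host, third_party=("stripe.com",)):
    """Return a list of findings; an empty list means every stated claim holds."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    directives = [d.strip().lower() for d in hsts.split(";")]
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not age or int(age.group(1)) < TWO_YEARS:
        findings.append("HSTS max-age below two years")
    findings += [f"HSTS missing {d}" for d in ("includesubdomains", "preload")
                 if d not in directives]
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a directive wins, as in browsers
            csp.setdefault(tokens[0].lower(), tokens[1:])
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("CSP frame-ancestors is not 'none'")
    allowed = (own_host,) + tuple(third_party)
    for name, sources in csp.items():
        for src in sources:
            host = _host(src)  # quoted keywords such as 'self' are skipped below
            if not src.startswith("'") and not any(
                    host == d or host.endswith("." + d) for d in allowed):
                findings.append(f"CSP {name} allows {src}")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if "server" in h:
        findings.append("Server header is advertised")
    return findings

# Constructed sample responses (not captured from the real site).
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                                   "https://js.stripe.com; frame-ancestors 'none'",
        "X-Frame-Options": "DENY"}
BAD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
       "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                                  "https://cdn.example.net; frame-ancestors 'self'",
       "X-Frame-Options": "SAMEORIGIN", "Server": "nginx"}
```

Feed it the headers of a real response (for example from `curl -sI`) as a dict; scheme-only or wildcard CSP sources such as `https:` or `*` are reported as outside the allow-list.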

Responsible disclosure

Found something? We'll listen.

Security researchers are partners, not adversaries. Reach the security team through our contact form — we triage every report and respond within one business day.