Security Policy
Last updated: March 2026
Security is not an afterthought at FFFFinance — it is a core design constraint. This page describes how the app protects your financial data, how we handle vulnerability reports, and what you can expect from us when something goes wrong.
Responsible Disclosure
If you discover a security vulnerability in FFFFinance, please report it privately before disclosing it publicly. We take all reports seriously and will respond promptly.
How to report:
- Email: hello@megasupersoft.com with subject line `[SECURITY]`
- GitHub (non-sensitive): Open a Security Advisory on the repository
- PGP-encrypted reports are welcome — contact us first for our public key
What to include:
- Description of the vulnerability and potential impact
- Steps to reproduce (proof of concept if possible)
- Affected versions
- Any suggested mitigations
What to expect from us:
| Timeframe | Action |
|---|---|
| Within 48 hours | Acknowledgement of your report |
| Within 7 days | Initial assessment and severity rating |
| Within 30 days | Fix released or mitigations communicated |
| After fix ships | Credit in CHANGELOG (if you want it) |
We ask that you give us a reasonable window to fix the issue before any public disclosure. We will never pursue legal action against good-faith security researchers.
Security Architecture
Local-First by Default
FFFFinance is designed so that no financial data ever leaves your device unless you explicitly enable cloud sync. The app runs entirely locally:
- SQLite database lives on your machine at `~/.local/share/FFFFinance/finance.db` (Linux) or the equivalent OS path
- The Electron main process handles all database access — the renderer (UI) can only read/write data via a sandboxed IPC bridge
- Network access from the renderer process is disabled by default
Content Security Policy
The Electron renderer window enforces a strict Content Security Policy:
```
default-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' data: https:;
connect-src 'self' https://api.akahu.io https://*.cloudflare.com;
```

External scripts cannot be injected, and inline scripts are not permitted for app code.
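As an added example (not FFFFinance's own code), the following parses a CSP string into a directive map and audits it for the properties the policy above is meant to guarantee; `APP_CSP` is the policy text from this page, and the helper names are ours.

```javascript
// Added example, not FFFFinance's own code: parse a CSP string into a directive
// map and audit it for the properties the policy above relies on. APP_CSP is
// the policy text from this page; any weaker policies you feed in are your own.
const APP_CSP =
  "default-src 'self'; script-src 'self'; " +
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " +
  "font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; " +
  "connect-src 'self' https://api.akahu.io https://*.cloudflare.com";

// "name src src; name src" -> { name: [src, ...] }. Directive names are
// case-insensitive; a repeated directive keeps its first occurrence, as browsers do.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Effective source list for a fetch directive: its own list, else default-src.
function effective(directives, name) {
  return directives[name] || directives['default-src'] || [];
}

// Returns a list of findings; empty means the guarantees stated on the page hold:
// no inline or eval'd app script, no wildcard or scheme-only script origins, and
// network access limited to an explicit, HTTPS-only allowlist.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  if (!('script-src' in d)) findings.push('script-src not set explicitly');
  for (const src of effective(d, 'script-src')) {
    if (["'unsafe-inline'", "'unsafe-eval'", '*', 'https:', 'http:', 'data:'].includes(src)) {
      findings.push(`script-src allows ${src}`);
    }
  }
  for (const src of effective(d, 'connect-src')) {
    if (src === '*' || src === 'https:' || src === 'http:') {
      findings.push(`connect-src allows any origin (${src})`);
    } else if (src.startsWith('http://')) {
      findings.push(`connect-src allows plaintext origin ${src}`);
    }
  }
  return findings;
}
```

In an Electron app a string like `APP_CSP` is normally applied by the main process in a `session.defaultSession.webRequest.onHeadersReceived` handler or via a `<meta http-equiv="Content-Security-Policy">` tag in the renderer's HTML.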
Electron Security Hardening
The app is built with Electron's security best practices:
| Setting | Value | Why |
|---|---|---|
| contextIsolation | true | Renderer and Node contexts are fully separated |
| sandbox | true | Renderer runs in OS-level sandbox |
| nodeIntegration | false | Renderer has no direct Node.js access |
| webSecurity | true | Same-origin policy enforced |
| allowRunningInsecureContent | false | HTTPS strictly required for external requests |
| experimentalFeatures | false | No unstable Chromium features |
The `contextBridge` in `preload.ts` exposes only a whitelist of typed functions — there is no generic `require()` or `fs` access available to the UI layer.
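The following added example (not FFFFinance's own `preload.ts`) shows the allowlist pattern that both the sandboxed IPC bridge under Local-First and the `contextBridge` whitelist described here rely on; the channel names, method names and argument checks are hypothetical, and `ipc` is passed in so the code runs outside Electron against a constructed stub.

```javascript
// Added example, not FFFFinance's own preload.ts: every UI-callable operation is a
// named entry with a fixed IPC channel and an argument check; nothing else is
// reachable from the renderer. In a real preload the returned object would be
// passed to contextBridge.exposeInMainWorld('ffffinance', api).
const isRecord = (v) => typeof v === 'object' && v !== null && !Array.isArray(v);

// Hypothetical channel and method names; the real app's channels are not on this page.
const BRIDGE_API = {
  listTransactions: {
    channel: 'transactions:list',
    validate: (a) => a.length === 1 && isRecord(a[0]),
  },
  addTransaction: {
    channel: 'transactions:add',
    validate: (a) =>
      a.length === 1 && isRecord(a[0]) &&
      typeof a[0].amount === 'number' && typeof a[0].description === 'string',
  },
  getSetting: {
    channel: 'settings:get',
    validate: (a) => a.length === 1 && typeof a[0] === 'string',
  },
};

// Build the bridge object from the allowlist. `ipc` is an ipcRenderer-like object
// with an invoke(channel, ...args) method; it is never exposed to the UI itself.
function createBridgeApi(ipc) {
  const api = {};
  for (const [method, { channel, validate }] of Object.entries(BRIDGE_API)) {
    api[method] = (...args) => {
      // Reject malformed calls in the preload, before they cross into the main process.
      if (!validate(args)) throw new TypeError(`${method}: invalid arguments`);
      return ipc.invoke(channel, ...args);
    };
  }
  // Frozen: the UI cannot attach new methods or swap in a raw channel sender.
  return Object.freeze(api);
}

// Constructed stand-in for Electron's ipcRenderer that records what it is asked to do.
function makeIpcStub() {
  const calls = [];
  return {
    calls,
    invoke: (channel, ...args) => { calls.push({ channel, args }); return { ok: true }; },
  };
}
```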
Data Encryption
Local Storage
The SQLite database is stored on your local filesystem using standard OS-level file permissions. We recommend:
- Enabling full-disk encryption on your machine (BitLocker on Windows, FileVault on macOS, LUKS on Linux)
- Using a strong login password for your user account
A future release will add optional SQLite-level encryption via sqlcipher for an additional layer of protection.
Cloud Sync (Optional)
When cloud sync is enabled (Pro and Cloud tiers), data is encrypted in transit and at rest:
- In transit: All communication with the Cloudflare Worker uses TLS 1.3
- At rest: Data is stored in Cloudflare D1 (SQLite-compatible) — Cloudflare encrypts data at rest using AES-256
- Authentication: API requests are authenticated with a per-user API key, never a shared secret
- Scope: Only the tables you choose to sync are sent — raw Akahu tokens are never synced to the cloud
Cloud sync is opt-in and can be disabled at any time from Settings. Disabling sync does not delete your cloud data automatically — use Settings → Cloud → Delete cloud data for that.
Akahu Connection Security
FFFFinance connects to your NZ bank accounts via Akahu, a licensed open banking aggregator regulated under New Zealand law.
- No bank credentials stored: You authorise Akahu via their OAuth flow in a system browser window. FFFFinance never sees your bank username or password.
- Access tokens: Akahu issues a user access token, which is stored encrypted in your local SQLite database. It is never transmitted anywhere except to `api.akahu.io`.
- Token scope: Tokens are read-only by default. No write or payment access is requested.
- TLS: All requests to `api.akahu.io` are made over HTTPS/TLS 1.3. Certificate pinning is planned for a future release.
- Revocation: You can revoke FFFFinance's access at any time through your Akahu account settings, independently of the app.
AI Data Handling
Local Inference (Default)
The AI assistant "Freddy" runs models on your device using node-llama-cpp. Your financial data is processed entirely locally:
- No prompts or financial data are sent to any server
- Models are downloaded once and stored locally — typically under `~/.local/share/FFFFinance/models/`
- GPU acceleration (CUDA/Vulkan/Metal) is used where available, falling back to CPU
Cloud AI Fallback (Opt-In)
If you enable the cloud AI tier in Settings, complex queries may be routed to Anthropic or OpenAI APIs:
- You must explicitly opt in — this is not enabled by default
- When enabled, query text (not your raw transaction data) is sent to the chosen provider
- Each provider's privacy policy applies to data they receive
- The cloud tier uses your own API key, stored locally — MegaSuperSoft does not proxy or log these requests
You can check which tier handled any query via the Freddy panel's debug mode.
Dependency Management
- Dependencies are pinned in `package-lock.json` and audited with `npm audit` on every CI build
- `electron-builder` produces self-contained builds — no live dependency fetching at runtime
- Electron is updated on a regular cadence to stay within the supported release window
- The GitHub Actions release workflow runs `npm audit --audit-level=high` and will fail the build if high-severity vulnerabilities are found
Known Limitations
- The app is currently code-signed on macOS for development only, not with a Developer ID certificate. macOS users will see a Gatekeeper warning on first launch. A Developer ID certificate is on the roadmap.
- Windows builds are currently unsigned. SmartScreen may warn on first run.
- SQLite-level encryption is not yet implemented (filesystem encryption is the current mitigation).
Contact
Security issues: hello@megasupersoft.com
General: ffffinance.org
GitHub: github.com/megasupersoft/FFFFinance