
Security Policy

Last updated: March 2026

Security is not an afterthought at FFFFinance — it is a core design constraint. This page describes how the app protects your financial data, how we handle vulnerability reports, and what you can expect from us when something goes wrong.


Responsible Disclosure

If you discover a security vulnerability in FFFFinance, please report it privately before disclosing it publicly. We take all reports seriously and will respond promptly.

How to report:

What to include:

  • Description of the vulnerability and potential impact
  • Steps to reproduce (proof of concept if possible)
  • Affected versions
  • Any suggested mitigations

What to expect from us:

Timeframe        | Action
Within 48 hours  | Acknowledgement of your report
Within 7 days    | Initial assessment and severity rating
Within 30 days   | Fix released or mitigations communicated
After fix ships  | Credit in CHANGELOG (if you want it)

We ask that you give us a reasonable window to fix the issue before any public disclosure. We will never pursue legal action against good-faith security researchers.


Security Architecture

Local-First by Default

FFFFinance is designed so that no financial data ever leaves your device unless you explicitly enable cloud sync. The app runs entirely locally:

  • SQLite database lives on your machine at ~/.local/share/FFFFinance/finance.db (Linux) or equivalent OS path
  • The app's backend handles all database access — the user interface can only read and write data through a secure internal bridge
  • Network access from the user interface is disabled by default

Content Security Policy

The app enforces a strict Content Security Policy (CSP) that controls which resources can be loaded. In practice this means:

  • No external scripts can be injected into the app
  • No inline scripts are permitted -- all code must come from the app itself
  • Network requests are limited to only the services FFFFinance needs (Akahu and Cloudflare)
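The three guarantees above can be checked mechanically against a CSP string. The following is an added example, not FFFFinance's own code or its actual policy; the Cloudflare sync hostname it allow-lists is a placeholder assumption, and the two sample policies are constructed for illustration.

```javascript
// Added example (not the project's code): parse a Content-Security-Policy
// string and verify the claims this page makes about it: scripts only from
// the app itself, no inline scripts, and network requests confined to an
// allow-list of hosts.

// Hosts the page names as permitted. The Cloudflare hostname is a placeholder
// assumption; a real policy would list the actual sync endpoint.
const APPROVED_HOSTS = ["https://api.akahu.io", "https://sync.example-cloudflare.invalid"];

// Parse "directive src1 src2; directive2 ..." into a Map of directive -> [sources].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Sources that govern a fetch directive: the directive itself, else default-src.
function effectiveSources(directives, name) {
  return directives.get(name) ?? directives.get("default-src") ?? [];
}

// Return a list of findings; an empty list means the policy matches the page's claims.
function checkCsp(policy, approvedHosts = APPROVED_HOSTS) {
  const d = parseCsp(policy);
  const findings = [];
  const scripts = effectiveSources(d, "script-src");
  const connects = effectiveSources(d, "connect-src");

  if (scripts.length === 0) findings.push("script-src missing and no default-src fallback");
  if (scripts.includes("'unsafe-inline'")) findings.push("script-src allows inline scripts");
  if (scripts.includes("'unsafe-eval'")) findings.push("script-src allows eval");
  for (const s of scripts) {
    // Keyword sources ('self', 'none', nonces, hashes) are quoted; anything else is an external origin.
    if (!s.startsWith("'")) findings.push(`script-src allows external origin ${s}`);
  }
  for (const c of connects) {
    if (c === "'self'") continue;
    if (c.includes("*")) findings.push(`connect-src wildcard ${c}`);
    else if (!approvedHosts.includes(c)) findings.push(`connect-src allows unapproved host ${c}`);
  }
  return findings;
}

// Constructed sample policies: a weak one, and the strict form this page describes.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; connect-src *";
const STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self' https://api.akahu.io https://sync.example-cloudflare.invalid; object-src 'none'";

console.log(checkCsp(WEAK_CSP));   // three findings
console.log(checkCsp(STRICT_CSP)); // []
```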

Desktop App Security Hardening

The desktop app follows industry security best practices:

Protection               | What it means
Context isolation        | The user interface and the app's internal engine run in completely separate environments
Sandboxing               | The user interface runs inside an operating system sandbox with limited permissions
No direct system access  | The user interface cannot access files, system commands, or other apps directly
Same-origin policy       | Only requests to approved domains (like Akahu) are allowed
HTTPS only               | All external connections require secure encryption
No experimental features | Only stable, well-tested technologies are used

The user interface can only interact with your data through a tightly controlled set of approved operations -- it has no ability to access arbitrary files or system resources.


Data Encryption

Local Storage

The SQLite database is stored on your local filesystem using standard OS-level file permissions. We recommend:

  • Enabling full-disk encryption on your machine (BitLocker on Windows, FileVault on macOS, LUKS on Linux)
  • Using a strong login password for your user account

A future release will add optional database-level encryption for an additional layer of protection.

Cloud Sync (Optional)

When cloud sync is enabled (Pro and Cloud tiers), data is encrypted in transit and at rest:

  • In transit: All communication with the cloud server uses TLS 1.3 encryption
  • At rest: Cloud data is encrypted using AES-256 (the same standard used by banks)
  • Authentication: API requests are authenticated with a per-user API key, never a shared secret
  • Scope: Only the tables you choose to sync are sent — raw Akahu tokens are never synced to the cloud

Cloud sync is opt-in and can be disabled at any time from Settings. Disabling sync does not delete your cloud data automatically — use Settings → Cloud → Delete cloud data for that.


Akahu Connection Security

FFFFinance connects to your NZ bank accounts via Akahu, a licensed open banking aggregator regulated under New Zealand law.

  • No bank credentials stored: You authorise Akahu through a secure login page in your browser. FFFFinance never sees your bank username or password.
  • Access tokens: Akahu issues a secure access token, which is stored encrypted in your local database. It is never transmitted anywhere except to api.akahu.io.
  • Token scope: Tokens are read-only by default. No write or payment access is requested.
  • TLS: All requests to api.akahu.io are made over HTTPS/TLS 1.3. Certificate pinning (an extra check that verifies the server's identity certificate) is planned for a future release.
  • Revocation: You can revoke FFFFinance's access at any time through your Akahu account settings, independently of the app.

AI Data Handling

Local Inference (Default)

The AI assistant "Freddy" can run entirely on your device. Your financial data is processed locally:

  • No prompts or financial data are sent to any server
  • AI models are downloaded once and stored on your machine
  • Your GPU is used for faster processing when available, otherwise the CPU is used

Cloud AI Fallback (Opt-In)

If you enable the cloud AI tier in Settings, complex queries may be routed to Anthropic or OpenAI APIs:

  • You must explicitly opt in — this is not enabled by default
  • When enabled, query text (not your raw transaction data) is sent to the chosen provider
  • Each provider's privacy policy applies to data they receive
  • The cloud tier uses your own API key, stored locally — MegaSuperSoft does not proxy or log these requests

You can see how each query was processed by checking the badge on Freddy's reply.


Software Updates

  • All software components are version-locked and automatically scanned for known security issues on every build
  • The app is self-contained -- it does not download additional code at runtime
  • The underlying framework is updated regularly to include the latest security patches
  • Builds are automatically blocked if high-severity vulnerabilities are detected

Known Limitations

  • macOS: The app is currently signed for development only, not with a full Apple Developer ID certificate. You may see a Gatekeeper warning on first launch -- this is safe to bypass. A full certificate is on the roadmap.
  • Windows: The app is currently unsigned. Windows SmartScreen may show a warning on first run -- this is safe to bypass.
  • Database encryption: Not yet implemented. We recommend enabling full-disk encryption on your device (see above) as the current protection.

Contact

Security issues: hello@megasupersoft.com
General: ffffinance.org
GitHub: github.com/megasupersoft/FFFFinance