Security & Privacy

Your financial data is protected by architecture, not just policy

We didn't bolt security on after the fact. Every piece of Vectrly's architecture was designed from day one to ensure your financial data stays yours — isolated, encrypted, and never used to train AI models.

AI Privacy

The AI never sees your raw financial data

When you hear “AI-powered finance tool,” your first question is probably: does the AI have access to my bank transactions, invoices, and client details?

With Vectrly, the answer is no.

Before any AI gets involved, Vectrly's server-side pipeline reads your accounting data and pre-calculates all the metrics — revenue trends, cash flow, margins, DSO, and more. Only these anonymized, aggregated metric summaries are then sent to the AI for interpretation — stripped of any company-identifying information.

The AI's job is to explain what the numbers mean in plain English and recommend what to do next. It never sees individual transactions, client names, invoice details, bank account numbers, or even your company name. This isn't a policy — it's how the system is built.

Raw transactions stay on our servers — only anonymized metric summaries reach the AI, with no company-identifying information

The AI explains numbers it did not compute: every figure is produced by deterministic server-side calculations, so the model cannot miscalculate or invent a metric.

Even if an AI provider were compromised, the attacker would obtain only the aggregated metric summaries that were sent to it, never your raw transactions or identifiers.
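As an added illustration of this boundary (example code written for this page, not Vectrly's own pipeline), the Go program below computes a period's metrics from constructed invoice records, serializes only a numeric summary type, and then scans the outgoing bytes for any raw identifier before they are allowed to leave the server. The field names, the sample invoices, the company name and the simple DSO formula are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"strings"
	"time"
)

// Invoice is a constructed stand-in for one row read from the accounting
// connector. The field names are assumptions for this example, not Vectrly's
// actual schema.
type Invoice struct {
	InvoiceID string
	Client    string
	Amount    float64
	IssuedAt  time.Time
	PaidAt    *time.Time // nil while the invoice is still outstanding
}

// MetricSummary is the only structure permitted to cross the AI boundary.
// It has no string fields at all, so an identifier cannot ride along by
// accident: the shape of the type is the allowlist.
type MetricSummary struct {
	PeriodDays       int     `json:"period_days"`
	InvoiceCount     int     `json:"invoice_count"`
	RevenueTotal     float64 `json:"revenue_total"`
	RevenueTrendPct  float64 `json:"revenue_trend_pct"`
	OutstandingTotal float64 `json:"outstanding_total"`
	DSODays          float64 `json:"dso_days"`
}

// Summarize computes the metrics deterministically on the server for the
// window [now-days, now), using the preceding window of equal length for the
// trend. DSO here is the simple ratio form: outstanding / revenue * days.
func Summarize(invoices []Invoice, now time.Time, days int) MetricSummary {
	start := now.AddDate(0, 0, -days)
	prevStart := start.AddDate(0, 0, -days)
	var cur, prev, outstanding float64
	count := 0
	for _, inv := range invoices {
		switch {
		case !inv.IssuedAt.Before(start) && inv.IssuedAt.Before(now):
			cur += inv.Amount
			count++
			if inv.PaidAt == nil {
				outstanding += inv.Amount
			}
		case !inv.IssuedAt.Before(prevStart) && inv.IssuedAt.Before(start):
			prev += inv.Amount
		}
	}
	s := MetricSummary{PeriodDays: days, InvoiceCount: count, RevenueTotal: cur, OutstandingTotal: outstanding}
	if prev > 0 {
		s.RevenueTrendPct = math.Round((cur-prev)/prev*10000) / 100
	}
	if cur > 0 {
		s.DSODays = math.Round(outstanding/cur*float64(days)*100) / 100
	}
	return s
}

// CheckBoundary refuses any payload containing a raw invoice ID, a client
// name or the company name. It is deliberately simple: a substring scan over
// known identifiers, independent of how the payload was built.
func CheckBoundary(payload []byte, raw []Invoice, company string) error {
	text := string(payload)
	forbidden := []string{company}
	for _, inv := range raw {
		forbidden = append(forbidden, inv.InvoiceID, inv.Client)
	}
	for _, f := range forbidden {
		if f != "" && strings.Contains(text, f) {
			return fmt.Errorf("refusing to send AI payload: contains identifying string %q", f)
		}
	}
	return nil
}

// BuildAIPayload serializes the summary and applies CheckBoundary as a second
// line of defence before the bytes are handed to any AI provider.
func BuildAIPayload(s MetricSummary, raw []Invoice, company string) ([]byte, error) {
	payload, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	if err := CheckBoundary(payload, raw, company); err != nil {
		return nil, err
	}
	return payload, nil
}

// SampleInvoices is constructed test data, not real customer records.
func SampleInvoices() []Invoice {
	paid := func(y int, m time.Month, d int) *time.Time {
		t := time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
		return &t
	}
	return []Invoice{
		{"INV-1001", "Acme Ltd", 12000, time.Date(2024, 4, 15, 0, 0, 0, 0, time.UTC), paid(2024, 5, 10)},
		{"INV-1002", "Acme Ltd", 8000, time.Date(2024, 5, 20, 0, 0, 0, 0, time.UTC), nil},
		{"INV-1003", "Globex Corp", 5000, time.Date(2024, 6, 10, 0, 0, 0, 0, time.UTC), nil},
		{"INV-0990", "Globex Corp", 20000, time.Date(2024, 2, 1, 0, 0, 0, 0, time.UTC), paid(2024, 3, 1)},
	}
}

func main() {
	now := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC)
	raw := SampleInvoices()
	payload, err := BuildAIPayload(Summarize(raw, now, 90), raw, "Example Co")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(string(payload))
}
```

The two layers are independent on purpose: the summary type makes it structurally hard to include raw data, and the substring scan catches the case where someone later adds a free-text "notes" field to the payload and an identifier ends up in it.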

AI Data Policy

Your data is never used to train AI models

Vectrly uses the APIs from Anthropic (Claude), OpenAI, and Google (Gemini) to generate insights. All three providers have clear, published policies: data sent through their APIs is not used to train, improve, or fine-tune their models.

This means:

  • Your metric summaries are processed and discarded — they don't become part of any AI training dataset
  • No other company's queries will ever be influenced by your financial data
  • Each API call is stateless — the AI doesn't "remember" your data between sessions

We also never sell, share, or monetize your data in any way. Your financial data exists for one purpose: to generate insights for you.

Anthropic (Claude)

API data is never used for model training. Retained for up to 30 days for safety, then permanently deleted.


OpenAI

Business API data is not used for training by default. Organizations are opted out of data sharing automatically.


Google (Gemini)

Paid API data is excluded from general model training. Content is not reviewed by humans without explicit permission.

Data Isolation

Your data lives in its own isolated vault

Most SaaS platforms store every customer's data in the same database tables and rely on application-level filtering (a tenant ID column and a WHERE clause on every query) to keep it separated. If a single query omits that filter, data can leak between accounts.

Vectrly takes a different approach. Every customer account gets its own dedicated database schema — a completely separate section of the database with its own tables, its own boundaries, and its own access controls.

Even if every application-level rule failed at once, another customer's data would still be out of reach: it does not exist in your schema, and the access controls on your schema do not extend to anyone else's. This is the same isolation model used in regulated industries such as healthcare and banking.

Dedicated database schema per customer

Not just row-level filtering — each account has its own isolated set of tables within the database.

Cross-tenant access is blocked by the database, not only by the application

Data separation is enforced by database architecture, not just application-level rules.

Independent data lifecycle

Your data can be independently audited, exported, or deleted without affecting any other account on the platform.
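The Go snippet below is an added example, not Vectrly's provisioning code, showing one way the schema-per-tenant model is set up on PostgreSQL so that the database rather than the application enforces the boundary: each tenant gets a schema and a database role that can use only that schema, and the application switches into that role for the duration of each transaction. The naming scheme (tenant_*, app_*), the app_base login role and the privilege list are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// tenantIDPattern is deliberately strict: the tenant ID becomes part of a SQL
// identifier, so anything outside this character set is rejected before it
// gets anywhere near the database.
var tenantIDPattern = regexp.MustCompile(`^[a-z][a-z0-9_]{2,30}$`)

// quoteIdent double-quotes a PostgreSQL identifier and escapes embedded quotes.
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// BaseSQL is run once per database, before any tenant exists. The login role
// is NOINHERIT so that membership in tenant roles grants nothing by itself;
// privileges only appear after an explicit SET ROLE. Revoking the default
// grant on the public schema removes the one place everyone could see.
func BaseSQL() []string {
	return []string{
		"CREATE ROLE app_base LOGIN NOINHERIT;",
		"REVOKE ALL ON SCHEMA public FROM PUBLIC;",
	}
}

// ProvisionTenantSQL returns the DDL that gives one tenant its own schema and
// its own role. The role is what makes the isolation hold even when
// application code is wrong: a query that forgets a WHERE clause still only
// reaches tables in the one schema the role is allowed to use.
func ProvisionTenantSQL(tenantID string) ([]string, error) {
	if !tenantIDPattern.MatchString(tenantID) {
		return nil, fmt.Errorf("invalid tenant id %q", tenantID)
	}
	schema := quoteIdent("tenant_" + tenantID)
	role := quoteIdent("app_" + tenantID)
	return []string{
		// Schema and tables stay owned by the provisioning (admin) role, so
		// the tenant role can read and write rows but not alter or drop tables.
		fmt.Sprintf("CREATE SCHEMA %s;", schema),
		fmt.Sprintf("CREATE ROLE %s NOLOGIN;", role),
		fmt.Sprintf("GRANT USAGE ON SCHEMA %s TO %s;", schema, role),
		fmt.Sprintf("GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA %s TO %s;", schema, role),
		fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO %s;", schema, role),
		// The application's login role may switch into this tenant role and
		// into nothing else it has not been explicitly granted.
		fmt.Sprintf("GRANT %s TO app_base;", role),
	}, nil
}

// TenantSessionSQL is what the application runs at the start of every
// transaction that serves a request. SET LOCAL is undone at COMMIT or
// ROLLBACK, so a pooled connection never carries one tenant's role or
// search_path into the next request. search_path is set explicitly because a
// per-role default (ALTER ROLE ... SET) only applies to the login role, not
// to a role entered with SET ROLE.
func TenantSessionSQL(tenantID string) ([]string, error) {
	if !tenantIDPattern.MatchString(tenantID) {
		return nil, fmt.Errorf("invalid tenant id %q", tenantID)
	}
	return []string{
		fmt.Sprintf("SET LOCAL ROLE %s;", quoteIdent("app_"+tenantID)),
		fmt.Sprintf("SET LOCAL search_path = %s;", quoteIdent("tenant_"+tenantID)),
	}, nil
}

func main() {
	for _, s := range BaseSQL() {
		fmt.Println(s)
	}
	stmts, err := ProvisionTenantSQL("acme")
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, s := range stmts {
		fmt.Println(s)
	}
	if _, err := ProvisionTenantSQL(`acme"; DROP SCHEMA public`); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The point to check in any schema-per-tenant deployment is the second half of this: if the application connects with one role that can reach every schema and relies on search_path alone, a bug that schema-qualifies a table name can still read another tenant's data, and the isolation is back to being an application rule.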

Encryption

Encrypted at rest, encrypted in transit, controlled at every layer

OAuth-Only Connections

You log in directly with QuickBooks or Xero using their official authorization flow. Vectrly never sees or stores your accounting username or password; it holds only the OAuth tokens those services issue, which you can revoke at any time from your QuickBooks or Xero account settings.

AES-256-GCM Encryption

OAuth tokens and sensitive credentials are encrypted at rest using AES-256-GCM, the same standard used by major financial institutions. GCM is an authenticated mode: a stored token that has been altered fails to decrypt rather than yielding a corrupted value. All data in transit is protected by TLS.
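As an added example (not Vectrly's code) of what encrypting a stored OAuth token with AES-256-GCM involves, the Go program below seals a token under a fresh random 96-bit nonce with associated data that binds the ciphertext to the tenant it belongs to, and refuses to open anything that was altered or that belongs to another tenant. The hard-coded key, the blob layout, the associated-data string and the tenant naming are assumptions for the example; a real deployment fetches the key from a KMS or secrets manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keyVersion is stored as the first byte of every blob so the key can be
// rotated later without guessing which key a stored token was sealed under.
const keyVersion byte = 1

// tokenAAD binds a ciphertext to the tenant and purpose it was sealed for.
// GCM authenticates this data without encrypting it, so a blob copied from
// tenant A's row into tenant B's row fails to decrypt instead of handing
// B a working token for A's accounting system.
func tokenAAD(tenantID string) []byte {
	return []byte("oauth-token:v1:" + tenantID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a token with AES-256-GCM under a random nonce.
// Blob layout: keyVersion || nonce (12 bytes) || ciphertext || tag (16 bytes).
func Seal(key []byte, tenantID, token string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{keyVersion}, nonce...)
	return gcm.Seal(out, nonce, []byte(token), tokenAAD(tenantID)), nil
}

// Open reverses Seal. Any change to the version byte, nonce, ciphertext, tag
// or tenant ID makes the authentication check fail and nothing is returned.
func Open(key []byte, tenantID string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < 1+gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	if blob[0] != keyVersion {
		return "", fmt.Errorf("unknown key version %d", blob[0])
	}
	nonce := blob[1 : 1+gcm.NonceSize()]
	ct := blob[1+gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, tokenAAD(tenantID))
	if err != nil {
		return "", errors.New("decryption failed: blob tampered with or bound to another tenant")
	}
	return string(pt), nil
}

// demoKey is a constructed, hard-coded key for this stand-alone example only.
// In production the key comes from a KMS or secrets manager, never from source.
func demoKey() []byte {
	return []byte("0123456789abcdef0123456789abcdef") // exactly 32 bytes
}

func main() {
	key := demoKey()
	blob, err := Seal(key, "tenant_acme", "constructed-refresh-token-value")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("stored blob: %d bytes, key version %d\n", len(blob), blob[0])
	token, err := Open(key, "tenant_acme", blob)
	fmt.Println("same tenant:", token, err)
	_, err = Open(key, "tenant_globex", blob)
	fmt.Println("other tenant:", err)
}
```

Two operational notes follow from the construction. A random 96-bit nonce is safe for the volume of token refreshes a tenant produces, but GCM keys should be rotated well before about 2^32 seals under one key; the version byte is what lets old blobs be re-sealed under the new key lazily. And the associated data must include everything the row is keyed by, so that a ciphertext cannot be moved to a row where it would be opened in a different context.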

Role-Based Access + MFA

Every account supports multi-factor authentication (TOTP). Team access is controlled by roles — Admins and Viewers have different permissions, and all actions are logged in an audit trail.

Transparency

Subprocessors & data residency

We believe in full transparency about who processes your data and where it lives. All Vectrly infrastructure and subprocessors are based in the United States.

Service            | Purpose                                                 | Data accessed                                    | Location
-------------------|---------------------------------------------------------|--------------------------------------------------|--------------
Anthropic (Claude) | AI insight generation (default provider)                | Anonymized, pre-calculated metric summaries only | United States
OpenAI (GPT)       | AI insight generation (alternative provider)            | Anonymized, pre-calculated metric summaries only | United States
Google (Gemini)    | AI insight generation (alternative provider)            | Anonymized, pre-calculated metric summaries only | United States
Render             | Application hosting, database, and cache infrastructure | All application data (encrypted at rest)         | United States
Postmark           | Email delivery for reports and notifications            | Email addresses, report content                  | United States
Sentry             | Error tracking and monitoring                           | Error logs (no financial data)                   | United States
Datadog            | Application performance monitoring                      | Performance metrics (no financial data)          | United States

Ready to connect with confidence?

Join the invite-only beta. Your data is in safe hands.