Trust & Safety

Security at Mello

Last updated: March 18, 2026

Encryption Everywhere

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Plaid access tokens receive an additional layer of AES-256-GCM application-level encryption.

Hardened Infrastructure

Mello runs on enterprise-grade cloud infrastructure with network isolation, automated patching, and no direct public access to database or backend services.

Continuous Monitoring

We monitor for anomalous activity 24/7. Security events are logged, alerted on, and reviewed by our team with defined escalation paths.

Regular Audits

We conduct regular internal security reviews and plan periodic third-party penetration tests as the platform matures toward enterprise readiness.

Our Security Commitment

At Mello Inc., we handle financial data — and we take that responsibility seriously. Security is not an afterthought; it is built into every layer of how Mello is designed, deployed, and operated. This page describes the technical and organizational measures we have put in place to protect your data.

We are committed to transparency. If you have questions about anything described here, or if you believe you have found a security issue, please contact us at [email protected].

Encryption

In transit: All communication between your browser and Mello's servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject unencrypted connections.

At rest: All data stored in Mello's database is encrypted at rest using AES-256, the industry-standard symmetric encryption algorithm used by financial institutions worldwide.

Plaid access tokens: Bank connection tokens obtained through Plaid receive an additional layer of application-level encryption using AES-256-GCM before being written to the database. This means that even if the database contents were exposed, the tokens would remain unreadable without the separate application-layer encryption key, which is held outside the database.
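The token-encryption step described above, as an added illustration in Go that is not Mello's code: a Plaid access token is sealed with AES-256-GCM under a key the database never holds, and the owning user's ID is bound to the ciphertext as associated data so a value copied into another user's row will not decrypt. The key derivation from a passphrase, the user IDs and the token string are all constructed for the demo; a production service would fetch the 32-byte key from a KMS or secret manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptToken seals a plaintext token for one user. The user ID is passed as
// associated data: it is authenticated but not encrypted, so the ciphertext
// only opens when the same user ID is supplied at decryption time.
// Stored layout: nonce || ciphertext+tag, base64-encoded for a text column.
func EncryptToken(key []byte, userID, token string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	// A fresh random nonce per stored value; reuse under one key breaks GCM.
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(token), []byte(userID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptToken opens a stored value. It fails on a tampered ciphertext, a
// wrong key, or a user ID different from the one bound at encryption time.
func DecryptToken(key []byte, userID, stored string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(userID))
	if err != nil {
		// Single generic failure: do not reveal which check failed to callers.
		return "", errors.New("token decryption failed")
	}
	return string(pt), nil
}

// deriveDemoKey turns a passphrase into 32 bytes for this demo only
// (hypothetical helper); real keys come from a KMS, never from a passphrase.
func deriveDemoKey(seed string) []byte {
	sum := sha256.Sum256([]byte(seed))
	return sum[:]
}

func main() {
	key := deriveDemoKey("demo-only-key-material")  // constructed
	token := "access-sandbox-placeholder-token"     // constructed placeholder, not a real token
	stored, err := EncryptToken(key, "user-123", token)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored value:", stored)

	pt, err := DecryptToken(key, "user-123", stored)
	fmt.Println("same user decrypts:", err == nil && pt == token)

	_, err = DecryptToken(key, "user-456", stored)
	fmt.Println("other user rejected:", err != nil)

	_, err = DecryptToken(deriveDemoKey("some-other-key"), "user-123", stored)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The design choice worth noting is the associated data: GCM authenticates it alongside the ciphertext, so binding the user ID there gives a cheap row-to-owner check that a plain encrypt-then-store scheme lacks, and it complements the per-user query scoping described later on this page.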

Passwords: Mello uses Manus OAuth for authentication. We do not store passwords directly. Authentication is delegated to a hardened OAuth provider, eliminating an entire class of credential-related vulnerabilities.

Infrastructure & Hosting

Mello is hosted on enterprise-grade cloud infrastructure with the following properties:

  • Network isolation: Database and backend services are not directly accessible from the public internet. All traffic routes through controlled ingress points.
  • Automated patching: Operating system and runtime dependencies are kept up to date with security patches applied on a regular schedule.
  • Redundancy: Critical services are designed with redundancy to prevent single points of failure and ensure availability.
  • Backups: Database backups are performed regularly and stored in a separate, encrypted location to support disaster recovery.

Access Controls

Access to production systems and customer data is strictly controlled. Only authorized personnel with a legitimate business need are granted access, and all access is logged. We follow the principle of least privilege — each system and team member has only the permissions required for their specific role.

Within the application, your data is isolated by user account. Mello's API enforces authentication on every protected endpoint, and all database queries are scoped to the authenticated user's identity. Cross-account data access is architecturally prevented.

Financial Data & Plaid

Mello integrates with Plaid to allow you to connect your bank accounts. Plaid is a regulated financial data network used by thousands of financial applications. When you connect a bank account through Plaid:

  • You authenticate directly with your bank through Plaid's secure interface — Mello never sees your bank username or password.
  • Plaid returns an access token to Mello. This token is encrypted at the application layer before storage (AES-256-GCM) and is used only to fetch transaction data on your behalf.
  • Mello stores only the transaction data and account metadata needed to power your accounting features. We do not store full card numbers, CVV codes, or other sensitive payment credentials.

You can disconnect a bank account at any time from the Bank Feed page. Disconnecting revokes Mello's access token and removes the associated data from our systems.

Monitoring & Incident Response

We maintain continuous monitoring of our infrastructure and application logs for signs of unauthorized access, anomalous behavior, or service degradation. Security-relevant events trigger automated alerts to our team.

In the event of a confirmed security incident that affects your data, we will notify affected users promptly in accordance with applicable law, describe the nature of the incident, and outline the steps we have taken to contain and remediate it.

Compliance

Mello is designed with compliance in mind. We are working toward alignment with industry standards including SOC 2 Type II as the platform matures. Our Plaid integration is subject to Plaid's compliance program, which includes PCI DSS compliance for payment data handling.

We comply with applicable data protection laws, including the California Consumer Privacy Act (CCPA) and, where applicable, the General Data Protection Regulation (GDPR). For details on your data rights, please see our Privacy Policy.

Your Role in Security

Security is a shared responsibility. Here are steps you can take to protect your Mello account:

  • Use a strong, unique password for your Manus account (the identity provider for Mello).
  • Enable multi-factor authentication (MFA) in your account settings.
  • Do not share your login credentials with others.
  • Log out of Mello when using shared or public devices.
  • Review connected bank accounts periodically and disconnect any you no longer use.
  • Contact us immediately if you suspect unauthorized access to your account.

Reporting a Vulnerability

Responsible Disclosure

If you believe you have discovered a security vulnerability in Mello, please report it responsibly by emailing [email protected]. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and address it. We appreciate the security community's efforts to keep our users safe.

When reporting, please include a description of the vulnerability, the steps to reproduce it, and any relevant screenshots or proof-of-concept code. We aim to acknowledge all reports within 48 hours and will keep you informed of our progress.

Questions about security?

Contact our security team at [email protected]. For general support, visit our Help Center.