woven

Security

Built to protect the most sensitive data you hold.

Woven is a system of record for financial and client data, so security isn't a feature bolted on the side — it's how the platform is built. Here's how your data is protected.

Encrypted at rest and in transit

Sensitive data is encrypted, and the encryption key is held in a managed secrets vault — not in the codebase or the database. All traffic is served over HTTPS.

PII redaction before AI ever sees it

Social security numbers, dates of birth, and full bank and card numbers are automatically redacted from derived data and are never sent to any AI provider. Detection runs locally and deterministically.

Append-only audit trail

Financial records are backed by an append-only, hash-chained audit log. Entries can be added but not silently altered or deleted — tampering breaks the chain and is detected.

Strong authentication

Passwords are hashed with bcrypt. Multi-factor authentication and automatic lockout after repeated failed attempts protect every account.

Consent-gated access to client books

No one — not even the firm owner or Woven — can silently change a client's books. Access is scoped, consent-gated, and recorded.

AI you control

AI is human-verified and off by default, with a per-client kill switch. Nothing posts to the ledger without a person reviewing it, and manual rules are always available as the no-AI path.

Isolated, per-tenant data

Each firm and business is isolated. Bank connections use tokenized access through a regulated aggregator; account credentials are never stored by Woven.

Least data, on purpose

We minimize the personal information the platform touches, and keep a clear record of the few necessary PII touchpoints and why they exist.

Found something? Tell us.

We take responsible disclosure seriously. If you believe you've found a security issue, reach out and we'll respond quickly.