Security & Trust

Read-only connections, minimal retention, clear deletion.

Effective July 16, 2026Basel Systems, Inc.

Basel handles business financial data, so the product is designed around a simple security principle: collect less, retain less, and keep sensitive connection credentials away from the browser.

Important: Basel never receives bank credentials, never initiates payments, and does not store Plaid or QuickBooks access tokens for ongoing account access in this build. Basel removes the Plaid Item after the one-shot import. Transaction analysis is stored in your browser unless and until you delete it.

01

Trust model

Basel is a read-only rewards analysis tool. It is not a bank, card issuer, broker, lender, payment processor, or money transmitter. The website lets you import transaction history, run the analysis, and delete the local result.

This page describes the website-side controls currently implemented. Internal company security controls, vendor reviews, employee-device management, vulnerability scanning, and incident-response processes must be maintained operationally by Basel Systems, Inc.; a website page cannot truthfully create those controls by itself.

02

Data handling summary

CSV uploads
Parsed in the browser. The raw file is not uploaded to Basel servers.
Plaid imports
The server exchanges the short-lived public token, uses the resulting access token to import recent transactions, then calls Plaid /item/remove within that request.
Transaction analysis
Stored in browser local storage under Basel-specific keys so the user can clear it from the profile page.
Credentials
Bank credentials go to Plaid. Basel does not receive or store them.
Technical logs
Hosting and infrastructure logs may include standard request metadata needed for security, debugging, and reliability.
03

Connected account controls

  • Plaid Link is opened only after the user confirms data-access consent.
  • Bank and QuickBooks credentials are collected by Plaid or Intuit, not by Basel.
  • Plaid and QuickBooks access tokens are server-side only and are not persisted in this build.
  • Plaid Items are removed after import so Basel does not keep ongoing account access.
  • The import is read-only and limited to transaction data needed for the analysis.
  • Users can revoke a connection through their bank, Plaid Portal, or QuickBooks settings.
04

Encryption and transport

The hosted Service should be served over HTTPS using TLS 1.2 or better. Plaid secrets are read from server environment variables and are never sent to the client. Data stored by the browser uses the browser's local storage; users should secure their device, operating system account, and browser profile.

05

Access controls

The website includes a sign-in gate before Plaid Link and the product workspace. In this demo build, the account session is local to the browser and no password is stored. A production deployment should use real authentication such as SSO, magic links, or another managed identity provider, with MFA enabled for administrators and systems that can access production secrets or financial data.

06

Retention

  • Browser-local account and analysis data persists until the user deletes it or clears site data.
  • Plaid access-token retention in this build is limited to the import request and the Item is removed after import.
  • Technical logs should be retained only as long as needed for security, reliability, and legal compliance.

See the Privacy Policy retention section for the user-facing retention policy.

07

User deletion controls

Users can open Profile and use the data deletion controls to clear account data, analysis data, Plaid client-user identifiers, and saved consent records from the current browser. If Basel Systems, Inc. later stores server-side account data, deletion requests should also be handled by email and documented internally.

08

Current limitations

The following are not solved by adding legal pages and consent UI. They require operational work by the company:

  • A documented information security policy and risk-management process.
  • Administrative MFA for all critical systems and production assets.
  • Formal vulnerability scanning and patch management for employee devices and production infrastructure.
  • Incident-response, vendor-management, and access-review procedures.
  • Legal review of privacy, terms, retention, and deletion practices.
09

Report a security or privacy issue

Security reports can be sent to [email protected]. Privacy requests can be sent to [email protected].