Security & privacy.
Everything that touches your money or your records is encrypted, isolated, and read-only by default.
The short version
Everything that touches your money or your records is encrypted, isolated, and read-only by default. We connect through Plaid, we host in AWS, and we cannot move a dollar of yours even if we wanted to.
How we connect to your accounts
Account links go through Plaid using a read-only OAuth connection. You can revoke the connection anytime from Settings. We never see or store your bank username or password. Plaid hands us an access token that lets us read account balances, transaction history, and account holder info. Nothing in that token lets us initiate a transfer.
Where your data lives
Your data lives on Amazon Web Services (AWS), inside the United States. Production and backup sit in two separate US regions for redundancy. Databases are encrypted at rest with AES-256. Uploaded documents (medical bills, EOBs, lease agreements) sit in a private object store, encrypted, and get purged 90 days after the related case closes. Everything moving between your browser and our servers is encrypted with TLS 1.3.
Who can see your data inside Bursify
Engineers do not have standing access to production data. Access is just-in-time, audited, and limited to support cases you have explicitly opened. If a human at Bursify opens your record, you get an email letting you know who, when, and why.
HIPAA posture
The medical bill audit is HIPAA-regulated. We have Business Associate Agreements with every subprocessor that touches Protected Health Information: SRFax for fax delivery, Lob for physical mail delivery, AWS for cloud infrastructure (which is also where we host Claude for drafting), and Anthropic as the model provider. We do not use plain email to submit medical appeals because plain email cannot guarantee end-to-end encryption to the recipient. The vendor list is updated whenever it changes.
AI safety
We call Claude from inside our own AWS account, so your prompts and your documents never cross out to a public chatbot. Nothing is retained by the model provider for training. We do not send your data to ChatGPT, Claude.ai web, or any third-party AI plugin. Full detail in How Bursify uses AI.
Authentication
Login supports an authenticator-app second factor (TOTP) on top of your password. Sessions expire on idle. Password reset flows are rate-limited to prevent guessing attacks. We recommend turning on MFA from Settings the first time you log in.
Data you can export
Your full case file is exportable anytime from Settings as PDF or JSON. The export includes every draft letter, every final signed document, recovery amounts, status events, and the timestamp of every action taken on your behalf.
Data we delete on request
Account deletion disables your login immediately and removes your records across every engine within 30 days. A small set of records (audit logs of admin actions, anonymized financial transaction summaries) is retained where required by law. You can trigger deletion from Settings, Privacy, Delete account, with a type-DELETE confirmation step.
Incident response
If your data is involved in a breach, you get notified within 72 hours. That sits ahead of the statutory floor in any jurisdiction where we operate. The notification tells you what data was involved, what we know, what we are doing about it, and what you can do on your end.
Compliance roadmap
SOC 2 Type II is in progress; we will publish the report once the audit completes. HIPAA compliance is reviewed annually with our BAA partners. PCI scope is minimized because Stripe handles all card data; we never see a card number.
Reach us
Vulnerability reports go to security@bursify.app. Data requests (access, export, deletion) go to privacy@bursify.app. General support is support@bursify.app.