Security - Tetri

Updated: 23 June 2026

Financial data runs on trust, and trust is built on honesty — including about what isn't in place yet. So this covers both the protection and its limits.

Where the data lives

Dedicated servers in Germany (EU). No shared infrastructure with other products and no third-party clouds with access to your records. Each account's data is isolated at the database query level: one user cannot reach another's data.

Passwords and sign-in

  • Passwords are never stored in plain text, only as a cryptographic hash.

  • Sign-in is confirmed by email verification.

  • Sessions can be revoked: on a password change or sign-out, old tokens stop working.

  • The connection between the app and the server is encrypted.

No bank passwords

Tetri does not connect to banks and does not store bank logins. No Plaid, no Yodlee, no aggregators. Data enters Tetri three ways: manual entry, the Telegram bot, and file-based statement import. Your bank password stays with you.

Telegram bot

The bot works in private chats, connects through a one-time link, and is rate-limited. Its requests are signed before they reach the API. It doesn't read other messages on your phone — only what's sent to it directly.

Backups

Daily automated backups to object storage (Cloudflare R2) with a limited retention window, for disaster recovery.

No external AI

Categorization, exchange rates and forecasts are computed with rules and arithmetic on Tetri's own side. Financial data is not sent to external AI services — zero such calls. Fewer places data travels means a smaller risk surface.

Report a vulnerability

Found something? Email security@tetri.app. Security reports get priority. Tetri is a one-developer product built in public, so the habit is to talk about issues openly rather than bury them.