Security at Corli

Corli is designed to keep budgeting data useful, limited, and protected.

Corli separates sign-in, session management, and bank connectivity so the app handles as little sensitive information as possible. Users authenticate with Google, bank connections are handled through Plaid, and protected account data is only returned to authenticated sessions.

On the backend, Corli uses encrypted storage for Plaid access tokens, secure session cookies, HTTPS in production, and log filtering for sensitive values such as tokens and secrets. The result is a product built around minimizing exposure rather than collecting more access than it needs.

Secure sign-in

Corli uses Google sign-in instead of a separate password system, which reduces password handling inside the app and keeps authentication tied to a trusted provider.

Protected sessions

User sessions are managed with Secure, HttpOnly cookies, so the session cookie is not readable by client-side scripts and session state stays on the server; protected routes require an authenticated session before returning personal data.

Encrypted banking access

Bank connections are powered by Plaid. Corli does not store your online banking username or password, and Plaid access tokens stored by Corli are encrypted on the backend.

Reduced exposure

Production traffic is configured for HTTPS and secure cookies, and sensitive values like tokens, secrets, and keys are filtered from application logs to reduce accidental exposure.

Need a link you can share?

Send people to the public security page at /security. It does not require authentication and works as a direct explanation of how Corli protects user data.