Trust Center

Every trust question in one place.

Live status, security posture, privacy commitments, subprocessors, retention windows, and the latest release — all on this page. The numbers below come from the same production telemetry the engineering team uses internally.

Live status

Refreshes every 30s

All systems normal (as of 6:48:40 PM)

Read p95: 47.7ms
Read p99: 49.7ms
Error rate: 0.00%

Latest release: v3.5.0 · 4/25/2026

Methodology: Read latency is approximated from the production Prometheus histogram across all GET endpoints. Error rate is 5xx ÷ total since the last deploy. For the underlying machine-readable feed, hit /api/observability/public-status.

The three policies

Number provenance

The dashboard answer now carries its own math trail.

Safe-to-spend is not just a number. In the app, the first dashboard card exposes the live inputs, formula, timing adjustment, and a direct methodology link so users can check why Viably thinks the week is safe or short.

Formula: Cash + next paycheck − upcoming bills

Inputs: Timestamps and live dashboard payload values

Source: Methodology page and public data registry

What we commit to

Each row maps to a live test in the codebase. If one of these slips, CI fails before the change ships.

  • Audit logs retained 365 days, then auto-deleted by MongoDB TTL.
  • Marketing-funnel analytics retained 90 days and contain zero PII (anonymous visitor IDs only).
  • Account deletion is a transactional cascade — every personal record removed in seconds.
  • No third-party tracking pixels. Verify in any devtools Network tab.
  • Bcrypt password hashing (12 rounds), optional TOTP + WebAuthn passkeys.
  • HTTPS-only with HSTS preload; HttpOnly, Secure auth cookies on supported app domains.
  • Per-device session list visible to every user — revoke any session, anytime.
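
A sketch of the kind of automated check that could back the HSTS-preload and auth-cookie rows above. It is an added example, not Viably's own test code. The header values are constructed samples, the cookie name `session` is an assumption, and the HSTS thresholds are the published hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload).

```python
# Added example: constructed header values, not captured traffic.
from http.cookies import SimpleCookie

MIN_PRELOAD_MAX_AGE = 31536000  # one year, the hstspreload.org minimum

# Constructed samples: one compliant and one weak value per header.
GOOD_HSTS = "max-age=63072000; includeSubDomains; preload"
WEAK_HSTS = "max-age=86400; includeSubDomains"
GOOD_COOKIE = "session=constructed123; Path=/; HttpOnly; Secure; SameSite=Lax"
WEAK_COOKIE = "session=constructed123; Path=/; Secure"


def hsts_problems(value):
    """List the reasons a Strict-Transport-Security value fails preload rules."""
    if not value:
        return ["header missing"]
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    problems = []
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        max_age = -1  # absent or non-numeric max-age counts as failing
    if max_age < MIN_PRELOAD_MAX_AGE:
        problems.append("max-age below one year")
    for required in ("includesubdomains", "preload"):
        if required not in directives:
            problems.append(f"{required} directive missing")
    return problems


def cookie_problems(set_cookie, auth_names=("session",)):
    """List missing HttpOnly/Secure flags on auth cookies in a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    problems = []
    for name, morsel in jar.items():
        if name in auth_names:  # auth_names is an assumed cookie-name list
            for flag in ("httponly", "secure"):
                if not morsel[flag]:
                    problems.append(f"{name}: {flag} flag missing")
    return problems


if __name__ == "__main__":
    print(hsts_problems(WEAK_HSTS), cookie_problems(WEAK_COOKIE))
```

The same two functions can be fed the `Strict-Transport-Security` and `Set-Cookie` values copied from a devtools Network tab.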

Subprocessors

Named services. Each has a narrow, named role and its own privacy policy.

Honest disclaimers

  • We are not yet SOC 2 Type II certified. We design for the controls but the audit is on the roadmap.
  • We are not a HIPAA business associate. Don't upload Protected Health Information.
  • No paid bug-bounty program yet. Disclose to security@viably.app — we credit publicly at your discretion.

Trust, then verify

The trust commitments are real.
The product is too.

Free. No credit card. Account creation requires only an email.