This page describes the technical and operational measures Trim uses to protect customer data.
Encryption in transit
All traffic between client and server is encrypted via TLS. No service endpoint is reachable over plaintext HTTP.
Authentication
Trim uses magic-link authentication; no passwords are stored. Each login link expires after 30 minutes and is single-use.
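One way to enforce the two properties stated above (30-minute expiry, single use), shown as an added example that is not Trim's code. The SQLite store, table name and function names are assumptions; only a SHA-256 digest of each token is stored, and one conditional UPDATE makes redemption atomic.

```python
import hashlib
import secrets
import sqlite3
import time

TTL_SECONDS = 30 * 60  # link lifetime stated on this page


def open_store(path=":memory:"):
    """Hypothetical token store; schema is an assumption for this example."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS login_tokens ("
        "token_hash TEXT PRIMARY KEY, email TEXT NOT NULL, "
        "expires_at REAL NOT NULL, used INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def _digest(token):
    # Store a digest so a leaked table cannot be replayed as login links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, email, now=None):
    """Create a token for the emailed link and record its expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO login_tokens (token_hash, email, expires_at) VALUES (?, ?, ?)",
        (_digest(token), email, now + TTL_SECONDS),
    )
    db.commit()
    return token


def redeem_token(db, token, now=None):
    """Return the email on first valid use; None if unknown, expired or reused."""
    now = time.time() if now is None else now
    digest = _digest(token)
    # One statement checks and consumes, so two concurrent clicks cannot both win.
    cur = db.execute(
        "UPDATE login_tokens SET used = 1 "
        "WHERE token_hash = ? AND used = 0 AND expires_at > ?",
        (digest, now),
    )
    db.commit()
    if cur.rowcount != 1:
        return None
    return db.execute(
        "SELECT email FROM login_tokens WHERE token_hash = ?", (digest,)
    ).fetchone()[0]
```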
Tenant isolation
Each tenant's data is stored in a dedicated database file. Isolation is enforced at the filesystem level; there is no shared database, and no query path crosses tenant boundaries.
Administrative access
Administrative endpoints are accessible only over a private network we operate. They are not reachable from the public internet, regardless of credentials.
Backups
Backups are encrypted. Restoration from backup does not expose plaintext data in transit or at rest.
Third-party services
Trim integrates with two external services: Postmark (magic-link email delivery) and Google Gemini (receipt OCR). Both are described in the Privacy Policy. No analytics, advertising, or profiling third parties are integrated.
Responsible disclosure
Security findings may be reported to privacy@trim.menu. We acknowledge reports within five business days and do not pursue legal action against good-faith security researchers.