Security

Last updated: 29 May 2026

Contents

  • Overview
  • Data Protection
  • Document Vault
  • Account Security
  • Open Banking
  • Infrastructure
  • Monitoring
  • Internal Access
  • Incident Response
  • Your Role
  • Contact

1. Overview

Borro handles sensitive borrower information, including identity details, financial profile data, uploaded documents, and connected-account information. Security is designed into how we collect, store, process, and share that information.

This page summarises the safeguards we use to protect the Borro platform. It is intended as a practical overview, not a complete technical architecture or security audit report.

Plain-English summary: we limit access, encrypt sensitive data in transit and at rest where supported by our providers, use reputable managed infrastructure, and monitor the platform for reliability and abuse.

2. Data Protection

We protect borrower data using a layered approach that combines application controls, database permissions, provider-level encryption, and operational safeguards.

  • Data is transmitted over HTTPS/TLS.
  • Database access is protected with authentication and row-level security policies where applicable.
  • Sensitive server-side credentials are stored as environment variables and are not exposed to the browser.
  • Production systems are separated from local development environments.
  • We collect only the information needed to provide borrowing intelligence, document storage, support, and security operations.

3. Document Vault

Documents uploaded to Borro can include payslips, tax returns, bank statements, and identification documents. We treat these files as highly sensitive.

  • Document upload uses a presigned upload flow so files are sent directly to storage.
  • Storage keys are scoped by user and document type.
  • Document metadata is associated with the authenticated user account.
  • Documents are not shared with brokers, advisers, or lenders unless a product workflow or future permission model explicitly enables that sharing.
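
The sketch below illustrates the scoped-key, presigned-upload idea from the list above. It is an added example, not Borro's code: the key layout, the document-type names, and the HMAC grant format are all assumptions made for illustration, and a real object store supplies its own presigning scheme.

```javascript
// Added illustration (not Borro's code): an HMAC-signed upload grant bound to a
// server-derived storage key. All names and the key layout are assumptions.
const crypto = require("node:crypto");

const DOC_TYPES = new Set(["payslip", "tax_return", "bank_statement", "identification"]);
const SECRET = crypto.randomBytes(32); // constructed; a real secret lives in server-side config

const mac = (payload) =>
  crypto.createHmac("sha256", SECRET).update(payload).digest("hex");

// The key is built from the authenticated session's user id and an allowlisted
// document type; the client only contributes a sanitised file name.
function buildKey(userId, docType, fileName) {
  if (!/^[0-9a-f-]{36}$/.test(userId)) throw new Error("bad user id");
  if (!DOC_TYPES.has(docType)) throw new Error("unknown document type");
  const safeName = fileName.replace(/[^A-Za-z0-9._-]/g, "_").replace(/^\.+/, "").slice(0, 80);
  if (!safeName) throw new Error("empty file name");
  return `users/${userId}/${docType}/${crypto.randomUUID()}-${safeName}`;
}

// Server side: issue a short-lived grant for exactly one object key.
function issueGrant(userId, docType, fileName, now = Date.now(), ttlMs = 5 * 60_000) {
  const key = buildKey(userId, docType, fileName);
  const expires = now + ttlMs;
  return { key, expires, sig: mac(`PUT\n${key}\n${expires}`) };
}

// Storage side: the signature must cover the exact key and expiry presented.
function verifyGrant({ key, expires, sig }, now = Date.now()) {
  if (typeof key !== "string" || typeof sig !== "string" || !Number.isInteger(expires)) return "malformed";
  if (now > expires) return "expired";
  const expected = Buffer.from(mac(`PUT\n${key}\n${expires}`), "hex");
  const given = Buffer.from(sig, "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return "bad-signature";
  return "ok";
}
```

Because the signature covers the full key, a grant issued for one user's prefix cannot be replayed against another user's prefix or a different document type, and it stops working once the expiry passes.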

4. Account Security

Borro uses Supabase Auth for account authentication. Users can sign in with email/password and supported OAuth providers such as Google.

  • Session cookies are managed by the authentication provider and refreshed through the app proxy.
  • Protected app routes redirect unauthenticated visitors to login.
  • API routes that access account data require an authenticated user session.
  • Mobile verification is an app-level borrower trust signal, not a sign-in factor.

5. Open Banking

Borro is designed to work with read-only financial data connections. Where open banking or CDR integrations are used, they should require explicit user consent and should be limited to the data needed to assess borrowing capacity.

We do not use connected financial data to move money, initiate payments, or transact on your behalf.

6. Infrastructure

Borro is built on managed cloud infrastructure and service providers selected for reliability, security, and operational maturity.

  • Application hosting is designed for modern server-rendered web workloads.
  • Database, authentication, email, storage, and analytics services are provided by specialist vendors.
  • Secrets are stored in server-side environment configuration, not in public client code.
  • Changes are tested before release using automated unit tests and production builds.

7. Monitoring

We use operational logging, error reporting, and analytics signals to understand platform health, investigate failures, and improve reliability.

  • Application errors may be logged for debugging and reliability.
  • Security-relevant events may be reviewed to investigate abuse or unauthorised access.
  • Analytics are used to improve product quality and performance, not to sell personal information.

8. Internal Access

Access to production systems and sensitive operational data is limited to authorised personnel and service accounts with a business need.

  • Access should be role-based and reviewed as the team grows.
  • Administrative actions should be performed through secure provider consoles or audited service paths.
  • We avoid copying sensitive borrower data into support channels unless necessary to resolve a request.

9. Incident Response

If we become aware of a security incident that affects borrower data, we will investigate, contain the issue, and take appropriate remediation steps.

Where legally required, we will notify affected users, regulators, or other relevant parties within required timeframes and provide practical information about what happened and what to do next.

10. Your Role in Security

You can help keep your Borro account secure by using strong account practices.

  • Use a unique password for Borro if signing in with email and password.
  • Keep access to your email account secure, since it may be used for account recovery.
  • Do not share your Borro login credentials with brokers, family members, or advisers.
  • Review documents before uploading and remove files you no longer want stored in the platform when that feature is available.
  • Contact us promptly if you suspect unauthorised access.

11. Contact

If you believe you have found a security issue, or if you have questions about Borro’s security practices, contact us at hello@borro.ai.
