🌲Sherwood

Security

Last updated: 2026-05-22

Sherwood stores your business records (invoices, clients, expenses, proposals). This page describes how we protect them.

In transit

Sherwood is served over HTTPS. Connections from Sherwood to managed providers such as Neon, Clerk, Stripe, Cloudflare, Resend, and Anthropic use their HTTPS/TLS endpoints.

At rest

Your database currently lives on Neon Postgres in the US East region. Neon encrypts storage at rest for the managed database service.

Receipts and logos live on Cloudflare R2 (S3-compatible object storage). Uploaded file URLs are not listed publicly, but anyone with the exact URL may be able to view the file, so do not upload anything you would not want attached to your business records.

Passwords and sessions

We don't store your password. Authentication runs through Clerk, which handles password hashing (bcrypt with salt), MFA, and session management. You can enable two-factor auth in your Clerk account at any time.

Payments

Stripe processes every payment. Card numbers never touch Sherwood's servers. We only see Stripe's customer reference and a record of which charges succeeded or failed.

API keys

BYOK on Studio is coming soon. When it launches, we will store your AI key in your subscription row, redact it from any log line that prints subscription data, and never share it with anyone, including support staff.

Access control

Production database access is limited to the founder. There is no support team, no contractor account, and no third party with routine read access. Administrative access is kept narrow and reviewed when infrastructure changes.

Backups

Neon provides point-in-time recovery according to the active project plan. At launch the backup window is limited, so you should keep your own copies of records and receipts you need for tax, accounting, or legal reasons. Account deletion is reflected in production data first; provider backups roll off on their normal retention schedule.

Breach disclosure

If we discover unauthorized access to personal data, we'll investigate promptly, take steps to contain it, and notify affected users and regulators where required by law. Our goal is to explain what happened, what was exposed, and what we're doing about it as quickly and clearly as we can.

Responsible disclosure

Found a security issue? Email hello@sherwood-finance.com. We'll acknowledge within 48 hours and fix anything material before publicly discussing it. No bug bounty program at launch, but we'll publicly credit anyone who reports a real issue in good faith.

What we don't claim

No SOC 2. No ISO 27001. No HIPAA. Those certifications are months of paperwork and serious money, and Sherwood is built by one person. We aim for the same security practices you'd expect from any small modern SaaS: HTTPS, provider encryption at rest, managed authentication, least-privilege access, and regular backup checks. If you need a vendor with audited certifications, Sherwood isn't yet the right fit.

Contact

Security questions and general privacy: hello@sherwood-finance.com. We read everything.