Dracit’s security model starts with restraint. We can’t leak a bank login we never ask for, or a card number we have no field to store.
Nothing connects to your bank. There’s no credential to phish or store.
The audit needs a card’s name, not its number. There’s no PAN to protect.
The rewards math runs without mining your financial history into a cloud profile.
Most financial tools ask you to connect your bank, then spend enormous effort protecting the credentials and account data they’ve gathered. Dracit takes the opposite approach: we designed the product so that the most sensitive data never enters it. The result is a dramatically smaller attack surface — there’s simply less to steal.
Dracit has no integration with online banking and no screen anywhere that requests a banking username or password. You add cards by name and upload a statement you’ve already downloaded yourself. If any service claiming to be Dracit ever asks for your bank login, it is not us.
Because the rewards calculation depends on a card’s category earn rate — not its account — we only ever need the card’s name. There is no input for a card number, CVV, or expiry date, so there is no cardholder data to encrypt, store, or expose.
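One way to enforce the "no cardholder data" rule at the upload boundary, as an added example that is not Dracit's code: before a statement is stored, scan it for digit runs that pass the Luhn checksum (the check every real card number satisfies) and replace them with a placeholder, keeping only the card name the audit needs. The function names, the redaction placeholder and the sample statement text are all constructed for this illustration.

```python
import re
from typing import Tuple

# Candidate runs of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. (Constructed pattern for this example.)
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid 13-19 digit run with a placeholder.

    Returns the scrubbed text and the number of redactions made.
    Digit runs that fail Luhn (reference numbers, amounts) are left alone.
    """
    count = 0

    def _sub(match: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            count += 1
            return "[PAN REDACTED]"
        return match.group(0)

    return _PAN_CANDIDATE.sub(_sub, text), count


def ingest_statement(card_name: str, raw_text: str) -> dict:
    """Build the record that would be stored: card name plus scrubbed text.

    There is deliberately no field for a card number, CVV or expiry; the
    only thing retained from the upload is the redacted statement body.
    """
    scrubbed, redactions = redact_pans(raw_text)
    return {
        "card_name": card_name,
        "statement_text": scrubbed,
        "redactions": redactions,
    }


# Constructed sample statement: a Luhn-valid test number, a Luhn-invalid
# 16-digit run and a 13-digit reference number that should survive.
SAMPLE_STATEMENT = (
    "Account 4111 1111 1111 1111  statement period 2024-03\n"
    "Reference 1234567890123  Grocery Mart  $84.12\n"
    "Order 4111111111111112  Hardware Depot  $19.99\n"
)

if __name__ == "__main__":
    record = ingest_statement("Example Rewards Visa", SAMPLE_STATEMENT)
    print(record["statement_text"])
    print("redactions:", record["redactions"])
```

Luhn passes roughly one in ten arbitrary digit strings, so a long order or reference number can occasionally be redacted as well. For a product that never needs the card number, that is the right direction to fail in: a spurious redaction loses nothing the audit uses, whereas a missed PAN would create exactly the data the design set out never to hold.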
All traffic between your device and Dracit is encrypted with TLS (HTTPS). Data we do store — your account identity, the card names you add, and your saved audits — is encrypted at rest with industry-standard encryption managed by our infrastructure providers.
Sign-in is handled by Google OAuth for identity only, so Dracit never stores a password for you. We request the minimum scopes required to confirm who you are, and nothing that would grant access to your email, files, or financial accounts.
We collect only what an audit requires and keep it only as long as needed. You can delete an individual audit or your whole account at any time, which removes the associated statement data from our active systems. Less data retained means less data at risk.
We welcome reports from security researchers. If you believe you’ve found a vulnerability, please email security@dracit.ca with details and steps to reproduce. We commit to acknowledging your report promptly, investigating in good faith, and not pursuing legal action against researchers who act responsibly and avoid privacy violations or service disruption.
This page describes Dracit’s intended security posture in plain language. Specific controls, certifications, and infrastructure details should be confirmed by your security team before launch.
See exactly how the audit works — every dollar of missed rewards traces to a rate you can check.