Security
Fastcal is built around private statement uploads, account-scoped data, and never asking users for bank credentials.
No bank login is required. Fastcal Finance works from statement uploads and does not connect to live bank accounts.
Sessions for registered users are handled by Supabase Auth. Financial records carry ownership checks so a user can only access their own statement, transaction, dashboard, and report rows.
Statement source files are processed temporarily and deleted after successful extraction. While a source PDF still exists (before cleanup), it is served only through short-lived signed URLs.
Deleting a statement removes any remaining private storage file, deletes derived transactions and reports, and marks the statement as deleted.
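As an added illustration of the ownership and deletion rules above (not Fastcal's own schema or code), the following shows how such checks are commonly enforced in Supabase with Postgres row-level security. The table and column names (statements, transactions, reports, user_id, statement_id, deleted_at) are assumptions; Fastcal may implement the checks differently.

```sql
-- Added example, not Fastcal's schema. Assumed tables: statements, transactions,
-- reports, each carrying a user_id that references the authenticated user.

create table if not exists public.statements (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id),
  file_path  text,                 -- private storage path, null once cleaned up
  deleted_at timestamptz           -- set when the statement is marked deleted
);

create table if not exists public.transactions (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null references auth.users (id),
  statement_id uuid not null references public.statements (id),
  amount       numeric not null
);

create table if not exists public.reports (
  id           uuid primary key default gen_random_uuid(),
  user_id      uuid not null references auth.users (id),
  statement_id uuid not null references public.statements (id),
  body         jsonb not null
);

-- With RLS enabled, a row is invisible unless some policy grants it.
alter table public.statements   enable row level security;
alter table public.transactions enable row level security;
alter table public.reports      enable row level security;

-- Owners may read their own statements, and only ones not marked deleted.
create policy "statements owner select"
  on public.statements for select
  using (auth.uid() = user_id and deleted_at is null);

-- A new statement row must belong to the user inserting it.
create policy "statements owner insert"
  on public.statements for insert
  with check (auth.uid() = user_id);

-- "Marking as deleted" is an update of deleted_at, allowed only to the owner.
create policy "statements owner update"
  on public.statements for update
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Derived rows are scoped the same way; owners may read and remove them.
create policy "transactions owner select"
  on public.transactions for select using (auth.uid() = user_id);
create policy "transactions owner delete"
  on public.transactions for delete using (auth.uid() = user_id);

create policy "reports owner select"
  on public.reports for select using (auth.uid() = user_id);
create policy "reports owner delete"
  on public.reports for delete using (auth.uid() = user_id);

-- Caveat: the Supabase service role bypasses every policy above. Any server-side
-- cleanup that runs with the service role key must repeat the ownership check
-- in application code, and that key must never reach a client or a log.
```

With these policies, a query issued with a user's own session token returns only that user's rows, so an ownership mistake in application code fails closed rather than leaking another account's data. The last comment is the reason the service role key has to stay server-only: requests made with it are not filtered by these policies.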
The service role key is server-only and must never be exposed to client components, public routes, logs, or browser bundles. Admin views must never expose private statement files directly.