Encryption in transit and at rest
Warm uses industry-standard encryption for data in transit and at rest, including bank connection data returned through Plaid.
Warm is designed for visibility and understanding: encrypted data, Plaid bank connections, no stored bank credentials, and optional MCP access that stays scoped.
Access model
The same read-only posture applies to the dashboard and optional MCP clients. Warm can read the financial context you authorize, but it cannot make payments, transfer funds, or edit bank accounts.
You authenticate directly with your financial institution through Plaid.
Plaid returns account and transaction data without sharing bank credentials.
Warm stores the financial context needed to show balances, trends, and alerts.
Supported clients can query read-only tools only after you create an API key.
Controls
Warm can view account balances and transactions. It cannot initiate transfers, make payments, or change bank accounts.
Bank usernames and passwords are never stored by Warm. Authentication is handled by Plaid and your financial institution.
Production systems use managed cloud infrastructure, restricted access, monitoring, and routine security updates.
Warm does not sell financial data or share it with advertisers. Your data is used to provide the service.
You can disconnect bank accounts, delete API keys, or delete your Warm account when you no longer want access enabled.
Plaid handles the secure connection between Warm and supported financial institutions. When you connect a bank, authentication happens through Plaid and your bank; Warm does not receive or store your bank username or password.
You can disconnect accounts in Warm or manage Plaid connections through my.plaid.com.
MCP security
Warm MCP gives supported clients read-only financial context through scoped API keys and the local @warmio/mcp package.
Clients can answer questions from your data, but they cannot move money or edit records.
MCP access only works after you create an API key and connect a supported client.
API keys are scoped to your Warm account data and can be revoked from Settings.
Clients can query data. They cannot move money, edit records, or change settings.
Your money stays protected because Warm does not store bank credentials and does not have transfer permissions. A security incident would not give an attacker the ability to log into your bank, initiate payments, or move funds through Warm.
Plaid powers bank connections for many financial apps. It handles authentication directly with your bank and does not share your bank credentials with Warm.
Warm has read-only access to account balances and transactions. We cannot initiate transfers, make payments, or modify anything in your accounts.
You can delete your account from Settings. When you delete your account, Warm revokes bank connections and deletes account data associated with the service.
No. Warm does not sell financial data, share it with advertisers, or use it for purposes outside providing the Warm service.
No. Warm MCP is documented here as the local @warmio/mcp package using scoped API keys.
Connect accounts through Plaid and keep control of what Warm can access.