How Plaid Works: Why Connecting Your Bank to Clarity Is Safe
Clarity Team | Engineering | Published Mar 22, 2026
Clarity uses Plaid to link your bank accounts with read-only access, bank-level encryption, and zero ability to move money. Here's exactly how the connection works and why it's secure.
Connecting a bank account to a third-party app can feel like handing someone the keys to your house. It shouldn't. Clarity uses Plaid to link your financial accounts with read-only access, bank-level encryption, and zero ability to move your money. Here's exactly how it works and why it's safe.
The short version
Clarity never sees your bank password. You log in through Plaid's secure widget, your bank authenticates you directly, and Clarity receives a read-only token that can view balances and transactions but can never move money. That token is encrypted with AES-256-GCM before it ever touches our database.
What Is Plaid?
Plaid is the infrastructure layer between your bank and the apps you use. When you connect a bank account through Clarity, you're authenticating directly with your bank inside Plaid's secure widget — Clarity never sees your bank username or password. Plaid is used by over 8,000 apps including Venmo, Robinhood, Coinbase, and Betterment. It connects to over 12,000 financial institutions in the US, Canada, and Europe.
Plaid is regulated as a data processor, undergoes annual SOC 2 Type II audits, and is regularly reviewed by federal financial regulators. It's the same pipeline that Fortune 500 fintechs trust with millions of connections.
How the Connection Flow Works
When you tap "Connect" in Clarity, here's what happens step by step:
Clarity requests a Link token from Plaid. This token is short-lived and scoped to your session. It tells Plaid which permissions Clarity is requesting (read-only balances, transactions, and holdings).
Plaid Link opens in a secure iframe. You see your bank's login screen rendered by Plaid, not by Clarity. Your credentials go directly to your bank through Plaid's encrypted channel. Clarity cannot intercept, read, or store them.
Your bank authenticates you. This includes any multi-factor authentication your bank requires: SMS codes, authenticator apps, security questions. Plaid passes these challenges through without Clarity ever seeing them.
Plaid returns an access token to Clarity. This token grants Clarity read-only access to the account data you authorized. Clarity encrypts this token with AES-256-GCM before storing it, so even a database breach wouldn't expose it in plaintext.
Clarity syncs your data. Balances, transactions, and holdings flow in automatically. Plaid sends webhooks when new data is available, so Clarity stays current without polling.
At no point in this process does Clarity have access to your bank login credentials. The entire authentication happens inside Plaid's infrastructure.
Read-Only Access: What Clarity Can and Cannot Do
Clarity requests the minimum set of Plaid products needed to build your financial picture. Here's the breakdown:
Clarity can:
Read transaction history (merchant, amount, date, category)
Read investment holdings and positions
Detect recurring charges and subscriptions
Sync automatically when your bank reports new data
Clarity cannot:
Initiate payments, ACH, or direct debits
Place trades or modify investment positions
Change account settings or open new accounts
See or store your bank username or password
The connection is structurally read-only. Even if Clarity's servers were compromised, the Plaid access token does not carry write permissions. Your bank would reject any attempt to move money through it.
How Your Data Is Protected
Security isn't a single feature — it's layers. Here's how each layer works in the Plaid integration:
Encryption in transit
All communication between Clarity, Plaid, and your bank uses TLS. Data cannot be intercepted or read while moving between systems.
Encryption at rest
Plaid access tokens are encrypted with AES-256-GCM before storage. Clarity supports key rotation with up to 10 encryption keys for zero-downtime re-encryption.
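One way an encryption-at-rest layer like the one described above can be built, as an added example that is not Clarity's own code: each stored value carries a key id, so several keys can coexist and rows are re-encrypted one at a time. The envelope layout, key ids, item-id binding and sample token are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

const MAX_KEYS = 10; // the page's stated limit on configured keys

// Hypothetical keyring: key id -> 32-byte AES-256 key. Keys are random and
// constructed for the demo; real keys would come from a KMS or secret store.
function makeKeyring(ids) {
  if (ids.length === 0 || ids.length > MAX_KEYS) throw new Error('keyring must hold 1-10 keys');
  return new Map(ids.map((id) => [id, crypto.randomBytes(32)]));
}

// Assumed envelope: "<keyId>.<iv>.<tag>.<ciphertext>", binary fields base64url.
function encryptToken(keyring, keyId, plaintext, itemId) {
  const key = keyring.get(keyId);
  if (!key) throw new Error(`unknown key id ${keyId}`);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${keyId}|${itemId}`)); // bind to key id and owning row
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const fields = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64url'));
  return [keyId, ...fields].join('.');
}

function decryptToken(keyring, envelope, itemId) {
  const [keyId, iv, tag, ct] = envelope.split('.');
  const key = keyring.get(keyId);
  if (!key) throw new Error(`unknown key id ${keyId}`);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64url'));
  decipher.setAAD(Buffer.from(`${keyId}|${itemId}`));
  decipher.setAuthTag(Buffer.from(tag, 'base64url'));
  // final() throws if the ciphertext, tag, or AAD does not match.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64url')), decipher.final()]);
  return pt.toString('utf8');
}

// Zero-downtime rotation: old rows stay readable under their own key id and
// are rewritten under the current key one at a time.
function rotate(keyring, envelope, currentKeyId, itemId) {
  if (envelope.startsWith(`${currentKeyId}.`)) return envelope; // already current
  return encryptToken(keyring, currentKeyId, decryptToken(keyring, envelope, itemId), itemId);
}
```

An old key can be dropped from the keyring only after no stored envelope still starts with its id.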
Webhook verification
Every Plaid webhook is cryptographically verified before processing. Attackers cannot inject fake data by impersonating Plaid's servers.
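The check described above, sketched as an added example (not Clarity's code) that follows Plaid's documented scheme: the Plaid-Verification header carries an ES256-signed JWT whose claims include `iat` and `request_body_sha256`. The function names, the demo key pair, the `demo-kid` value and the sample body are constructed for the example.

```javascript
const crypto = require('node:crypto');

const MAX_AGE_SECONDS = 5 * 60; // Plaid's documented freshness window for `iat`

// Returns true only if the Plaid-Verification JWT is validly signed, fresh,
// and commits to exactly these body bytes. `jwk` is the public key for the
// JWT's `kid`; a real handler fetches it from Plaid's
// /webhook_verification_key/get endpoint and caches it per kid.
function verifyPlaidWebhook(jwt, rawBody, jwk, nowSeconds) {
  try {
    const [h, p, s, extra] = jwt.split('.');
    if (!h || !p || !s || extra !== undefined) return false;
    const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
    if (decode(h).alg !== 'ES256') return false; // pin the algorithm before any key use
    const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
    const signatureOk = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
      { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
    if (!signatureOk) return false;
    const claims = decode(p);
    if (typeof claims.iat !== 'number') return false;
    if (Math.abs(nowSeconds - claims.iat) > MAX_AGE_SECONDS) return false; // stale or future-dated
    const want = Buffer.from(String(claims.request_body_sha256), 'hex');
    const got = crypto.createHash('sha256').update(rawBody).digest();
    return want.length === got.length && crypto.timingSafeEqual(want, got);
  } catch {
    return false; // malformed token or key: fail closed
  }
}

// Constructed sender for the demo: builds a token with the claims named above.
function signForDemo(privateKey, rawBody, iat, alg = 'ES256') {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const bodyHash = crypto.createHash('sha256').update(rawBody).digest('hex');
  const input = `${enc({ alg, kid: 'demo-kid', typ: 'JWT' })}.${enc({ iat, request_body_sha256: bodyHash })}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

function demoKeyPair() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { privateKey, jwk: publicKey.export({ format: 'jwk' }) };
}
```

Pass the raw request bytes as received, not a re-serialized JSON object, because the hash is sensitive to whitespace and key order.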
No credential storage
Clarity never stores your bank username, password, or MFA codes. Only the encrypted access token Plaid provides after authentication is retained.
For full details on Clarity's security posture, encryption standards, and incident response process, see the security practices page.
Plaid's Own Security Standards
Plaid operates its own rigorous security program independent of the apps that use it:
SOC 2 Type II certified. Annual third-party audits verify that Plaid's security controls are designed correctly and operating effectively over time.
Regular penetration testing. External security firms test Plaid's systems for vulnerabilities on an ongoing basis.
Data minimization. Plaid only accesses the data your bank exposes through its API and only shares what the connecting app requests.
Consumer controls. You can view and manage all your Plaid connections at my.plaid.com, including disconnecting any app at any time.
You can disconnect any institution from Clarity at any time through Settings > Connections. When you disconnect:
Clarity deletes the encrypted access token immediately.
Plaid revokes the connection on their end, so no further data flows to Clarity.
Your historical data in Clarity is retained unless you explicitly request deletion.
If you delete your Clarity account entirely, all stored credentials and financial data are permanently removed. You can also visit my.plaid.com to independently verify or revoke any Plaid connection regardless of what happens on Clarity's side.
Why Plaid Instead of Screen Scraping
Before Plaid and similar infrastructure providers existed, most finance apps used screen scraping: they'd log into your bank with your actual username and password, pretend to be you, and copy the HTML. This was fragile, slow, and required you to hand your real bank credentials to a third party.
Plaid replaced that model with direct API connections to banks. Your credentials stay with your bank. The connection is tokenized and scoped. The data is structured and reliable. And if a bank changes its website design, your connection doesn't break — because Plaid isn't scraping a webpage.
Common Questions
Can Clarity see my bank password?
No. Your bank credentials are entered directly into Plaid's secure widget and sent to your bank. Clarity never receives, processes, or stores them.
What if Plaid gets hacked?
Plaid maintains enterprise-grade security with multiple layers of defense. In the unlikely event of a breach, Plaid's access tokens can be revoked institution-wide, and Clarity's stored tokens are independently encrypted. No single point of failure exposes your bank login credentials because Plaid doesn't store them in a way that's reversible.
What if I want to stop sharing data?
Disconnect the institution in Clarity's settings, or go directly to my.plaid.com to revoke access. Either method cuts off data flow immediately.
Is my data sold to third parties?
Clarity does not sell your financial data. Your data is used exclusively to power your personal financial workspace. Plaid's data practices are governed by their own privacy policy and consumer data rights regulations.