diff --git a/app/controllers/concerns/store_location.rb b/app/controllers/concerns/store_location.rb
index 2bf87a64..e2e8d318 100644
--- a/app/controllers/concerns/store_location.rb
+++ b/app/controllers/concerns/store_location.rb
@@ -5,6 +5,8 @@ module StoreLocation
     helper_method :previous_path
     before_action :store_return_to
     after_action :clear_previous_path
+
+    rescue_from ActiveRecord::RecordNotFound, with: :handle_not_found
   end
 
   def previous_path
@@ -12,6 +14,14 @@ module StoreLocation
   end
 
 private
+  def handle_not_found
+    if request.fullpath == session[:return_to]
+      session.delete(:return_to)
+      redirect_to fallback_path
+    else
+      head :not_found
+    end
+  end
 
   def store_return_to
     if params[:return_to].present?
diff --git a/app/models/plaid_item.rb b/app/models/plaid_item.rb
index c2ca4cbc..d456285e 100644
--- a/app/models/plaid_item.rb
+++ b/app/models/plaid_item.rb
@@ -1,7 +1,10 @@
 class PlaidItem < ApplicationRecord
   include Plaidable, Syncable
 
-  encrypts :access_token, deterministic: true
+  if Rails.application.credentials.active_record_encryption.present?
+    encrypts :access_token, deterministic: true
+  end
+
   validates :name, :access_token, presence: true
 
   before_destroy :remove_plaid_item
diff --git a/config/application.rb b/config/application.rb
index 3615cb76..df4c0f36 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -30,5 +30,10 @@ module Maybe
     config.i18n.fallbacks = true
 
     config.app_mode = (ENV["SELF_HOSTED"] == "true" || ENV["SELF_HOSTING_ENABLED"] == "true" ? "self_hosted" : "managed").inquiry
+
+    # Self hosters can optionally set their own encryption keys if they want to use ActiveRecord encryption.
+    if Rails.application.credentials.active_record_encryption.present?
+      config.active_record.encryption = Rails.application.credentials.active_record_encryption
+    end
   end
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index c032dfed..ea7cd99d 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -94,6 +94,4 @@ Rails.application.configure do
   # ]
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
-
-  config.active_record.encryption = Rails.application.credentials.active_record_encryption
 end