Security

Your statements, vaulted.

Bank statements contain sensitive financial detail. Here's exactly how we handle them.

Encryption in transit & at rest

All traffic is encrypted with TLS 1.3. PDFs are processed in memory and never written to disk. The parsed transaction data retained in your account is encrypted at rest with AES-256.

Google Document AI + proprietary engine

Statements are sent to Google Document AI for text extraction under an enterprise data agreement with no retention rights. Our reconciliation engine then processes the output inside ephemeral Cloudflare Worker instances that are destroyed after each request.

Scoped access controls

Row-level security ensures users can only see their own statements. Service-role keys never leave the server.

Zero PDF retention

Original PDFs are never written to any database or disk. They are processed in memory and deleted immediately after parsing completes. The only data retained in your account is the parsed export you choose to download.

Authentication

Email + password and Google OAuth, backed by industry-standard JWT sessions with refresh rotation.

Compliance posture

Infrastructure is hosted on SOC 2 Type II audited platforms. SOC 2 attestation for stmtly is in progress.

Reporting a vulnerability? Email [email protected]. We respond within one business day.