BankStatementHive
Sign in
Last updated: 2026-05-27

Security at BankStatementHive

How BankStatementHive protects your data through encryption, secure infrastructure, and responsible engineering practices.

Security is a core part of how we build and operate BankStatementHive. This page describes the technical and organisational measures we have in place to protect your data.

Data in Transit

All communication between your browser and BankStatementHive is encrypted using HTTPS with TLS 1.2 or higher, enforced via Cloudflare. Unencrypted HTTP connections are automatically redirected to HTTPS. This applies to every page, API call, and file transfer.

Transactional emails (such as login codes) are sent via Cloudflare and transmitted over encrypted channels.

Data at Rest

The BankStatementHive database is hosted on Render Services, Inc. infrastructure in Frankfurt, Germany. The full database volume is encrypted at rest at the application level. If the underlying storage were ever physically accessed, the data would be unreadable without the encryption key.

Bank Statement File Handling

Uploaded bank statement files are processed entirely in memory. They are never written to disk, stored in a database, or passed to any external storage service. Once processing is complete and the converted file is available for download, the original upload is discarded from memory.

This means there is no stored copy of your bank statements on our systems at any point.

Authentication

BankStatementHive uses passwordless authentication via email one-time passwords (OTP). There are no user passwords stored in our system, which eliminates an entire class of common attack vectors including credential stuffing, password spraying, and brute force attacks.

  • Login codes are short-lived and single-use.
  • Sessions expire after 7 days of inactivity.
  • Sessions can be invalidated immediately by signing out.

Infrastructure

LayerProviderLocation
App server & databaseRender Services, Inc.Frankfurt, Germany
CDN & DDoS protectionCloudflareGlobal
PaymentsStripeEEA / USA

Our primary infrastructure is located in Frankfurt, Germany and subject to EU data protection law. Cloudflare sits in front of our application and absorbs network-level attacks before they reach our servers.

Access Controls

Access to production systems and customer data is strictly limited:

  • Only essential personnel can access production infrastructure.
  • No customer data is accessed for purposes other than providing the Service.
  • We follow the principle of least privilege across all systems and service accounts.

Incident Response

In the event of a confirmed security breach affecting personal data, we are committed to:

  1. Containing the incident as quickly as possible.
  2. Notifying affected users within 72 hours of confirming the breach.
  3. Notifying the relevant data protection supervisory authority where required by law.
  4. Providing a clear account of what happened, what data was affected, and what steps we have taken.

Vulnerability Disclosure

If you discover a security vulnerability in BankStatementHive, please report it responsibly by emailing [email protected]. Include as much detail as possible so we can reproduce and address the issue promptly.

We ask that you:

  • Give us reasonable time to investigate and fix the issue before any public disclosure.
  • Do not access, modify, or delete data that does not belong to you.

We do not currently operate a formal bug bounty programme, but we take all reports seriously and will acknowledge your report promptly.

Continuous Improvement

Security is not a one-time effort. We review our practices, dependencies, and infrastructure regularly and update our measures as the threat landscape evolves.

Questions

If you have questions about our security practices, contact us at [email protected].