Security at BankStatementHive
Security is a core part of how we build and operate BankStatementHive. This page describes the technical and organisational measures we have in place to protect your data.
Data in Transit
All communication between your browser and BankStatementHive is encrypted using HTTPS with TLS 1.2 or higher, enforced via Cloudflare. Unencrypted HTTP connections are automatically redirected to HTTPS. This applies to every page, API call, and file transfer.
Transactional emails (such as login codes) are sent via Cloudflare and transmitted over encrypted channels.
Data at Rest
The BankStatementHive database is hosted on Hetzner infrastructure in Germany. The database volume is encrypted at rest. If the underlying storage were ever physically accessed, the data would be unreadable without the encryption key.
Bank Statement File Handling
Uploaded bank statement files are processed entirely in memory. They are never written to disk, stored in a database, or passed to any external storage service. Once processing is complete and the converted file is available for download, the original upload is discarded from memory.
To perform the conversion, the file is transmitted over an encrypted connection to our AI processing subprocessors (see Subprocessors) purely to extract the data. These providers (Vercel and Google) operate under Zero Data Retention: they do not retain your file after the request completes and never use it to train any model. It is sent for the duration of processing only; no copy is written to disk on our systems.
This means there is no stored copy of your bank statements on our systems at any point.
Authentication
BankStatementHive uses passwordless authentication via email one-time passwords (OTP). There are no user passwords stored in our system, which eliminates an entire class of common attack vectors including credential stuffing, password spraying, and brute force attacks.
- Login codes are short-lived and single-use.
- Sessions expire 7 days after you sign in.
- Sessions can be invalidated immediately by signing out.
Infrastructure
| Layer | Provider | Location |
|---|---|---|
| App server & database | Hetzner | Germany |
| AI data extraction | Vercel AI Gateway / Google Gemini | USA / Global |
| CDN & DDoS protection | Cloudflare | Global |
| Payments | Stripe | EEA / USA |
Our primary infrastructure is located in Germany and subject to EU data protection law. Cloudflare sits in front of our application and absorbs network-level attacks before they reach our servers.
Access Controls
Access to production systems and customer data is strictly limited:
- Only essential personnel can access production infrastructure.
- No customer data is accessed for purposes other than providing the Service.
- We follow the principle of least privilege across all systems and service accounts.
Incident Response
In the event of a confirmed security breach affecting personal data, we are committed to:
- Containing the incident as quickly as possible.
- Notifying affected users within 72 hours of confirming the breach.
- Notifying the relevant data protection supervisory authority where required by law.
- Providing a clear account of what happened, what data was affected, and what steps we have taken.
Vulnerability Disclosure
If you discover a security vulnerability in BankStatementHive, please report it responsibly by emailing [email protected]. Include as much detail as possible so we can reproduce and address the issue promptly.
We ask that you:
- Give us reasonable time to investigate and fix the issue before any public disclosure.
- Do not access, modify, or delete data that does not belong to you.
We do not currently operate a formal bug bounty programme, but we take all reports seriously and will acknowledge your report promptly.
Continuous Improvement
Security is not a one-time effort. We review our practices, dependencies, and infrastructure regularly and update our measures as the threat landscape evolves.
Questions
If you have questions about our security practices, contact us at [email protected].