Security & data protection
Your financial data security is our top priority. Learn about our comprehensive security measures.
Our security promise
Never stored
Your bank statements are never saved to our servers
Always encrypted
All data transmitted with TLS 1.3 encryption
No human access
Automated processing - staff never see your data
How we protect your data
In-memory processing only
When you upload a bank statement, it is processed entirely in the server's memory (RAM). We never write your statements to disk, databases, or any persistent storage. This means:
- No traces of your statement remain on our servers
- Data is automatically purged when processing completes
- Memory is cleared immediately after conversion
- Even in case of server failure, your data is not recoverable
End-to-end encryption
All data transmitted between your browser and our servers is protected with industry-standard encryption:
- TLS 1.3: The latest transport layer security protocol
- 256-bit AES encryption: Data is protected with 256-bit AES encryption
- HTTPS-only: No unencrypted connections allowed
- Perfect Forward Secrecy: Past communications cannot be decrypted even if keys are compromised
Zero human access
Your bank statements are processed by automated systems only:
- No staff members have access to your uploaded files
- Automated parsing runs without human intervention
- No logging of transaction details or account numbers
- Only metadata (file size, conversion time) is tracked for system monitoring
Strict access controls
We implement multiple layers of access control and authentication:
- Account Authentication: Secure login with email verification
- Session Management: Automatic timeout after inactivity
- API Security: Rate limiting and request validation
- Infrastructure Access: Multi-factor authentication for all staff accounts
Infrastructure & compliance
Hosting & infrastructure
- Vercel: Enterprise-grade hosting with global CDN
- Supabase: PostgreSQL database with encryption at rest
- DDoS Protection: Automatic mitigation of attacks
- Redundancy: Multiple availability zones for high uptime
Compliance standards
- UK GDPR: Full compliance with UK data protection law
- PCI DSS: Card payments are processed by Stripe, which is PCI DSS Level 1 certified. We do not hold a PCI certification ourselves.
- Data Protection Act 2018: UK data protection compliance
Payment security
- Stripe Payment Gateway: All card payments are handled by Stripe
- PCI DSS Level 1: Stripe, our payment processor, holds PCI DSS Level 1 certification
- No Card Storage: We never see or store your card details
- 3D Secure: Additional authentication layer for card payments
Monitoring & response
- 24/7 Monitoring: Continuous system health and security monitoring
- Intrusion Detection: Automated threat detection and response
- Incident Response: Documented procedures for security events
- Regular Audits: Security reviews and vulnerability assessments
What we never do
Your security responsibilities
While we implement robust security measures, you also play a crucial role in protecting your account:
- Use a strong password: At least 12 characters with mixed case, numbers, and symbols
- Never share your password: Keep your login credentials confidential
- Log out on shared devices: Always log out when using public computers
- Keep your device secure: Use up-to-date antivirus software
- Verify our website: Always check the URL is convertbank-statement.com
- Report suspicious activity: Contact us immediately if you notice anything unusual