Security first.
Financial data is the most sensitive data you have. We treat it that way. Here's exactly how PocketSpend protects every transaction.
Encryption
AES-256 at rest across all data stores (PostgreSQL, S3, Redis). TLS 1.3 minimum in transit. Hardware Security Modules for key management. Keys rotated quarterly.
Read-only bank access
Every Open Banking integration uses read-only OAuth tokens scoped to account information only, with no payment-initiation scope. We cannot initiate payments, change beneficiaries or move money, even if our systems were compromised. Enforced at the API contract level: the bank or aggregator rejects any write operation for these tokens.
No credentials stored
We never see, store or transmit your bank login credentials. You authenticate directly with your bank; your bank then passes us a scoped, read-only token.
Aggregator security
Plaid (SOC 2 Type II, ISO 27001), TrueLayer (FCA-authorised, ISO 27001), Basiq (CDR-accredited), Lean (CBUAE-regulated, ISO 27001). Each is independently audited.
Authentication
Bcrypt-hashed passwords (cost factor 12). Optional 2FA via TOTP. Optional biometric unlock (Face ID, Touch ID, Android biometric). Session tokens rotate every 7 days.
Penetration testing
Quarterly external pentest by a CREST-accredited firm. Latest report (Q4 2025) available under NDA to enterprise customers.
SOC 2
SOC 2 Type II audit in progress, target completion Q3 2026. ISO 27001 roadmap Q1 2027.
Bug bounty
Public bug bounty via HackerOne. Critical: $5,000. High: $1,500. Medium: $500. Scope, exclusions and rules at hackerone.com/pocketspend.
Incident response
On-call engineer 24/7. Initial customer notification within 72 hours of a confirmed material incident, consistent with UK GDPR Article 33 (regulator notification within 72 hours) and Article 34 (notifying affected individuals without undue delay), and with equivalent rules in other jurisdictions.
Privacy by design
Minimum data collection. Aggregation where possible. Deletion on request within 30 days. Annual data minimization audit.
Report a vulnerability
Found something? Email [email protected] with reproduction steps. PGP key available on request. Initial response within 24 hours.