
Security and trust at Bank AI

Bank AI handles money-shaped data, so security and regulatory hygiene are not features - they're foundations. Here is how that holds together end to end.

Security architecture

  • Bank-grade encryption

    All traffic is TLS 1.2+ in transit. Sensitive data at rest is encrypted with AES-256, with keys managed in EU-region KMS. Database backups are encrypted with separate keys.

  • EU data residency by default

    Personal and financial data is stored in EU regions. We do not move personal data outside the European Economic Area unless an adequacy decision applies; cross-border transfers use Standard Contractual Clauses with technical safeguards.

  • Read-only by default

    Bank AI never moves money on your behalf. Account access is read-only via licensed Account Information Service Provider (AISP) partners. Payment Initiation is on the roadmap and will run as a separate, explicitly-authorised flow.

  • Strong Customer Authentication

    Connections refresh under PSD2's Strong Customer Authentication (SCA) requirements - we re-prompt every 90 days exactly as the regulation requires.

  • Opt-in AI processing

    AI insights only run on data you have explicitly enabled for AI processing. The AI does not see categories you have not turned on, and your inputs are never used to train shared models without consent.

  • Hardened headers + supply chain

    Every response carries HSTS preload, a strict Referrer-Policy, COOP/CORP isolation and a tightly-scoped Permissions-Policy. The build pipeline pins all dependencies and runs software composition analysis (SCA, not to be confused with the Strong Customer Authentication above) at every release.
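As an added illustration, not Bank AI's own code, here is a small Python audit that checks a response header map against the baseline described in this bullet; the HSTS thresholds follow the public preload list's requirements, and the set of Permissions-Policy features it expects to see disabled is an assumption.

```python
# Added example (not Bank AI's code): audit HTTP response headers against the
# hardening baseline described on this page. All sample headers are constructed.
import re

# Referrer-Policy values treated as "strict" (assumption).
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
# Features a tightly-scoped Permissions-Policy is expected to disable (assumption).
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment")


def _hsts_ok(value):
    """Preload list eligibility: max-age >= 31536000, includeSubDomains and preload."""
    m = re.search(r"max-age=(\d+)", value)
    ok_age = m is not None and int(m.group(1)) >= 31536000
    tokens = {t.strip().lower() for t in value.split(";")}
    return ok_age and "includesubdomains" in tokens and "preload" in tokens


def audit_headers(headers):
    """Return a sorted list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if not _hsts_ok(h.get("strict-transport-security", "")):
        findings.append("HSTS missing or not preload-eligible")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy is not strict")
    if h.get("cross-origin-opener-policy", "").lower() != "same-origin":
        findings.append("COOP is not same-origin")
    if h.get("cross-origin-resource-policy", "").lower() not in {"same-origin", "same-site"}:
        findings.append("CORP missing or too permissive")
    pp = h.get("permissions-policy", "").replace(" ", "")
    for feature in SENSITIVE_FEATURES:
        if f"{feature}=()" not in pp:  # an empty allowlist disables the feature everywhere
            findings.append(f"Permissions-Policy does not disable {feature}")
    return sorted(findings)


# Constructed samples: a hardened response and a weaker one.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}
WEAK = {
    "Strict-Transport-Security": "max-age=3600",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "geolocation=(self)",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_headers(hdrs) or "OK")
```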

Regulatory model

Bank AI itself is not a bank. Account-data access is delivered by licensed Account Information Service Providers (AISPs) operating under PSD2 (in the EU and the UK), supervised by the relevant national competent authorities (BaFin in Germany, ACPR in France, Banca d'Italia in Italy, Banco de España in Spain, FCA in the UK, etc.). The licensing partners that make this possible are listed when commercial agreements allow public attribution - TODO_PARTNER_NAMES once confirmed by the team.

Data rights

You can access, rectify, port and delete your data at any time. We comply with the GDPR, the UK GDPR and the EU AI Act. Bank AI never sells personal data and never trades on your information. Detailed processing purposes and lawful bases are documented in the Privacy Policy.

Incident response

Bank AI follows a documented incident response plan with 24-hour internal triage targets and 72-hour notification windows aligned with GDPR Article 33. Customer-impacting incidents are communicated through email and an in-app banner. The published security disclosure policy is at /.well-known/security.txt.

Reporting a vulnerability

If you have found a security issue, please email security@stolenorbit.com. Coordinated disclosure with researchers is welcomed - see /.well-known/security.txt for the full disclosure process.
