Bank AI

  • Bank-grade encryption

    All traffic is TLS 1.2+ in transit. Sensitive data at rest is encrypted with AES-256, with keys managed in EU-region KMS. Database backups are encrypted with separate keys.

  • EU data residency by default

    Personal and financial data is stored in EU regions. We do not move personal data outside the European Economic Area unless an adequacy decision applies; cross-border transfers use Standard Contractual Clauses with technical safeguards.

  • Read-only by default

    Bank AI never moves money on your behalf. Account access is read-only via licensed Account Information Service Provider (AISP) partners. Payment Initiation is on the roadmap and will run as a separate, explicitly authorised flow.

  • Strong Customer Authentication

    Connections refresh under PSD2's Strong Customer Authentication (SCA) requirements - we re-prompt every 90 days exactly as the regulation requires.

  • Opt-in AI processing

    AI insights only run on data you have explicitly enabled for AI processing. The AI does not see categories you have not turned on, and your inputs are never used to train shared models without consent.

  • Hardened headers + supply chain

    HSTS preload, strict referrer policy, COOP/CORP isolation and a tightly-scoped Permissions-Policy on every response. Build pipeline pins all dependencies and runs SCA at every release.
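The header policy described in that bullet can be checked mechanically on every response. The script below is an added example written for this page, not Bank AI's own code: the two header sets are constructed samples, and the thresholds it applies (a one-year HSTS max-age as the preload-list minimum, the set of Referrer-Policy values it treats as strict, and the four Permissions-Policy features it expects to be denied) are this example's assumptions about what "hardened" means, not values taken from the page.

```python
"""Check a response's security headers against the policy described above.

Added example, not Bank AI's code. Header values are constructed samples;
the thresholds and expected feature list are assumptions of this example.
"""
from __future__ import annotations

# Referrer-Policy values that never send the full URL cross-origin
# (assumption: this is what "strict referrer policy" means here).
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}
ONE_YEAR = 31_536_000  # seconds; minimum max-age for HSTS preload eligibility
DENIED_FEATURES = ("camera", "microphone", "geolocation", "payment")  # assumption


def _directives(value: str) -> dict[str, str | None]:
    """Split 'max-age=63072000; includeSubDomains; preload' into a lower-cased dict."""
    out: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip().strip('"') or None
    return out


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the response meets the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # HSTS: long max-age plus includeSubDomains and preload, or it is not preload-eligible.
    hsts = _directives(h.get("strict-transport-security", ""))
    max_age = hsts.get("max-age")
    if max_age is None or not max_age.isdigit() or int(max_age) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    if "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("HSTS not preload-eligible (needs includeSubDomains and preload)")

    # Referrer-Policy: must be one of the values that withhold the path cross-origin.
    rp = h.get("referrer-policy", "").strip().lower()
    if rp not in STRICT_REFERRER:
        findings.append(f"Referrer-Policy {rp!r} is not strict")

    # COOP/CORP isolation: the document must not share a browsing context group
    # with cross-origin openers, and its resources must not be loadable cross-origin.
    if h.get("cross-origin-opener-policy", "").strip().lower() != "same-origin":
        findings.append("COOP is not same-origin")
    if h.get("cross-origin-resource-policy", "").strip().lower() not in {"same-origin", "same-site"}:
        findings.append("CORP is not same-origin/same-site")

    # Permissions-Policy: each sensitive feature must carry an empty allowlist "()".
    pp = h.get("permissions-policy", "")
    if not pp:
        findings.append("Permissions-Policy missing")
    else:
        allowed = {}
        for item in pp.split(","):
            feature, _, allowlist = item.strip().partition("=")
            allowed[feature.strip()] = allowlist.strip()
        for feature in DENIED_FEATURES:
            if allowed.get(feature) != "()":
                findings.append(f"Permissions-Policy does not deny {feature}")
    return findings


# Constructed sample: a response that meets the policy.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}

# Constructed sample: common weak defaults (short HSTS, leaky referrer, no isolation).
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "geolocation=(self)",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_headers(hdrs) or "OK")
```

Run it as a release gate against the headers of a real response (for example the dict returned by an HTTP client) and fail the build on any finding; the weak sample above produces nine findings, the hardened one none.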

Bank AI itself is not a bank. Account-data access is delivered by licensed Account Information Service Providers (AISPs) operating under PSD2 (in the EU and the UK), supervised by the relevant national competent authorities (BaFin in Germany, ACPR in France, Banca d'Italia in Italy, Banco de España in Spain, FCA in the UK, etc.). The licensing partners that make this possible are listed when commercial agreements allow public attribution - TODO_PARTNER_NAMES once confirmed by the team.

You can access, rectify, port and delete your data at any time. We comply with the GDPR, the UK GDPR and the EU AI Act. Bank AI never sells personal data and never trades on your information. Detailed processing purposes and lawful bases are documented in the Privacy Policy.

Bank AI follows a documented incident response plan with 24-hour internal triage targets and 72-hour notification windows aligned with GDPR Article 33. Customer-impacting incidents are communicated through email and an in-app banner. The published security disclosure policy is at /.well-known/security.txt.

If you have found a security issue, please email security@stolenorbit.com. Coordinated disclosure with researchers is welcomed - see /.well-known/security.txt for the full disclosure process.


Can Bank AI move money out of my bank account?

No. Bank AI never moves money on your behalf. Account access is read-only via licensed Account Information Service Provider (AISP) partners operating under PSD2. Payment Initiation is on the roadmap and will run as a separate, explicitly authorised flow.

Where is my data stored?

Personal and financial data is stored in EU regions by default. We do not move personal data outside the European Economic Area unless an adequacy decision applies; cross-border transfers use Standard Contractual Clauses with technical safeguards.

How is my data encrypted?

All traffic is encrypted in transit with TLS 1.2 or higher. Sensitive data at rest is encrypted with AES-256, with keys managed in EU-region KMS. Database backups are encrypted with separate keys.

Does Bank AI use my data to train AI models?

No. AI insights only run on data you have explicitly enabled for AI processing. The AI does not see categories you have not turned on, and your inputs are never used to train shared models without consent.

What happens if there is a security incident?

Bank AI follows a documented incident response plan with 24-hour internal triage targets and 72-hour notification windows aligned with GDPR Article 33. Customer-impacting incidents are communicated through email and an in-app banner. The published security disclosure policy is at /.well-known/security.txt.

How do I report a security vulnerability?

Email security@stolenorbit.com. Coordinated disclosure with researchers is welcomed - see /.well-known/security.txt for the full disclosure process.

Which regulations does Bank AI comply with?

Bank AI complies with the GDPR, the UK GDPR and the EU AI Act, and operates through AISP partners regulated under PSD2 in the EU and the UK. Strong Customer Authentication (SCA) is enforced on bank connections every 90 days as the regulation requires.