Skip to content
Security & data handling

Built like your clients' bank data depends on it — because it does

The short version: clients authenticate directly with their bank, so credentials never touch StatementFlow. Access tokens are AES-256-GCM encrypted at rest, every statement download is SHA-256 hash-verified, sensitive actions require passkey step-up, access is role-gated, and every action is logged. Files land in your firm's own Drive.

This page describes the actual implementation — the same one we trust with Scale CPA's own client base — not aspirations. Written security documentation is available to firms on request.

Controls

Nine controls that do the heavy lifting

Credentials never touch us

Clients authenticate at the bank through Plaid Link or Mastercard Open Banking Connect. The system receives a scoped access token — never a username or password.

AES-256-GCM encryption at rest

Every access token and source credential is envelope-encrypted with AES-256-GCM before storage, and the database itself is encrypted at rest.

SHA-256 verified documents

Each downloaded statement is hash-verified, giving you an evidence-grade record that the file on disk is exactly what the bank served.

Signature-verified webhooks

Inbound bank-provider webhooks are cryptographically verified before anything is processed — spoofed callbacks are dropped.

Passkey step-up (WebAuthn)

Sensitive actions — like initiating a bank connection — require phishing-resistant passkey confirmation on top of normal sign-in.

Role-based access control

Admin, manager, and staff roles gate who can add, refresh, reconnect, or remove connections. View/download rights are separate from control rights.

Activity log & job timelines

Administrative actions and every statement job (requested → fetched → verified → filed) are recorded with actor and timestamp.

No vendor lock-in on records

Statements route into your own Google Drive as they arrive. Your archive is portable by design, not by export ticket.

Built for failure, loudly

Retries with backoff, dual bank-data providers, and alerting on anything stuck — failures surface to your team instead of silently leaving gaps.

Data handling

What we access — and what we can't

The system accesses
  • Official statement PDFs as the bank publishes them
  • Account metadata needed to file them (institution, account mask, dates)
  • Connection health signals (needs re-auth, fetch failed)
The system cannot
  • Move money, pay bills, or initiate transfers of any kind
  • See or store client banking credentials
  • Change anything at the bank — access is data-only

Infrastructure partners

Bank connectivity is provided by Plaid and Mastercard Open Banking (Finicity) — regulated, audited aggregators that power much of US fintech. Statement files are routed to your firm's own Google Drive.

Documentation & disclosure

Our written information-security policy, data-retention & deletion policy, and at-rest encryption verification are available to firms under evaluation — ask and we'll share them. Formal SOC 2 certification is on the roadmap as the platform scales; we'd rather show you real controls today than a badge tomorrow.

Found a vulnerability? Email security@example.com — reports are read by the people who wrote the code.

Security questions firms ask

Is it safe to connect client bank accounts through Plaid?
Yes — this is the same aggregation infrastructure used across mainstream fintech. The client authenticates directly with their bank (often via the bank’s own OAuth page); the firm and the software never see credentials. Access is data-only: statement documents and account metadata, with no ability to move money.
What exactly can StatementFlow see and do?
It can retrieve statement PDFs and the account metadata needed to organize them (institution, account mask, statement dates). It cannot initiate payments, transfers, or any account change — the connection is read-only by design.
Where do the statement files live?
In your firm’s own Google Drive, under your organization’s control and retention rules, plus operational copies the system needs to verify and serve them. You are never locked out of your own archive.
What happens to data if we stop using the product?
Your Drive files are already yours. Connection tokens are revoked and stored data is removed per our written data-retention and deletion policy — available to any firm on request, along with our information-security policy.
Do clients have to share their online banking password with my firm?
No — and they never should. Credential-sharing (or worse, emailing statements and passwords around) is exactly the risk this replaces. The client signs in at the bank; the firm receives verified documents, not credentials.

Security review? Bring your checklist.

Early-access firms get our security documentation and a direct line to the builder — not a sales engineer reading a wiki.

Get early access