Built like your clients' bank data depends on it — because it does
The short version: clients authenticate directly with their bank, so credentials never touch StatementFlow. Access tokens are AES-256-GCM encrypted at rest, every statement download is SHA-256 hash-verified, sensitive actions require passkey step-up, access is role-gated, and every action is logged. Files land in your firm's own Drive.
This page describes the actual implementation — the same one we trust with Scale CPA's own client base — not aspirations. Written security documentation is available to firms on request.
Nine controls that do the heavy lifting
Credentials never touch us
Clients authenticate at the bank through Plaid Link or Mastercard Open Banking Connect. The system receives a scoped access token — never a username or password.
AES-256-GCM encryption at rest
Every access token and source credential is envelope-encrypted with AES-256-GCM before storage, and the database itself is encrypted at rest.
SHA-256 verified documents
Each downloaded statement is hash-verified, giving you an evidence-grade record that the file on disk is exactly what the bank served.
Signature-verified webhooks
Inbound bank-provider webhooks are cryptographically verified before anything is processed — spoofed callbacks are dropped.
Passkey step-up (WebAuthn)
Sensitive actions — like initiating a bank connection — require phishing-resistant passkey confirmation on top of normal sign-in.
Role-based access control
Admin, manager, and staff roles gate who can add, refresh, reconnect, or remove connections. View/download rights are separate from control rights.
Activity log & job timelines
Administrative actions and every statement job (requested → fetched → verified → filed) are recorded with actor and timestamp.
No vendor lock-in on records
Statements route into your own Google Drive as they arrive. Your archive is portable by design, not by export ticket.
Built for failure, loudly
Retries with backoff, dual bank-data providers, and alerting on anything stuck — failures surface to your team instead of silently leaving gaps.
What we access — and what we can't
- Official statement PDFs as the bank publishes them
- Account metadata needed to file them (institution, account mask, dates)
- Connection health signals (needs re-auth, fetch failed)
- Move money, pay bills, or initiate transfers of any kind
- See or store client banking credentials
- Change anything at the bank — access is data-only
Infrastructure partners
Bank connectivity is provided by Plaid and Mastercard Open Banking (Finicity) — regulated, audited aggregators that power much of US fintech. Statement files are routed to your firm's own Google Drive.
Documentation & disclosure
Our written information-security policy, data-retention & deletion policy, and at-rest encryption verification are available to firms under evaluation — ask and we'll share them. Formal SOC 2 certification is on the roadmap as the platform scales; we'd rather show you real controls today than a badge tomorrow.
Found a vulnerability? Email security@example.com — reports are read by the people who wrote the code.
Security questions firms ask
Is it safe to connect client bank accounts through Plaid?
What exactly can StatementFlow see and do?
Where do the statement files live?
What happens to data if we stop using the product?
Do clients have to share their online banking password with my firm?
Security review? Bring your checklist.
Early-access firms get our security documentation and a direct line to the builder — not a sales engineer reading a wiki.