Security & Compliance
Last updated: March 2026
Disclaimer: This is a provisional document pending final legal review. For any questions, contact us at hello@spendable.pro.
This page summarizes the technical and regulatory measures we take to protect your data in Spendable. It is intended to give a clear, verifiable picture of our current security posture during the closed beta. It is not a substitute for the Privacy Policy, Terms of Service, or Cookie Policy.
- FCA-authorized open banking: Salt Edge Limited, AISP ref. 822499
- Read-only bank access: we cannot move your money
- Non-custodial crypto: outside MiCA CASP scope
- Encrypted by default: TLS 1.3 in transit, AES-256 at rest
1. Bank Connections (PSD2)
For the closed beta we rely on Salt Edge Limited, a licensed Account Information Service Provider authorized by the UK Financial Conduct Authority (reference number 822499) and ISO 27001 certified. Salt Edge operates under PSD2 and connects to your bank exclusively through bank-sanctioned APIs, using delegated authentication (SCA) on the bank's own screens.
- We never see or store your banking credentials.
- Connections are strictly read-only: balances and transactions only. Payment initiation is not enabled.
- SCA (Strong Customer Authentication) is performed directly by your bank, in line with Art. 97 PSD2 and Commission Delegated Regulation 2018/389 (RTS).
- Additional open-banking providers such as Plaid are planned as we move beyond the closed beta for broader geographic coverage.
2. Crypto-Asset Tracking (MiCA posture)
Spendable provides read-only crypto-asset tracking. We do not hold, custody, trade, or execute orders on crypto-assets, and we do not offer advice on crypto-assets. Our activity therefore falls outside the ten exhaustive crypto-asset services listed in Art. 3(1)(16) of Regulation (EU) 2023/1114 (MiCA), and no CASP authorization is required. Crypto-asset values are highly volatile; displayed prices are indicative only and do not constitute investment advice.
3. Encryption
- In transit: TLS 1.3 end-to-end across the website, mobile app, and all API connections. HSTS enforced with preload.
- At rest: AES-256 on Firebase-managed data stores (Google Cloud default encryption with key rotation).
- Secrets management: API keys and service credentials live exclusively in server-side environment variables on Vercel and are never exposed to the browser.
4. Authentication and Access
- Firebase Authentication with email/password, Sign in with Apple, and Sign in with Google (OAuth 2.0).
- Email verification is required before access to the paid product is activated.
- Tokens are short-lived and rotated automatically by Firebase.
- Server-side entitlement verification against RevenueCat prevents client-side tampering with the paid state.
5. Infrastructure
The Spendable website and its API routes run on Vercel (SOC 2 Type II, ISO 27001, ISO 27701 at the platform level). Firebase (Google Cloud) hosts authentication and application data under Google's SOC 2 / ISO 27001 / ISO 27017 / ISO 27018 program. Cloudflare sits in front of the site for DDoS protection and bot management. We rely on these platforms' inherited controls; Spendable itself is not yet SOC 2 audited, and we never claim otherwise.
6. Sub-processors and Data Transfers
The full list of sub-processors, including their purpose and location, is published on a dedicated page and kept in sync with our Privacy Policy.
International transfers outside the EEA (primarily to the United States) rely on the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914/EU) and, where applicable, the EU-US Data Privacy Framework Adequacy Decision of 10 July 2023.
7. AI Processing
Where you use AI features, the minimum necessary input is sent to our AI providers (OpenAI and Anthropic). We do not transmit identifiers such as name, email, IBAN, card numbers, or authentication credentials. Both providers contractually commit not to use API data to train their models. You can disable AI features in your account settings.
8. Operational Security
- Least-privilege access to production: service accounts scoped per integration (Firebase, RevenueCat, OneSignal, Google Sheets).
- Rate limiting on all public API routes (sign-up, verification, promo validation, user creation) to mitigate brute-force and abuse.
- Server-side input validation with Zod on all API routes.
- Timing-safe comparisons for promo-code validation to prevent side-channel leaks.
- Dependency updates and automatic security advisories via the Next.js and GitHub toolchain.
9. Personal-Data Breach Notification
In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk, we will also inform affected users under Art. 34 GDPR in clear and plain language.
10. Responsible Disclosure
If you believe you have found a security vulnerability in Spendable, please report it privately to security@spendable.pro. We commit to:
- Acknowledge receipt within 3 business days.
- Keep you updated on triage and remediation timelines.
- Not pursue legal action against researchers who act in good faith, avoid accessing data beyond what is strictly needed to demonstrate the issue, and do not disclose the issue publicly before coordinated disclosure.
We do not currently run a paid bug-bounty program, but we publicly credit researchers who ask for recognition.
11. Beta Status Disclosure
Spendable is offered as a closed beta via Apple TestFlight. The service is actively evolving, features may change, and occasional interruptions are possible. Security controls are reviewed continuously and will be hardened further as we move beyond the beta.
12. Contact
Security questions and responsible-disclosure reports: security@spendable.pro. Privacy-related requests: hello@spendable.pro.