Skip to content
Security

Security and data handling

StatementStudio handles financial documents, so this page lists the controls currently behind the hosted service.

Last updated: 10 July 2026 · Hosted service

Hosted processing

Statements are processed by the hosted service. The browser does not receive storage credentials or privileged service credentials.

In transit

All traffic is served over HTTPS, with HTTP redirected to HTTPS and HTTP Strict Transport Security enabled. Public pages carry a conservative Content-Security-Policy and standard hardening headers (nosniff, frame protection, and a referrer policy).

Scoped job and account access

Each upload creates an anonymous job with its own scoped access token. One job cannot read another job’s source, data, or exports. If you later create and verify an account, the account can access only jobs explicitly linked to it while those jobs remain live. The original job token remains valid until deletion or expiry; an account claim does not turn the job into permanent history.

Account authentication

Account sessions use secure, HTTP-only, same-site cookies backed by server-side session records. Passwords are stored as one-way credential hashes rather than readable text. Email verification is required before account allowance is activated. Optional authenticator-based two-factor authentication uses single-use backup codes and does not provide a trusted-device bypass.

Private storage and source handling

The uploaded PDF, its source view, the extracted data, and any exports are kept in private storage scoped to the job. The original PDF is never altered, and no transaction or monetary value is invented during extraction.

Protected sensitive routes

Job, review, source, export, account, authentication, and API responses are set not to be indexed and not to be stored by shared browser or intermediary caches. They use a no-referrer policy. Job and review routes do not load third-party behavioural analytics or trackers.

Service access

Public access is limited to the product actions on the site: upload, review, source view, export, and delete. Internal service tools are not part of the public product.

Verified deletion

When you delete a job, the service revokes its access, deletes the stored source view, extracted data, and exports, and leaves only a content-free record that the job is gone. Deleted content cannot be recovered. Jobs are also configured to expire automatically; the exact expiry window is published here once it is operationally verified.

Abuse limits

Anonymous uploads are subject to per-session abuse limits so the service cannot be trivially overrun. Account email and reward actions use content-free velocity counters and may require a challenge after repeated requests. A challenge on an account action never blocks the first anonymous conversion. Rate limiting does not treat a network address as proof of identity.

Logging boundaries

Operational logs record safe technical metadata only. Statement contents, account numbers, names, descriptions, amounts, access tokens, and storage locations are not written to logs.

Current limits

We do not claim any security certification or compliance attestation, and we avoid security marketing superlatives. We do not publish a model-use or data-handling guarantee for extraction providers on this page. When those facts are ready to state plainly, this page will say so.

See Privacy for what is collected and Terms for the conditions of use.