Security and data handling
StatementStudio handles financial documents, so this page lists the controls currently behind the hosted service.
Last updated: 10 July 2026 · Hosted service
Hosted processing
Statements are processed by the hosted service. The browser does not receive storage credentials or privileged service credentials.
In transit
All traffic is served over HTTPS, with HTTP redirected to HTTPS and HTTP Strict Transport Security enabled. Public pages carry a conservative Content-Security-Policy and standard hardening headers (nosniff, frame protection, and a referrer policy).
Scoped job and account access
Each upload creates an anonymous job with its own scoped access token. One job cannot read another job’s source, data, or exports. If you later create and verify an account, the account can access only jobs explicitly linked to it while those jobs remain live. The original job token remains valid until deletion or expiry; an account claim does not turn the job into permanent history.
Account authentication
Account sessions use secure, HTTP-only, same-site cookies backed by server-side session records. Passwords are stored as one-way credential hashes rather than readable text. Email verification is required before account allowance is activated. Optional authenticator-based two-factor authentication uses single-use backup codes and does not provide a trusted-device bypass.
Private storage and source handling
The uploaded PDF, its source view, the extracted data, and any exports are kept in private storage scoped to the job. The original PDF is never altered, and no transaction or monetary value is invented during extraction.
Protected sensitive routes
Job, review, source, export, account, authentication, and API responses are set not to be indexed and not to be stored by shared browser or intermediary caches. They use a no-referrer policy. Job and review routes do not load third-party behavioural analytics or trackers.
Service access
Public access is limited to the product actions on the site: upload, review, source view, export, and delete. Internal service tools are not part of the public product.
Verified deletion
When you delete a job, the service revokes its access, deletes the stored source view, extracted data, and exports, and leaves only a content-free record that the job is gone. Deleted content cannot be recovered. Jobs are also configured to expire automatically; the exact expiry window is published here once it is operationally verified.
Abuse limits
Anonymous uploads are subject to per-session abuse limits so the service cannot be trivially overrun. Account email and reward actions use content-free velocity counters and may require a challenge after repeated requests. A challenge on an account action never blocks the first anonymous conversion. Rate limiting does not treat a network address as proof of identity.
Logging boundaries
Operational logs record safe technical metadata only. Statement contents, account numbers, names, descriptions, amounts, access tokens, and storage locations are not written to logs.
Current limits
We do not claim any security certification or compliance attestation, and we avoid security marketing superlatives. We do not publish a model-use or data-handling guarantee for extraction providers on this page. When those facts are ready to state plainly, this page will say so.
See Privacy for what is collected and Terms for the conditions of use.