Security at Savyy
Protecting your financial data is foundational to everything we build. From infrastructure design to application logic, every layer of our platform enforces strict security controls to keep your information safe and under your control.
Built for trust
Multiple layers of defense work in concert to protect your financial data at every stage.
Savyy operates with strictly read-only permissions on your bank accounts. We cannot initiate payments, execute transfers, or modify your accounts in any way. We can only retrieve transaction data.
All data is protected using industry-standard cryptographic protocols. Data in transit is secured with TLS 1.2+, and data at rest is encrypted with AES-256. Sensitive fields use AES-256-GCM authenticated encryption.
Automatic categorization strips identifiers from transaction descriptions. Every other AI feature is off by default and receives data only after you enable it. Your data is never sold.
Authentication is powered by a battle-tested open-source framework with OAuth 2.0, email-based one-time passwords, and cryptographically signed session tokens to ensure only you can access your account.
European Infrastructure
Our platform is distributed across PlanetScale, Hetzner, and Cloudflare, all configured to operate within European regions.
All relational data is hosted on PlanetScale, a managed database platform backed by Google Cloud infrastructure in European regions, delivering high availability and horizontal scalability.
Application servers and compute workloads run on Hetzner infrastructure in Germany, providing high-performance European hosting with full data sovereignty.
Object storage and edge services are operated through Cloudflare, with data jurisdiction configured to the European Union for secure, low-latency asset delivery.
Automated encrypted backups with point-in-time recovery ensure data durability and rapid restoration across all infrastructure layers.
How we protect your data
A clear overview of the safeguards applied to your financial information.
Identifiers are stripped from transaction descriptions before automatic categorization
Beyond the AI features you enable, your financial data stays within our EU infrastructure
AI requests are processed by Anthropic and OpenAI through Vercel AI Gateway, and only after you enable AI features in the app; the one exception is instrument search, which sends only the search text you type. Automatic transaction categorization sends sanitized descriptions with identifiers removed; the assistant sends the financial data needed to answer the questions you ask it. Your name, email, and banking credentials are never transmitted.
No-Training Guarantee
Cybersecurity Assessments
Proactive security posture through continuous monitoring and independent evaluation.
We conduct regular external cybersecurity audits and penetration testing to identify and remediate vulnerabilities before they can be exploited.
Security FAQ
Answers to common questions about how we safeguard your data.
Yes. All data is encrypted with AES-256 at rest and TLS 1.2+ in transit. Sensitive fields such as IBANs and provider tokens use AES-256-GCM authenticated encryption with per-record initialization vectors.
We never sell or rent your data. We share it only with the service providers needed to run Savyy, such as our banking aggregator and payment processor. If you enable AI features, the data described in our privacy policy is processed by Anthropic and OpenAI. Automatic categorization sends transaction descriptions with identifiers removed, and none of it is used to train their models.
Upon account deletion, all personal data and financial records are permanently purged from our systems within 30 days, in accordance with our data retention policy.
We welcome responsible disclosure. If you identify a potential vulnerability or have security concerns, please contact our team and we will acknowledge your report within 24 hours.
All data is hosted within the European Union: on PlanetScale (managed database on Google Cloud, EU region), Hetzner (Germany) for application compute, and Cloudflare (EU jurisdiction) for object storage and edge delivery.
Questions about security?
Our team is available to address any security or privacy inquiries.
Have a security concern, a privacy question, or discovered a potential vulnerability? We value responsible disclosure and are committed to transparency about our security practices. We will respond within 24 hours.
Contact us