Security at Savyy
Protecting your financial data is foundational to everything we build. From infrastructure design to application logic, every layer of our platform enforces strict security controls to keep your information safe and under your control.
Built for trust
Multiple layers of defense work in concert to protect your financial data at every stage.
Savyy operates with strictly read-only permissions on your bank accounts. We cannot initiate payments, execute transfers, or modify your accounts in any way — we can only retrieve transaction data.
All data is protected using industry-standard cryptographic protocols. Data in transit is secured with TLS 1.2+, and data at rest is encrypted with AES-256. Sensitive fields use AES-256-GCM authenticated encryption.
Personal information is stripped and anonymized before any analytical or AI processing. We never sell, share, or expose your raw financial data to third parties.
Authentication is powered by a battle-tested open-source framework with OAuth 2.0, email-based one-time passwords, and cryptographically signed session tokens to ensure only you can access your account.
European Infrastructure
Our platform is distributed across PlanetScale, Hetzner, and Cloudflare — all configured to operate within European regions.
All relational data is hosted on PlanetScale, a managed database platform backed by Google Cloud infrastructure in European regions, delivering enterprise-grade availability and horizontal scalability.
Application servers and compute workloads run on Hetzner infrastructure in Germany, providing high-performance European hosting with full data sovereignty.
Object storage and edge services are operated through Cloudflare, with data jurisdiction configured to the European Union for secure, low-latency asset delivery.
Automated encrypted backups with point-in-time recovery ensure data durability and rapid restoration across all infrastructure layers.
How we protect your data
A clear overview of the safeguards applied to your financial information.
All personal information is anonymized before any analytical or AI processing
Your raw financial data never leaves our secured infrastructure perimeter
When AI is used to categorize transactions, only anonymized, non-identifiable data is transmitted — never your personal information, account numbers, or raw transaction details.
No-Training Guarantee
Cybersecurity Assessments
Proactive security posture through continuous monitoring and independent evaluation.
We conduct regular external cybersecurity audits and penetration testing to identify and remediate vulnerabilities before they can be exploited.
Security FAQ
Answers to common questions about how we safeguard your data.
Yes. All data is encrypted with AES-256 at rest and TLS 1.2+ in transit. Sensitive fields such as IBANs and provider tokens use AES-256-GCM authenticated encryption with per-record initialization vectors.
No. We never sell, rent, or share your personal financial data. The only external processing involves anonymized transaction metadata sent to AI models for categorization — no personally identifiable information is ever included.
Upon account deletion, all personal data and financial records are permanently purged from our systems within 30 days, in accordance with our data retention policy.
We welcome responsible disclosure. If you identify a potential vulnerability or have security concerns, please contact our team and we will acknowledge your report within 24 hours.
All data is hosted within the European Union — on PlanetScale (managed database on Google Cloud, EU region), Hetzner (Germany) for application compute, and Cloudflare (EU jurisdiction) for object storage and edge delivery.
Questions about security?
Our team is available to address any security or privacy inquiries.
Have a security concern, a privacy question, or discovered a potential vulnerability? We value responsible disclosure and are committed to transparency about our security practices. We will respond within 24 hours.
Contact us