Home » Security

Security

Bank statements are sensitive. Here is exactly what happens to yours.

The one-line summary: your PDF is encrypted in transit, processed in memory, and never written to durable storage. It is gone the moment your Excel comes back.

Data in transit

All traffic to the Bank2XL API uses TLS 1.2 or 1.3 (HTTPS).
Certificate provisioning and TLS termination are managed by Cloudflare; we don't operate our own private keys at the edge.
The Chrome extension only talks to https://api.bank2xl.app. It declares no other host permissions.

Data at rest

Your uploaded PDF is never written to disk. The API receives the upload in a request body, holds the bytes in memory, hands them to the extraction pipeline, and discards them once the result is returned.
Generated Excel and CSV files are returned directly to your browser. There is no "history" stored on our servers tied to your statement content.
Account metadata (email, plan tier, Stripe customer ID) is stored in a Postgres database protected by TLS and standard authentication.

AI providers

We use third-party models for OCR and extraction. We pick providers whose terms forbid training on customer content:

Provider	Role	Retention
OpenRouter	LLM gateway	Passes content to upstream; no retention
Google Gemini (via OpenRouter)	Vision extraction	Per Google API terms: no training, no retention beyond serving the request
Datalab (Chandra OCR)	OCR for scanned PDFs	Per Datalab API terms: no retention, no training

What we log

We record service-health and abuse-prevention telemetry only. None of it includes file content.

Timestamps of conversions
Page counts and file sizes
Success / failure status and reconciliation status
Truncated IP (first three octets, last masked) for rate-limiting

Chrome extension permissions

Permission	Why
`storage`	Remember settings, the free-tier counter, and the last 5 recent conversion records (job IDs only) on your device.
`downloads`	Save the converted Excel to your Downloads folder.
Host: `https://api.bank2xl.app/*`	The only network destination the extension is allowed to contact.

The extension does NOT request access to your browsing history, any banking websites, or "all sites". It only acts on files you explicitly hand it.

Operational security

Two-factor authentication on all production accounts.
Production secrets are kept in environment variables, never in source control.
Service worker code is open for inspection: download the extension and read background.js; it is unobfuscated vanilla JS.

What we can't promise

We use industry-standard practices, but no system is unbreakable. If your statement is so sensitive that you would not upload it to any cloud SaaS, please don't upload it to Bank2XL either. If you are a regulated entity (financial advisor, healthcare org with statements containing PHI, etc.) we are happy to discuss an on-premise build — reach out at [email protected].

Reporting a vulnerability

Email [email protected]. We respond within 72 hours. We do not yet have a formal bug bounty program, but we appreciate disclosure and will credit you publicly with your permission.

Join the waitlist Retention policy Privacy Policy