Security
Last updated: 22 May 2026
How we protect your data
- Transport encryption. Every request between your browser and our servers uses HTTPS.
- At rest. The database is encrypted at rest by the managed provider.
- Authentication. Password hashes use bcrypt with a per-user salt. JWT bearer tokens are short-lived; refresh tokens rotate.
- Per-user isolation. Every API query is scoped to the authenticated user. Access to team and organisation data is enforced at the query layer.
What we never store
- The uploaded statement file itself — only the parsed rows.
- Your bank login credentials. We never ask for them; we only read statements you upload.
- Full card numbers or CVCs.
Reporting a vulnerability
If you believe you've found a security issue, please email security@ledgers.app with a description, steps to reproduce, and any proof-of-concept. We respond within 48 hours and, with permission, credit responsible-disclosure reporters by name on this page.
Status
Operational updates and historical incidents are published on our status page (linked from the footer once available).