Built for the bank's side of the API call.

Financial transaction data is sensitive by definition. Spendaq's security architecture starts from that premise — not as an afterthought.

What we do to protect your data

TLS 1.3 in transit

All API traffic encrypted end-to-end. TLS 1.2 accepted for legacy clients; TLS 1.0/1.1 rejected.

Isolated compute

Each customer's transaction batch processed in ephemeral isolated containers. No cross-customer data access.

Zero retention

Transaction data not stored after classification. No data lake, no training on your data. Container destroyed after response.

SOC 2 controls in progress

Designed with SOC 2 Type II controls from day one. Audit roadmap active. We'll share the report when available.

API key scoping

Fine-grained key permissions. Rotate keys without service interruption. Separate keys per environment.

Audit log API

Full request/response audit trail available via API for compliance teams. Timestamped, tamper-evident.

The security data path

Client (Banking App) → TLS 1.3 → API Gateway (Auth + Rate Limit) → Isolated Container (Classify + Forecast; zero data persistence, ↳ destroyed after response) → 200 OK Response (corrected categories) → Client (Data delivered)

Zero retention — no transaction data stored after classification

Security issues?

If you discover a potential security vulnerability in Spendaq's API or infrastructure, we want to know. Please email [email protected] with details. We'll acknowledge within 24 hours and keep you informed as we investigate.
