
Security & Compliance

Current security posture

The controls below describe what is currently implemented in this codebase and where additional compliance work is still required.

Access and consent

Access to bank data begins only after the user has authorized the connection through TrueLayer. The OAuth state parameter is generated and checked server-side, so the authorization callback is validated against the request that started the flow rather than trusted on arrival.

Data transit and integrations

Calls to the Open Banking API and to the AI summary service are made over HTTPS. Integration settings are read from environment variables, and the third-party calls are made from server-side endpoints rather than from the browser. HTTPS protects the data only while it is in transit; how it is held afterwards is covered in the persistence sections below.

Scoped AI usage

The OpenAI call path receives a sanitized payload; raw transaction-level records are not passed to it when lendability summaries are generated.
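One shape such a sanitizer can take, as an added example that is not the project's own code. The transaction field names, the category allow-list and the sample transactions are all constructed for this example; the point it shows is that every field that could identify a person or merchant (descriptions, counterparties, identifiers) is dropped in favour of aggregates before the payload leaves the server, and that a final guard refuses to send anything that still carries such a field.

```javascript
// Added example, not the project's code: reduce raw transactions to an
// aggregate payload for the model call. Field names, the category allow-list
// and the sample data below are constructed for this example.
const ALLOWED_CATEGORIES = new Set([
  "income", "housing", "utilities", "groceries", "transport", "loan_repayment", "other",
]);

// Keys that must never appear in anything sent to the model API.
const FORBIDDEN_KEYS = [
  "description", "merchant", "counterparty", "account_id", "transaction_id", "iban", "sort_code",
];

// Constructed sample input (not real data). Positive amounts are credits, negative are debits.
const SAMPLE_TRANSACTIONS = [
  { transaction_id: "t1", date: "2024-01-25", amount: 2400, currency: "GBP", category: "income", description: "ACME LTD SALARY" },
  { transaction_id: "t2", date: "2024-01-28", amount: -950, currency: "GBP", category: "housing", description: "RENT J SMITH" },
  { transaction_id: "t3", date: "2024-02-03", amount: -120.5, currency: "GBP", category: "groceries", description: "TESCO STORES 1234" },
  { transaction_id: "t4", date: "2024-02-25", amount: 2400, currency: "GBP", category: "income", description: "ACME LTD SALARY" },
  { transaction_id: "t5", date: "2024-02-27", amount: -200, currency: "GBP", category: "gambling", description: "BETCO ONLINE" },
];

// Reduce transactions to per-month aggregates. Only allow-listed categories
// survive; anything else is folded into "other". No free-text field is copied.
function sanitizeForSummary(transactions) {
  const months = new Set();
  const byCategory = {};
  let currency = null;
  let totalIn = 0;
  let totalOut = 0;
  let counted = 0;

  for (const tx of transactions) {
    if (typeof tx.amount !== "number" || !Number.isFinite(tx.amount)) continue;
    if (currency === null) currency = tx.currency;
    else if (tx.currency !== currency) throw new Error("mixed currencies are not supported");
    months.add(String(tx.date).slice(0, 7)); // "YYYY-MM"
    const category = ALLOWED_CATEGORIES.has(tx.category) ? tx.category : "other";
    if (tx.amount >= 0) totalIn += tx.amount;
    else totalOut += -tx.amount;
    byCategory[category] = (byCategory[category] || 0) + Math.abs(tx.amount);
    counted += 1;
  }

  const monthCount = Math.max(months.size, 1);
  const totalsByCategory = {};
  for (const key of Object.keys(byCategory).sort()) totalsByCategory[key] = Math.round(byCategory[key]);

  return {
    currency,
    months_covered: months.size,
    transaction_count: counted,
    avg_monthly_income: Math.round(totalIn / monthCount),
    avg_monthly_outgoings: Math.round(totalOut / monthCount),
    totals_by_category: totalsByCategory,
  };
}

// Last line of defence: refuse to send a payload that still contains a raw field.
function assertNoRawFields(payload) {
  const json = JSON.stringify(payload);
  for (const key of FORBIDDEN_KEYS) {
    if (json.includes(`"${key}"`)) throw new Error(`raw field would leak to model: ${key}`);
  }
  return true;
}

// What the model call path receives instead of the raw records.
function buildPromptPayload(transactions) {
  const payload = sanitizeForSummary(transactions);
  assertNoRawFields(payload);
  return payload;
}

console.log(JSON.stringify(buildPromptPayload(SAMPLE_TRANSACTIONS), null, 2));
```

The allow-list is deliberate: a category the upstream provider invents tomorrow is folded into "other" rather than forwarded verbatim, and the guard at the end catches a future refactor that starts copying a whole transaction object into the payload.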

Application data persistence

In the current build, submitted application snapshots are stored in browser localStorage. That is acceptable for demo workflows only: localStorage is unencrypted, readable by any script running on the same origin, and persists on the device until the user or the application clears it, so it is not suitable for regulated production storage.

Server-side temporary stores

TrueLayer tokens and account metadata are held in in-memory Maps for the lifetime of the process. The store is ephemeral: it is cleared on process restart and is not shared between processes or instances, which also means the tokens live in process memory until the process ends or the entries are explicitly removed.

Operational hardening status

This repository version implements no production-grade key management (KMS), no audit logging pipeline, no SIEM integration, and no enforced data-retention limits.

Compliance note

From a compliance perspective this implementation should be treated as pre-production. Before live rollout, complete a DPIA, formal data-retention policies, penetration testing, secrets governance, and legal/regulatory sign-off.