Security at Lekkafy
Last updated: 1 June 2026
Your financial data is sensitive. We've built Lekkafy from the ground up with security as a first-class concern, not an afterthought. Here's exactly what we do to keep you safe.
No Bank Access
We never connect to your bank account. No credentials, no open banking, no third-party account aggregators. You enter what you choose.
Passwordless Auth
We use magic-link authentication only. No passwords are ever created, stored, or transmitted, eliminating the most common attack vector.
Encrypted at Rest
All data is encrypted at rest using industry-standard encryption, hosted on infrastructure in the EU (Ireland region).
Encrypted in Transit
All communication between your device and our servers is encrypted. Connections over plain HTTP are rejected.
Database-Level Access Control
Our database enforces per-user security policies so each user can only ever query their own data. Even a compromised query cannot leak another user's records.
EU Data Residency
Your data is stored and processed in the European Union (Ireland). We do not transfer personal data to countries without adequate protection without SCCs in place.
Authentication & Session Security
- Magic links are single-use, expire after 1 hour, and can only be used once.
- Sessions are stored as signed, tamper-evident JWT tokens with short expiry windows.
- All authentication events (sign-in, sign-out, link requests) are logged with IP address and timestamp for 90 days.
- You can sign out of your account from any device at any time.
AI Processing (Receipt & Statement Scanning)
- When you scan a receipt or import a statement, the image or text is sent to our AI processing provider over an encrypted connection for parsing only.
- Raw document files are not permanently stored on our servers. Only the structured data extracted from them is saved.
Third-Party Subprocessors
We use a minimal set of trusted subprocessors, all operating under data processing agreements:
| Role | Purpose | Data Region |
|---|---|---|
| Infrastructure provider | Database, authentication, file storage | EU (Ireland) |
| AI processing provider | Receipt and statement parsing | EU + US |
| Email delivery provider | Transactional email (magic links) | EU |
Infrastructure Security
- Production access is restricted to authorised personnel via MFA-protected accounts.
- All environment variables and secrets are stored in a dedicated secrets manager, never in source code.
- Dependencies are monitored for known vulnerabilities and updated regularly.
- Automatic backups are performed daily with point-in-time recovery.
Responsible Disclosure
We take vulnerability reports seriously. If you discover a security issue in Lekkafy, please disclose it responsibly:
Security contact: support@lekkafy.com
Please include: description of the issue, steps to reproduce, potential impact, and your contact details. We aim to respond within 72 hours and will keep you updated on our remediation progress.
We ask that you do not publicly disclose the issue until we have had reasonable time to address it.
Your Security Controls
You have direct control over your security posture:
- Delete your account and all associated data at any time from Settings → Security.
- Review and revoke active sessions (coming soon).
- Export all your data on request. Email support@lekkafy.com.