Security

Last Updated: 2026-01-28

Bank PDF Converter implements security controls aligned with SOC 2 Trust Services Criteria. Our infrastructure providers (Cloudflare and Convex) are SOC 2 Type 2 certified. Formal SOC 2 certification for Bank PDF Converter is on our roadmap.

The short version: Your bank statements are encrypted in transit and at rest, automatically deleted based on your chosen retention period (default: 3 days), and processed securely on enterprise-grade infrastructure.

Infrastructure

We run on Cloudflare and Convex, both of which hold SOC 2 Type 2 certifications. This means independent auditors have verified their security controls meet rigorous standards for protecting customer data.

All data is processed and stored in the United States. Our infrastructure includes:

  • DDoS protection at the network level via Cloudflare
  • Physical security controls and 24/7 monitoring at data centers
  • Redundant systems for availability

Data Protection

Encryption

All connections to Bank PDF Converter use HTTPS with TLS encryption. We do not support unencrypted HTTP connections.

Data at rest—including your uploaded bank statements and converted files—is encrypted using AES-256 encryption.

Automatic Deletion

Your files are automatically deleted after your chosen retention period. The default is 3 days, but you can configure this anywhere from 1 to 180 days in your dashboard settings.

You can also delete any file manually at any time from your dashboard—no waiting required.

What We Don't Do

  • We don't sell your data
  • We don't share your data with third parties for marketing

For full details, see our Privacy Policy.

Application Security

Authentication

We use secure, OAuth-based authentication. Sessions are managed with HTTP-only cookies that cannot be accessed by client-side scripts.

Access Controls

Every request to access your data requires authentication. Users can only see and download their own files. There are no shared accounts or team features that could inadvertently expose your data to others.

Rate Limiting

API endpoints are rate-limited to prevent abuse and protect against denial-of-service attacks.

Input Validation

All form inputs are validated and sanitized. State-changing operations include CSRF protection to prevent cross-site request forgery.

Payments

We never see or store your credit card information. All payment processing is handled by Polar, which is powered by Stripe. Stripe is PCI-DSS Level 1 certified—the highest level of certification in the payments industry.

Incident Response

If we ever discover a security incident that affects your data, we will:

  1. Investigate and contain the issue as quickly as possible
  2. Notify affected users and relevant authorities as required by law
  3. Provide clear guidance on any steps you should take

Reporting Security Issues

If you find a security issue, please reach out via our support chat and we'll work to address it.

Questions?

If you have questions about our security practices, contact us.
