Security and GDPR
Accounting holds sensitive data: revenue, expenses, customers, suppliers and bank movements. Aikount is designed to handle that information with GDPR safeguards and to never ask you for more access than strictly necessary.
EU hosting
Your data is hosted in the European Union, within the framework of the General Data Protection Regulation (GDPR). We don't move your books outside the EU to operate them.
PSD2 bank connection: we never see your credentials
The connection to your bank always goes through regulated open-banking providers (PSD2) —Ponto Connect, Salt Edge and GoCardless—, not directly against the bank.
- Aikount never sees or stores your bank username and password. You authenticate in the regulated provider's or the bank's own environment.
- Access is read-only: Aikount reads movements and balances, it cannot move money.
- You can revoke access whenever you want from the provider or from Aikount.
For the connection details, see Connect your bank (PSD2).
Aikount doesn't need —or ask for— your online banking login. If any tool asks you for it directly, be suspicious.
Multi-tenant isolation
Each company is an isolated workspace (tenant). Every data query is scoped to the company it belongs to, so one company's data is not accessible from another. When you invite someone, they only reach the specific company you granted them access to (see Team and roles).
Encrypted integration secrets
Your integration credentials (for example, the keys to connect Stripe, PayPal or the bank providers) are stored encrypted at rest. They're not shown in clear text or exposed once configured.
Good practices on your side
- Give each person the minimum role they need (read-only vs. edit).
- Revoke access for anyone who leaves the team or the firm.
- Treat your API keys (
agl_) like passwords: don't share or publish them. - Revoke any bank access or key you no longer use.
Contact
For any privacy, security or GDPR rights request, write to us at [email protected].
Related
- Connect your bank (PSD2) — how the regulated connection works.
- Team and roles — permissions and per-company isolation.
- Authentication and API keys — how
agl_keys are created and revoked.