Security

Your data, protected

Voldier™ is financial operations software built on bank-verified data, not a financial institution. We protect collections, payment matching, contract, and cash workflow data with read-only access and strict storage limits.

What Voldier never stores

Bank login credentials

No usernames, passwords, PINs, or any banking credentials. Ever.

Account balances

We do not store your online banking credentials or use your connection to initiate transfers.

Full bank statements

We do not retain full statements indefinitely. We use only the transaction data needed for reconciliation and audit history.

Raw email content

Email bodies are discarded after parsing. Only structured fields (amount, sender, date) are retained.

What we do store

Structured payment data — transaction details from verified bank connections: sender name, amount, date, time, memo, and account metadata needed to match payments to invoices.

Invoice records — the open invoices you create or import, along with their status (unpaid, matched, exported).

Account information — your business name, email address, and billing information for your subscription. Standard SaaS account data.

TLS encryption in transit

All data transmitted between your browser, email parser, and our servers is encrypted with TLS.

Encrypted at rest

Stored data is encrypted at rest with enterprise-grade encryption. Physical server access does not expose data in plaintext.

Immutable audit logs

Every operation is logged with a timestamp. Complete traceability for security review and fraud prevention.

Compliance posture — software, not a financial institution

Voldier is classified under NACE Rev. 2 codes 62.01 / 63.11 (Computer programming and Data processing). We process workflow and reconciliation data, not funds:

What Voldier IS

  • Financial operations software
  • GDPR Data Controller (Voldier Limited, Ireland)
  • Bank-data consumer via licensed PSD2 AISPs

What Voldier is NOT

  • A Payment Institution under PSD2
  • A credit institution under CRD IV
  • A debt-collection agency

Voldier does not transmit, hold, or facilitate the transfer of funds. All financial transactions occur directly between your customers, their banks, and licensed payment service providers.

Regulatory frameworks

  • GDPR — Regulation (EU) 2016/679
  • ePrivacy Directive 2002/58/EC
  • PSD2 — Directive (EU) 2015/2366
  • DORA — Regulation (EU) 2022/2554
  • NIS2 — Directive (EU) 2022/2555

Security controls

  • SOC 2 Type II — working towards certification (2026 roadmap)
  • ISO/IEC 27001 control set (certification on roadmap)
  • ISO/IEC 27701 privacy extension (planned)
  • GDPR Art. 32 technical and organisational measures
  • DORA-aligned ICT risk management
  • 72-hour breach notification (GDPR Art. 33)
  • Hash-chained immutable ledger — every financial write signed into the journal

Lead supervisory authority for data protection: Irish Data Protection Commission (DPC)dataprotection.ie. Data Protection Officer: [email protected].

Platform technical guarantees

Voldier builds on auditable primitives. These defenses are live in production today:

Capital sandbox: Every installed skill declares an explicit whitelist of ledger chains + GL accounts it can touch. Fail-closed by design.
Skill signing: Manifests signed with ed25519 over canonical JSON. The platform rejects skills without valid publisher signature.
Hash-chained journal: Each ledger entry chains to the previous via SHA-256. Tamper-evident audit, deterministic replay.
Permission tiers: Actions classified Safe / Caution / Dangerous. Dangerous actions require explicit authorization per skill.

Security FAQ

Does Voldier store my bank login?

No. Voldier never asks for or stores online banking usernames or passwords. Bank connections stay read-only throughout the reconciliation workflow.

What happens to emails after they're processed?

The raw email body is discarded after the structured fields are extracted. We retain only: sender name, amount, date, and reference. Nothing else.

Is my dedicated inbox secure?

Yes. Your dedicated inbox is receive-only. It cannot send emails. Access is restricted to the Voldier parser. All communication is encrypted with TLS.

Can I delete my data?

Yes. Contact [email protected] with your deletion request. We'll respond within 30 days.