Security & Data Handling
Written for your compliance team.
This page describes exactly how Sorae handles bank statement data: what we process, what we keep, what we never keep, and who our sub-processors are. If your due-diligence checklist needs something that isn't answered here, ask us directly.
Data lifecycle
What happens to a statement, start to finish.
01 · Upload
A bank statement PDF is submitted over TLS via the dashboard or the REST API, authenticated with a scoped API key.
02 · In-memory analysis
The PDF is parsed and analysed in memory. The document itself is never written to disk or object storage at any point in the pipeline.
03 · Document disposal
Once analysis completes, the PDF and extracted raw text are discarded. There is no queue, cache, or backup that retains the original document.
04 · Result retention
The structured analysis result (income figures, expense breakdown, risk flags, transaction ledger) is stored against your account so reports can be reopened from your dashboard. It is accessible only to your account and is removed when your account is deleted.
In short: the document is never retained; the derived result is retained under your account's control so that reports remain reopenable and auditable.
Controls
Technical measures in place.
No document retention
Statement PDFs and raw extracted text are processed in memory only and discarded after analysis completes.
Scoped API keys
API access is authenticated per key. Keys can be created, labelled, and revoked from the dashboard at any time.
Encryption in transit
All traffic — dashboard, API, and internal service calls — runs over TLS. Data at rest is encrypted by the underlying database provider.
Account-scoped access
Stored analysis results are queryable only by the account that created them. There is no cross-tenant access path.
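As an added illustration, not Sorae's own schema or code, of how account-scoped access to stored results can be enforced at the database layer on Supabase/PostgreSQL using row-level security (the table and column names are assumptions made for this example):

```sql
-- Illustrative Supabase/PostgreSQL row-level security for account-scoped
-- analysis results. Table and column names are assumed for this example.

create table analysis_results (
    id          uuid primary key default gen_random_uuid(),
    account_id  uuid not null references auth.users (id) on delete cascade,
    created_at  timestamptz not null default now(),
    result      jsonb not null  -- income figures, expense breakdown, risk flags, ledger
);

-- With RLS enabled and no policy, API roles see no rows at all: access is
-- denied by default and opened only by the policies below.
alter table analysis_results enable row level security;

-- Read, insert and delete are each limited to the caller's own account.
-- auth.uid() is Supabase's helper that returns the authenticated user's id
-- from the request JWT; a request with no JWT yields NULL and matches nothing.
create policy "own results: select" on analysis_results
    for select using (auth.uid() = account_id);

create policy "own results: insert" on analysis_results
    for insert with check (auth.uid() = account_id);

create policy "own results: delete" on analysis_results
    for delete using (auth.uid() = account_id);

-- "on delete cascade" on account_id removes a user's stored results when the
-- account row is deleted, matching the retention rule described above.

-- Verification that no cross-tenant path exists: impersonate the API role
-- with another user's JWT subject claim and confirm zero foreign rows are
-- visible. Done in a transaction so the role switch is discarded afterwards.
begin;
set local role authenticated;
set local request.jwt.claim.sub = '00000000-0000-0000-0000-000000000001';
select count(*) from analysis_results
where account_id <> '00000000-0000-0000-0000-000000000001';  -- expected: 0
rollback;
```

Note that the Supabase service-role key bypasses RLS entirely, so in this pattern it must stay server-side and never be issued to dashboard or API clients.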
Sub-processors
Third parties that touch data on our behalf.
Each sub-processor is used for a specific, limited purpose. None of them receives the original statement PDF.
Supabase
Authentication, account data, credit balances, and stored analysis results (PostgreSQL).
PayFast
Payment processing for credit packs. Sorae never sees or stores card details — PCI DSS scope sits entirely with PayFast.
Resend
Transactional email — signup verification, password resets, billing notifications, and contact-form delivery.
AI model providers
Generation of the plain-language analyst summary from the structured analysis output.
POPIA
Sorae operates as an operator under POPIA, processing personal information on the instruction of the responsible party (you). Our privacy policy and PAIA manual cover the formal detail.