
Security & Data Handling

Written for your compliance team.

This page describes exactly how Sorae handles bank statement data: what we process, what we keep, what we never keep, and who our sub-processors are. If your due-diligence checklist needs something that isn't answered here, ask us directly.

Data lifecycle

What happens to a statement, start to finish.

01 · Upload

A bank statement PDF is submitted over TLS via the dashboard or the REST API, authenticated with a scoped API key.

02 · In-memory analysis

The PDF is parsed and analysed in memory. The document itself is never written to disk or object storage at any point in the pipeline.

03 · Document disposal

Once analysis completes, the PDF and extracted raw text are discarded. There is no queue, cache, or backup that retains the original document.

04 · Result retention

The structured analysis result (income figures, expense breakdown, risk flags, transaction ledger) is stored against your account so reports can be reopened from your dashboard. It is accessible only to your account and is removed when your account is deleted.

In short: the document is never retained; the derived result is retained under your account's control so that reports remain reopenable and auditable.

Controls

Technical measures in place.

No document retention

Statement PDFs and raw extracted text are processed in memory only and discarded after analysis completes.

Scoped API keys

API access is authenticated per key. Keys can be created, labelled, and revoked from the dashboard at any time.

Encryption in transit

All traffic — dashboard, API, and internal service calls — runs over TLS. Data at rest is encrypted by the underlying database provider.

Account-scoped access

Stored analysis results are queryable only by the account that created them. There is no cross-tenant access path.

Sub-processors

Third parties that touch data on our behalf.

Each sub-processor is used for a specific, limited purpose. None of them receives the original statement PDF.

Supabase

Authentication, account data, credit balances, and stored analysis results (PostgreSQL).

PayFast

Payment processing for credit packs. Sorae never sees or stores card details — PCI DSS scope sits entirely with PayFast.

Resend

Transactional email — signup verification, password resets, billing notifications, and contact-form delivery.

AI model providers

Generation of the plain-language analyst summary from the structured analysis output.

POPIA

Sorae operates as an operator under POPIA, processing personal information on the instruction of the responsible party (you). Our privacy policy and PAIA manual cover the formal detail.


Sinneo Group (Pty) Ltd

© 2026 Sinneo Financial Technologies (Pty) Ltd