Security & Compliance
Your financial data is among the most sensitive information your company has. This page describes — in plain language — how FINEO secures it.
EU-only data residency
All customer data is stored and processed in the EU. Our primary application and database are hosted on Hetzner (Germany), with no sub-processors outside the EEA.
Encryption at rest and in transit
Data at rest is encrypted with AES-256. All traffic is secured with TLS 1.2+. BSN numbers and bank tokens are additionally encrypted with a dedicated key-wrapping scheme.
PSD2 via a licensed provider
FINEO connects to your bank via a licensed PSD2 Account Information Service Provider. We only have read access — we cannot initiate payments and we do not store your bank credentials.
GDPR by design
Data subject requests (access, portability, erasure) are handled within 30 days. We keep a data processing register and sign Data Processing Agreements with every business customer.
DNB notice
FINEO itself is not a regulated financial institution. All PSD2 access is provided through a DNB-licensed partner, listed in the DNB public register.
SOC 2 roadmap
We are working towards a SOC 2 Type II attestation. Core controls (access management, change management, incident response, vendor review, business continuity) are already in place and documented.
Report a vulnerability
Found a security issue? Please report it responsibly via our contact form. We acknowledge reports within 2 business days.
Last updated: 18 April 2026