The controls behind the hosted beta.
StatementStudio handles financial documents, so this page lists concrete controls that are actually in place — not certifications we have not earned and not controls we have only planned.
Last updated: 30 June 2026 · Hosted beta
Hosted architecture
Statements are processed on hosted server infrastructure. The public site, the same-origin API path, and private object storage are separate components. The browser never receives owner or storage credentials; the public page reaches the service through a same-origin proxy.
In transit
All traffic is served over HTTPS, with HTTP redirected to HTTPS and HTTP Strict Transport Security enabled. Public pages carry a conservative Content-Security-Policy and standard hardening headers (nosniff, frame protection, and a referrer policy).
Scoped, anonymous job access
Each upload creates an anonymous job with its own scoped access token. One job cannot read another job’s source, data, or exports. There is no account, so there is no shared login to compromise.
Private storage and source handling
The uploaded PDF, its generated preview, the extracted data, and any exports are kept in private storage scoped to the job. The original PDF is never altered, and no transaction or monetary value is invented during extraction.
Protected sensitive routes
Job, review, source, export, and API responses are served with Cache-Control: no-store, Referrer-Policy: no-referrer, and X-Robots-Tag: noindex, nofollow, so these responses are neither cached nor indexed. These routes do not load third-party behavioural analytics or trackers.
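As an added illustration, not StatementStudio's own code, the hypothetical Python WSGI middleware below enforces that header set on job-scoped routes and includes a self-check a reviewer can run against any response; the route prefixes are assumed, not taken from the service.

```python
"""Hypothetical middleware for the sensitive-route headers described above."""
from typing import Iterable

# Assumed URL layout for the job-scoped and API routes (not the service's real paths).
SENSITIVE_PREFIXES = ("/jobs/", "/review/", "/source/", "/export/", "/api/")

# The header set every sensitive response must carry, exactly as stated above.
SENSITIVE_HEADERS = {
    "Cache-Control": "no-store",
    "Referrer-Policy": "no-referrer",
    "X-Robots-Tag": "noindex, nofollow",
}


def is_sensitive(path: str) -> bool:
    """True when the request path belongs to a job-scoped or API route."""
    return path.startswith(SENSITIVE_PREFIXES)


def apply_sensitive_headers(path: str, headers: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return response headers with the no-store/no-referrer/noindex set enforced.

    Upstream values for those three headers are replaced rather than merged, so a
    permissive Cache-Control set deeper in the stack cannot leak through."""
    headers = list(headers)
    if not is_sensitive(path):
        return headers
    managed = {name.lower() for name in SENSITIVE_HEADERS}
    kept = [(k, v) for k, v in headers if k.lower() not in managed]
    return kept + list(SENSITIVE_HEADERS.items())


class SensitiveRouteHeaders:
    """WSGI wrapper: applies apply_sensitive_headers to every response of the wrapped app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")

        def _start(status, headers, exc_info=None):
            return start_response(status, apply_sensitive_headers(path, headers), exc_info)

        return self.app(environ, _start)


def check_response(path: str, headers: Iterable[tuple[str, str]]) -> list[str]:
    """Defender self-check: list headers that are missing or wrong on a sensitive route."""
    if not is_sensitive(path):
        return []
    got = {k.lower(): v for k, v in headers}
    return [f"{k}: expected {v!r}, got {got.get(k.lower())!r}"
            for k, v in SENSITIVE_HEADERS.items() if got.get(k.lower()) != v]
```

Running check_response against captured responses from a staging deployment is a cheap regression test that the no-store/no-referrer/noindex policy has not been lost behind a new cache or CDN layer.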
API exposure
The direct API is owner-gated. Interactive API documentation and the machine schema are disabled in production, so the API surface is not publicly browsable. The only public API path is the same-origin capabilities and upload proxy.
Verified deletion
When you delete a job, the service revokes its access, deletes the stored source, preview, extracted data, and exports, and leaves only a content-free record that the job is gone. Deleted content cannot be recovered. Jobs are also configured to expire automatically; the exact expiry window is published here once it is operationally verified.
Abuse limits
Anonymous uploads are subject to per-session abuse limits so the service cannot be trivially overrun. Rate limiting does not treat a network address as proof of identity. Stronger edge-level controls are being rolled out as the public beta scales.
Logging boundaries
Operational logs record safe technical metadata only. Statement contents, account numbers, names, descriptions, amounts, access tokens, and storage locations are not written to logs.
What we do not claim
We do not claim any security certification or compliance attestation, and we avoid security marketing superlatives. We do not publish a model-use or data-handling guarantee for extraction providers until it is backed by their contractual terms. When any of these is evidenced, it is stated here exactly.
See Privacy for what is collected and Terms for the conditions of use.