Please report any vulnerabilities to email@example.com, encrypted with our public key.
We don’t have a running bug bounty program, but we will consider rewards for serious vulnerabilities we haven’t encountered yet.
Our public GPG key is available at https://get.kontomatik.com/keys/kontomatik.asc
- Our services are hosted in Google Cloud Platform provided by Chmura Krajowa. The servers are physically located in Frankfurt (Germany) and Amsterdam (Netherlands). Using the services of Chmura Krajowa ensures that Kontomatik is compliant with regulations set out by the Polish Financial Supervision Commission (KNF).
- Kontomatik processes personal data only in the EU area in accordance with the GDPR recommendations.
- Kontomatik complies with the highest market security standards and practices and holds ISO/IEC 27001 certification for its Information Security Management System. We renew our certification yearly.
- We follow a least-privilege policy: only the necessary, trained employees have access to Kontomatik production servers and the network.
- Each data access is logged and monitored.
- We strive to run only the highest-quality code in production. Source code must pass automated tests and a code review before going live.
- We do not outsource software development.
- Bank credentials will never pass through your servers. Kontomatik SignIn Widget encapsulates the login process end to end.
- We don’t have access to the bank credentials during the standard AIS process. The only exception is when the fallback mechanism is used: then the bank credentials are temporarily held in volatile memory (RAM) and are discarded soon after logging the user into the bank.
- Financial data is removed automatically from Kontomatik servers after 24 hours. Clients can remove data sooner by using the appropriate endpoint in our API.
- Kontomatik connects with banks over HTTPS, the very same way the end user would using their web browser. Kontomatik checks the validity of the bank’s certificate on each and every request.
- The API client connects with Kontomatik using high-grade HTTPS (by default).
- We require two-factor authentication of API clients: an API key and an IP whitelist. Moreover, each session gets a unique id that allows retrieval of the financial data only in combination with the API key that opened it.
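The following is an added illustration, not Kontomatik’s own code, of how the three checks above fit together on the server side: the API key is verified, the request’s source IP is matched against the allowlist registered for that key, and the session id is accepted only when it was issued to the same key. The client registry, keys and addresses are constructed for the example; the real API, endpoints and key format are not shown on this page.

```python
import hmac
import ipaddress
import secrets

# Constructed client registry (hypothetical): API key -> allowed source networks.
CLIENTS = {
    "demo-api-key-0001": [ipaddress.ip_network("203.0.113.0/24")],
    "demo-api-key-0002": [ipaddress.ip_network("198.51.100.0/24")],
}


class SessionStore:
    """In-memory map of session id -> API key that opened the session."""

    def __init__(self):
        self._sessions = {}

    def create(self, api_key):
        session_id = secrets.token_urlsafe(32)  # unguessable, unique per session
        self._sessions[session_id] = api_key
        return session_id

    def owner(self, session_id):
        return self._sessions.get(session_id)


def _lookup_key(presented):
    """Return the registered key equal to `presented`, or None.

    Every registered key is compared in constant time so that a wrong key does
    not leak, through timing, how much of a real key it matched."""
    found = None
    for stored in CLIENTS:
        if hmac.compare_digest(presented.encode(), stored.encode()):
            found = stored
    return found


def _ip_allowed(api_key, source_ip):
    """True if the request's source address lies in one of the key's networks."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in CLIENTS[api_key])


def open_session(api_key, source_ip, store):
    """Both factors (key + source IP) must pass before a session id is issued.
    Returns the new session id, or None if either check fails."""
    key = _lookup_key(api_key)
    if key is None or not _ip_allowed(key, source_ip):
        return None
    return store.create(key)


def authorize_request(api_key, source_ip, session_id, store):
    """Re-check every data request: key, source IP, and that the session id
    was issued to this very key. Returns (allowed, reason)."""
    key = _lookup_key(api_key)
    if key is None:
        return False, "unknown API key"
    if not _ip_allowed(key, source_ip):
        return False, "source IP not on allowlist"
    if store.owner(session_id) != key:
        return False, "session not bound to this API key"
    return True, "ok"
```

The point the last check makes is that a leaked session id on its own is worthless: a request carrying a valid session id but a different API key, or the right key from an address outside the allowlist, is refused before any data is returned.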