Security

How Open Balance protects your data.

Zero-knowledge by design

Your accounts, balances, income, payments, debts, notes, labels, categories, scenarios, and forecast settings are encrypted on your own device before any of it reaches us. We use keys we never see, so we physically cannot read your financial data. That isn't a policy we promise to follow, it's a design choice we can't override. If we receive a request for your data from a third party, there is nothing readable here to hand over. Full detail on what is encrypted versus what we can read is in our Privacy notice.

Encryption

Your vault data is locked using military-grade encryption. Think of it like a super-secure safe with a 256-digit combination lock. The encryption method (XChaCha20-Poly1305) makes sure your data stays private AND anyone trying to tamper with it would be detected. Even if someone stole the entire database, they couldn't reverse-engineer your password because they're missing this extra secret ingredient. Each saved item in your vault is "tagged" with information about who owns it, what type of record it is, and its version number. This prevents hackers from swapping records around or tricking the system with old versions—it's like having a unique fingerprint on every piece of data.

Built to international security standards

The Open Balance platform is built to align with the control frameworks of ISO 27001 (information security management) and SOC 2 (security, availability, and confidentiality trust services criteria). We structure our policies, access controls, change management, monitoring, and incident response against these standards.

UK-only infrastructure

Open Balance is a UK-incorporated company serving UK-only users. All servers that store or process data are located in the United Kingdom. Financial data is not transferred outside the UK. Stripe, our billing processor, is the single exception, card payments necessarily involve a global network, but your payment details are handled entirely by Stripe and we never see your full card number.

Mandatory two-factor authentication

Every Open Balance account requires two-factor authentication. There is no way to disable it. Combined with the zero-knowledge architecture, this means that even if someone obtains your password, they cannot access your vault without your second factor, and even if someone breaches our servers, your financial data is ciphertext they cannot decrypt.

No bank linking, no third-party access

Open Balance never connects to your bank, and never will. There's no open banking integration, no account aggregation, and no third-party data access of any kind. Every figure in your vault comes from what you enter yourself. No third-party analytics, advertising, or tracking scripts run on authenticated pages. This keeps it open and accessbile to everyone.

Reporting a security issue

If you find a security vulnerability in Open Balance, email security@openbalance.co.uk. We'll acknowledge your report within 72 hours and keep you informed as we work on it. Please give us a reasonable window to fix the issue before disclosing it publicly. The Terms of Service require prior written permission before probing our infrastructure; security researchers reporting issues in good faith through the email above are exempt from that restriction.

Further reading

Privacy notice: what data we process, why, and your rights under UK GDPR.
Terms of Service: the full agreement between you and us.
FAQ: common questions about data access, deletion, and account security.