
Security is not a feature. It's the foundation.

Built with bank-grade security from day one. We never touch your money.

PII Encryption at Rest

All personally identifiable information is encrypted with AES-256-GCM before storage. Encryption keys are managed separately from data.
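The encryption described above, as an added illustration that is not COREFINOS's own code: a small Go vault that seals each PII field with AES-256-GCM, takes its key from a separate key store rather than the data tier, and binds every ciphertext to its record ID through the associated data so a blob cannot be moved between records. The type and function names are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// PIIVault seals PII fields with AES-256-GCM. The key comes from a separate
// key store at startup and is never written beside the data rows; each
// ciphertext is bound to its record ID through the associated data (AAD).
type PIIVault struct{ aead cipher.AEAD }

func NewPIIVault(key []byte) (*PIIVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PIIVault{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. A fresh random 96-bit nonce per
// call is mandatory: a repeated nonce under GCM destroys both confidentiality
// and the integrity guarantee.
func (v *PIIVault) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open verifies tag and record binding before releasing any plaintext, so a
// blob copied from another record or altered in storage is rejected.
func (v *PIIVault) Open(recordID string, blob []byte) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(blob) < n+v.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}
```

In a real deployment the key would be fetched from a KMS or HSM and rotated by re-sealing records under a new key; the AAD could additionally carry the field name and key version.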

MFA / TOTP

Two-factor authentication using time-based one-time passwords. Compatible with Google Authenticator, Authy, and other TOTP apps.

JWT Token Rotation

Short-lived access tokens (15 min) with automatic refresh. Token revocation on logout. No persistent sessions.

Rate Limiting

Redis-backed distributed rate limiting across all API endpoints. Per-user and per-IP limits to prevent abuse.

PSD2 Compliant

All Open Banking connections use PSD2-licensed providers. Strong Customer Authentication (SCA) enforced by your bank.

EU Data Residency

All infrastructure runs on Hetzner Cloud in Germany. No data leaves the European Union.

How your payment works (PISP model)

We initiate. Your bank controls. Your money never touches our servers.

1. You Initiate

Request a payment through COREFINOS — a transfer, scheduled payment, or automated rule.

2. We Send to Your Bank

COREFINOS sends the payment instruction to your bank via the PSD2 Open Banking API.

3. Your Bank Authenticates

Your bank asks you to confirm via Strong Customer Authentication (SCA) — fingerprint, PIN, or app confirmation.

4. Your Bank Executes

Your bank moves the money directly. We get a confirmation webhook. You get notified.

AES-256: encryption standard

15 min: access token lifetime

100%: EU data residency

24/7: security monitoring

PISP Model — We Never Touch Your Money

COREFINOS operates exclusively as a Payment Initiation Service Provider. When you initiate a payment through our platform, your bank executes it directly. We never hold, store, or have access to your funds.

Audit Logging

Every administrative action is recorded in an immutable audit log with actor, action, timestamp, IP address, and details. This ensures full traceability for compliance and incident response.

Responsible Disclosure

If you discover a security vulnerability, please report it to security@corefinos.com. We take all reports seriously and will respond within 24 hours.

I recommend COREFINOS to every client who asks me how to get a handle on their finances. The health score alone is worth the subscription.

Thomas K.

Financial Advisor, Vienna

Switching banks used to mean re-doing everything. With COREFINOS, I reconnected in 30 seconds and all my history was still there.

Ana M.

Small Business Owner, Lisbon