Trust & Safety
Your business bank data is sensitive. Here is exactly how we protect it — no vague promises, just clear facts about what we do and why you can trust us with your account information.
We use FCA-regulated Open Banking. We can see your transactions but we can never move money or take any action on your account.
All data is encrypted in transit and at rest. Access tokens are individually encrypted using AES-256 before being stored in our database.
We operate within the FCA's Open Banking framework and comply fully with UK GDPR and the Data Protection Act 2018.
Security is not an afterthought at Vpayit — it is built into every layer of the product. This page explains in plain terms how your data is handled, stored, and protected, and what frameworks and regulations we operate within.
Vpayit connects to your business bank account using Open Banking — a framework regulated by the Financial Conduct Authority (FCA) under the Payment Services Regulations 2017, which implemented the EU's PSD2 directive into UK law.
We use TrueLayer as our Open Banking provider. TrueLayer is authorised and regulated by the FCA as an Account Information Service Provider (AISP) under the Payment Services Regulations 2017 (FRN: 793171).
Vpayit and TrueLayer have read-only access to your account information. Neither we nor TrueLayer can initiate payments, transfer money, or take any action on your account. Your bank login credentials are never shared with us.
When you connect your bank account, you authenticate directly with your bank — not with Vpayit. Your login details never pass through our systems.
All data transmitted between your browser or device and Vpayit's servers is encrypted using TLS 1.2 or higher with 256-bit encryption. This applies to the marketing site, the app, and all API communications.
Data stored in our database (Supabase PostgreSQL) is encrypted at rest. Open Banking access tokens and refresh tokens — the credentials that allow us to retrieve your transaction data — are individually encrypted using AES-256 before being written to the database. Encryption keys are stored separately from the database and rotated regularly.
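The paragraph above describes three properties of token storage: each token is encrypted individually with AES-256, the keys are held apart from the database, and the keys are rotated. The Go program below is an added illustration of that pattern and is not Vpayit's code; the `Keyring` type, the demo keys derived from labels, the choice of GCM as the AES mode, the `"<keyID>:<base64>"` storage format, and the use of the owning user ID as associated data are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Keyring holds application-level AES-256 keys indexed by a short key ID.
// The keys live outside the database (secrets manager or KMS), so a dump of
// the token table alone yields nothing usable. Constructed for this example.
type Keyring struct {
	Current string            // key ID used for new encryptions
	Keys    map[string][]byte // key ID -> 32-byte key
}

// NewDemoKeyring builds a ring with two deterministic demo keys so the example
// runs offline. Real keys must come from a CSPRNG or a KMS, never from labels.
func NewDemoKeyring() *Keyring {
	k1 := sha256.Sum256([]byte("demo-key-1"))
	k2 := sha256.Sum256([]byte("demo-key-2"))
	return &Keyring{Current: "k1", Keys: map[string][]byte{"k1": k1[:], "k2": k2[:]}}
}

// Rotate makes keyID the key for new encryptions. Older key IDs stay in the
// ring so existing rows remain readable until they are re-encrypted.
func (k *Keyring) Rotate(keyID string) error {
	if _, ok := k.Keys[keyID]; !ok {
		return fmt.Errorf("unknown key id %q", keyID)
	}
	k.Current = keyID
	return nil
}

func (k *Keyring) gcmFor(keyID string) (cipher.AEAD, error) {
	key, ok := k.Keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptToken seals one access or refresh token with AES-256-GCM under the
// current key. aad binds the ciphertext to its owning record (here a user ID),
// so a value copied into another row will not decrypt.
// Stored form: "<keyID>:<base64(nonce || ciphertext)>".
func (k *Keyring) EncryptToken(token, aad string) (string, error) {
	gcm, err := k.gcmFor(k.Current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(token), []byte(aad))
	return k.Current + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptToken reverses EncryptToken, selecting the key by the stored key ID.
// Any change to the nonce, ciphertext or aad fails GCM authentication.
func (k *Keyring) DecryptToken(stored, aad string) (string, error) {
	keyID, enc, found := strings.Cut(stored, ":")
	if !found {
		return "", errors.New("malformed stored token")
	}
	gcm, err := k.gcmFor(keyID)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", errors.New("token authentication failed")
	}
	return string(pt), nil
}

func main() {
	kr := NewDemoKeyring()
	stored, _ := kr.EncryptToken("constructed-refresh-token", "user-42")
	fmt.Println("stored:", stored)
	tok, err := kr.DecryptToken(stored, "user-42")
	fmt.Println("decrypted:", tok, "err:", err)
	_, err = kr.DecryptToken(stored, "user-99") // wrong owner: authentication fails
	fmt.Println("wrong-owner err:", err)
}
```

Two design points carry the weight here. Prefixing the key ID lets the ring hold old and new keys at once, which is what makes regular rotation practical without a downtime window. The associated data ties each ciphertext to its row, so a database-level copy of one user's encrypted token into another user's record is rejected rather than silently honoured.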
Passwords are never stored in plain text. User authentication is handled by Supabase Auth using industry-standard bcrypt hashing.
Vpayit's infrastructure is hosted on the following platforms, all of which operate within the UK and EU:
All platforms are ISO 27001 certified or SOC 2 Type II compliant. Data is backed up automatically and retained securely.
Access to customer data within Vpayit is controlled at multiple levels:
Vpayit operates in compliance with the following UK laws and regulations:
We are registered with the Information Commissioner's Office (ICO) as a data controller as required under the Data Protection Act 2018.
We use a small, carefully chosen set of third-party services. Each has been selected in part for its security credentials:
We have Data Processing Agreements (DPAs) in place with each of these providers as required by UK GDPR Article 28.
We conduct regular security reviews of our codebase and infrastructure. Dependencies are monitored for known vulnerabilities and updated promptly.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours as required by UK GDPR Article 33, and will notify affected users without undue delay as required by Article 34.
To report a security vulnerability, please email [email protected] with the subject line "Security Vulnerability". We take all reports seriously and will respond within 48 hours.
Contact us at [email protected]. For vulnerability reports, please include "Security Vulnerability" in the subject line. We aim to respond within 48 hours.