Skip to main content
SECURITY & COMPLIANCE

Your bank data deserves better than blind trust.

Calmnect.ai is built on TrueLayer — an FCA-authorised AISP. We operate as its agent under UK open banking regulations. Read-only access. No payments. Consent you own and can revoke any time.

FCA-Authorised AISP
via TrueLayer
Read-Only Access
No payments ever
AES-256-GCM Encryption
Tokens at rest
PSD2 SCA Compliant
90-day re-auth cycle
GDPR Article 17 & 20
Delete & export rights
Consent-First Architecture
Revoke any time
Full Audit Trail
Every data access logged
UK Open Banking
All major UK banks

[ REGULATORY FOUNDATION ]

Regulated access. Not a workaround.

We connect your bank accounts through TrueLayer, one of the UK's leading FCA-authorised Account Information Service Providers. Calmnect.ai operates as a registered agent of TrueLayer — which means your data access is covered by TrueLayer's FCA authorisation, not a grey-area API scrape.

  • Read-only We can see your data. We cannot move money, initiate payments, or modify accounts.

  • Scope-bound consent You explicitly authorise which accounts and data types we may access before any connection activates.

  • 90-day PSD2 cycle Strong Customer Authentication renewal is enforced every 90 days by regulation — not optional.

  • Revoke any time Withdrawing consent immediately halts data refresh and removes stored tokens.

Connections dashboard showing active bank connections with consent scopes and 90-day expiry

[ ENCRYPTION & DATA HANDLING ]

Tokens never touch a log file.

Every access and refresh token is wrapped in AES-256-GCM encryption before it reaches the database. One encrypt path, one decrypt path — no raw tokens in storage, queries, or error traces.

AES-256-GCM at rest

Provider tokens are encrypted with a platform-managed key before storage. Key rotation is procedurally documented.

Encrypted transport

All data in transit uses TLS. TrueLayer's API communicates over HTTPS with mutual certificate validation.

Zero plaintext policy

The encrypt and decrypt helpers are the single gateway. No code path writes or logs an unencrypted token.

Activity and audit log showing every data access event by agent, API key, and timestamp

[ AUDIT & TRANSPARENCY ]

A log that names every accessor.

Every time data leaves the platform — via an agent run, a REST call, an MCP tool, or a webhook — a signed entry is written to your audit log. You can see exactly what was accessed, when, and by which actor.

  • Actor-level detail Entries distinguish between agent type, API key ID, MCP client, and authenticated user.

  • Timestamp + records returned Every log entry includes the endpoint called and how many records were returned.

  • Filterable, searchable Filter by date range, accessor type, or specific key ID from the Technical Dashboard.

  • FCA & GDPR defensible The audit schema satisfies obligations under PSD2 and GDPR Article 30 accountability principles.

[ CONSENT ARCHITECTURE ]

Consent is shown at connection and stored every time it changes.

We don't bury consent in a checkbox. Scope, duration, and revocation rights appear prominently before you authorise any connection — and every change to consent status is written to an immutable event log.

  1. STEP 01 — CONNECT

    Scope disclosed before authorisation

    The connection screen names every data scope being requested — accounts, balances, transactions — and links directly to TrueLayer's terms.

  2. STEP 02 — STORE

    Consent record written immediately

    A consent record captures the granted scopes, timestamp, actor, IP, and user agent. No scope is ever assumed — only what was explicitly granted is used.

  3. STEP 03 — RENEW

    90-day re-auth with reminders

    The platform sends in-app and email reminders at T-14, T-7, and T-1 days. One-tap re-auth reuses the same consent UI against the same connection ID.

  4. STEP 04 — REVOKE

    Revocation is immediate and complete

    Clicking Revoke calls the TrueLayer or Calmony delete-consent endpoint, stops all data sync, and writes a revocation event. Nothing lingers.

0.0sSCOPE REQUESTED: accounts, balances, transactions
0.1sProvider: TrueLayer (FCA-authorised AISP)
0.3sUser authorised consent — expires in 90 days
0.0sINSERT consent { scopes, granted_at, expires_at }
0.2sINSERT consent_event { event: 'granted', actor: user }
0.4sConsent ID: cns_4f9a2c stored encrypted
0.0sT-7 reminder dispatched — in-app + email
0.3sUser completed re-auth flow
0.5sconsent.expires_at extended +90 days
0.0sDELETE consent at TrueLayer: consent_id=cns_4f9a2c
0.2sSync workflow halted for connection
0.4sconsent_event { event: 'revoked' } — immutable

[ YOUR GDPR RIGHTS ]

Rights that actually work.

GDPR rights are not a policy PDF — they're implemented features with real UI flows and verified workflows behind them.

Data export — Article 20

Download everything we hold: connections, accounts, balances, transactions, agent runs, and consent history. Delivered as JSON, Excel, and a human-readable PDF summary to your email.

Full erasure — Article 17

Deleting your account triggers a verified workflow: provider consents revoked, all transactions and balances wiped, agent run history removed. A tombstone receipt is the only thing that remains.

Manage consent & scopes

View every active scope granted to every connection. Withdraw individual scopes or revoke an entire connection from the Technical Dashboard — no support ticket required.

Audit log access

See a filterable record of every time your data was accessed, by which agent, API key, or MCP client, with timestamps and record counts. Yours to query, yours to export.

[ AGENT ACTIVITY ]

AI agents run on your data — you see every run.

Five built-in agents analyse your bank data — Income Verifier, Affordability Scorer, Multi-Account Aggregator, Recurring Payment Detector, Spend Categoriser. Every run is logged with its trigger, duration, input summary, and output. You control when they run and what they connect to.

  • Triggered by Logged whether a run was triggered by you, an API key, an MCP client, a webhook, or a nightly cron.

  • Output downloadable Agent run outputs (including PDF reports from Income Verifier) are stored and available to download.

  • Your data stays your data Agents operate on data already held in your account — they do not transmit raw transactions to third parties.

Agents dashboard showing built-in AI agents and their run history

[ REGULATORY DISCLOSURES ]

What we're required to tell you — and do.

Regulated

Calmnect.ai operates as an agent of TrueLayer Limited, which is authorised by the Financial Conduct Authority as an Account Information Service Provider (AISP) under the Payment Services Regulations 2017.

Read-Only

We are authorised only to read account information. Payment initiation is outside the scope of this service and is not implemented. No money can be moved through Calmnect.ai.

90-Day SCA

PSD2 Strong Customer Authentication requires you to re-authorise each connection every 90 days. We send reminders before expiry and the re-auth takes a single tap.

CONSENT-MGRScope authorisation stored for connection cxn_uk_hsbc_0041just now
TOKEN-VAULTAccess token encrypted AES-256-GCM before write2s ago
AUDIT-LOGdata.read recorded — actor: api_key_7f3a, endpoint: /v1/transactions4s ago
SCA-CRONConnection expiry T-7 reminder dispatched18s ago
CONSENT-MGRRevocation event written — consent_id: cns_9c12b, sync halted31s ago
GDPR-WORKERExport workflow completed — zip delivered to signed URL1m ago
AGENT-RUNNERincome_verifier completed — triggered_by: mcp_client_claude2m ago

[ SECURITY FAQ ]

Common questions, straight answers.

Bank data you can connect, audit, and revoke.

FCA-regulated access. AES-256 encryption. Full GDPR rights. Built for the era when AI needs to know your finances — but you still call the shots.

Questions? Email sf-core-org-support-calmnect-ai@saas-factory.ai

Join the early access list

Be among the first to connect your bank accounts to your AI. We'll notify you when access opens.

Calmnect.ai operates as an agent of TrueLayer Limited, authorised by the Financial Conduct Authority as an AISP. Read-only access only. Payments not enabled. 90-day PSD2 SCA renewal required. Data stored and processed in accordance with UK GDPR.