Security Policy
Last Updated: August 20th 2025.
1. Introduction
At Gains App, we take the security of your data seriously. We provide AI-powered insights into your financial activity using read-only Open Banking connections. This policy explains the technical and organisational measures we put in place to protect your data, maintain operational resilience, and comply with UK data protection and financial services regulations.
2. Our Security Principles
- Confidentiality – ensuring your personal and financial data is only accessed by authorised parties.
- Integrity – maintaining the accuracy and completeness of your data.
- Availability – ensuring the service remains reliable and resilient, even in adverse situations.
- Accountability – senior management is responsible for oversight of security and regulatory compliance.
3. Data Protection & Encryption
- All personal and transaction data is encrypted in transit (TLS 1.2/1.3) and encrypted at rest using industry-standard AES-256.
- We apply privacy by design and by default to all systems, consistent with UK GDPR Article 25.
- We maintain strict role-based access controls (RBAC) and apply the principle of least privilege.
4. Open Banking Security
- Gains App connects to your bank through a regulated Open Banking provider (TrueLayer).
- We never store or have access to your banking login credentials.
- All access is granted via Strong Customer Authentication (SCA), as required by PSD2.
- Data accessed via Open Banking is limited to the scope you explicitly consent to.
5. AI Security and Fairness
- AI features are assistive only and do not make automated decisions with legal or similarly significant effects.
- We test our AI models regularly for bias, accuracy, and fairness, in line with FCA Consumer Duty and ICO AI guidance.
- We implement safeguards against unintended profiling and do not deliberately infer sensitive categories (e.g. health, political beliefs).
- AI data (such as user queries and responses) is protected with the same encryption and access standards as Open Banking data.
6. Infrastructure & Cloud Security
Our infrastructure is hosted on Amazon Web Services (AWS), which is independently assessed against ISO 27001, SOC 2, and PCI DSS.
- Primary data residency: All customer personal and financial data is stored in AWS UK or EU data centres by default, ensuring compliance with UK GDPR and minimising cross-border transfers.
- We avoid unnecessary transfers abroad and only permit international transfers where essential for service delivery (e.g. global support providers).
- All environments are segregated, and access is logged and monitored.
- Vulnerability management includes regular patching, automated scanning, and penetration testing.
- We use firewalls, intrusion detection, and monitoring to detect anomalies.
7. Third-Party Providers & International Transfers
- We only use trusted third-party service providers (e.g. TrueLayer, AWS, Google Analytics).
- We conduct due diligence and security reviews on all critical third-party partners.
- If personal data is transferred outside the UK/EEA, we apply:
  - Standard Contractual Clauses (SCCs) with the UK Addendum,
  - Transfer Risk Assessments (TRAs), and
  - additional technical measures (encryption, access restrictions).
- You can request more details on our international transfer safeguards at privacy@gainsapp.com.
8. Incident Response & Breach Notification
- We maintain an incident response plan for detecting, responding to, and mitigating security events.
- In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the ICO within 72 hours of becoming aware of it (UK GDPR Article 33). Where the breach presents a high risk to you, we will also inform affected customers without undue delay (UK GDPR Article 34).
- We log, investigate, and document all incidents for accountability and future improvements.
9. Operational Resilience & Business Continuity
- Gains App follows the FCA’s Operational Resilience framework (PS21/3).
- We identify important business services, map their dependencies, and conduct scenario testing.
- We maintain backup and recovery plans to ensure data and service continuity in case of disruption.
10. Employee Security
- All employees undergo background checks before employment.
- Staff receive regular security and data protection training, including phishing awareness.
- Access to sensitive systems is protected by multi-factor authentication (MFA) and reviewed periodically.
11. User Responsibilities
- You are responsible for keeping your Gains App account login details secure.
- We recommend enabling biometric login or MFA where available.
- Gains App will never ask you to share your bank login credentials with us. If you receive such a request, please contact us immediately via our Contact Us page.
12. Continuous Improvement
- We undergo regular penetration testing by independent specialists.
- Security controls are reviewed annually, or sooner if there are changes in law, regulation, or threats.
- We actively monitor NCSC, ICO, and FCA guidance to ensure our policies remain compliant and up to date.
13. Contact
If you have any questions about this Security Policy or concerns about your data, please contact us at:
Data Protection Officer: privacy@gainsapp.com
14. Marketing Communications Security
- Gains App only sends marketing communications (including emails, push notifications, or SMS messages) where you have explicitly opted in, in compliance with the Privacy and Electronic Communications Regulations (PECR).
- We maintain separate systems for marketing data and apply the same encryption and access controls as for financial data.
- You can withdraw consent at any time through the app settings or by contacting us at privacy@gainsapp.com.
- Transactional and service messages (e.g. account alerts, security notifications) are not considered marketing and may still be sent where necessary to provide the service.