Security

Last updated: May 2026

Redbark moves some of the most sensitive data you have, your bank transactions, so security sits at the core of the product. The short version: we don't store your transaction data, you never share your banking password with us, and the little we do hold is encrypted. Here is exactly how that works.

1. We don't store your banking data

Redbark does not keep your CDR transaction data. Transactions are proxied live from Fiskil at sync time and written straight to the destination you configured, such as a Google Sheet, YNAB, Actual Budget, or a webhook. Because nothing is held, there is no store of transactions to leak, and deletion on our side is instant.

We never store:

  • Transaction amounts, dates, descriptions, merchants, or balances
  • Raw CDR payloads from Fiskil
  • Your banking credentials, which you enter directly at your bank

The only things we hold, in our production database, are:

  • Account metadata (institution name, account type, masked account number) to power the UI
  • Consent metadata (status, purpose, data categories, expiry, audit trail)
  • Encrypted OAuth tokens for your providers and destinations
  • An audit log of every state-changing action

2. Open Banking, not password sharing

Redbark connects to your bank through Open Banking (the Consumer Data Right) rather than screen scraping. You authenticate on your own bank's website, approve a specific, time-limited consent, and your bank issues a secure token to Fiskil. Your banking password never passes through Redbark or Fiskil, and consent is visible and revocable at any time. See our Open Banking explainer for the full detail.

3. Encryption

  • All OAuth and banking tokens are encrypted at rest using AES-256-GCM with unique random IVs
  • All data is transmitted over HTTPS / TLS
  • Tokens are the only sensitive secret we hold, and they cannot be used to log into your bank

4. Operational security

  • Our error monitoring (Sentry) has a scrubbing layer that redacts CDR transaction fields, PII, and secrets from every event before it leaves the app
  • Our log pipeline (Pino to Axiom) redacts the same fields before log lines leave the runtime
  • Our product analytics (PostHog) has DOM autocapture and session recording disabled, so rendered transaction data can never be captured into analytics events

5. Infrastructure

Redbark runs on infrastructure providers that hold SOC 2 Type II certifications:

  • Vercel (hosting)
  • PlanetScale (database)
  • Clerk (authentication)
  • Stripe (payments)
  • Trigger.dev (background jobs)

Fiskil, our CDR data provider, operates as an ACCC-accredited data recipient under its own security assessment program.

6. Responsible disclosure

Security researchers can report vulnerabilities privately to security@redbark.co. We acknowledge within 2 business days, provide an initial assessment within 5, and will not pursue legal action against good-faith research conducted within the scope described on that mailbox's auto-reply.

7. More detail

For the regulatory side, including how we operate as a CDR Representative, consent handling, and breach response, see our Compliance page. For how we handle personal information, see our Privacy Policy.