Security

Your users' financial data
is personal and powerful

That's why security isn't a feature at OpenDinar β€” it's the foundation. Every product decision, every line of code, and every infrastructure choice is made with security first.

Encrypted End-to-End

AES-256 at rest. TLS 1.2/1.3 in transit. No financial data ever travels or sits unprotected.

Permission-Based Access

Every bank connection requires explicit user consent. Access can be revoked at any time β€” by the user or developer.

Isolated by Design

Every developer's data and credentials are fully isolated. No cross-tenant data access is architecturally possible.

Encryption

All financial data stored by OpenDinar is encrypted using AES-256 β€” the same standard used by banks and governments worldwide. This applies to account information, transaction history, identity data, and all other user-linked content.

All data in transit between your application, OpenDinar's API, and Serbian bank systems is protected using TLS 1.2 and TLS 1.3. Older, insecure protocol versions (SSL, TLS 1.0, TLS 1.1) are explicitly disabled across all endpoints.

In plain terms: Whether your user's account data is sitting in our database or moving across the internet, it is always encrypted. It is never stored or transmitted in plain text.

Access Control

Developer access to the OpenDinar API is controlled through API keys. These keys are:

  • Hashed before storage β€” OpenDinar never stores your API key in plain text. We store a one-way hash, meaning even our own systems cannot recover your original key.
  • Scoped by environment β€” Sandbox keys (od_test_sk_*) and live keys (od_live_sk_*) are strictly separated. A sandbox key cannot access live bank data.
  • Rate limited β€” All API endpoints enforce rate limits to prevent abuse and protect bank connections from excessive polling.
  • Revocable instantly β€” Keys can be revoked from the dashboard immediately. Revoked keys stop working within seconds.

Webhook payloads are HMAC-signed using your webhook secret. This allows your server to cryptographically verify that every incoming event genuinely originated from OpenDinar and has not been tampered with in transit.

Permission Model

OpenDinar is built on a consent-first architecture. No bank account data is ever accessed without an explicit user action.

Here is how every bank connection works:

  1. The end user opens your application and chooses to connect their bank account.
  2. Your application launches the OpenDinar Link Widget β€” a secure, OpenDinar-controlled interface.
  3. The user selects their bank and authenticates directly with that bank. OpenDinar never sees the user's bank password.
  4. The bank issues a secure authorization token to OpenDinar. Your application receives an item_id to reference this connection.
  5. Only the data types your application requested are accessible β€” not all data the bank holds on the user.
Users are always in control. A user can revoke any bank connection at any time β€” either through your application or by contacting OpenDinar directly. Revocation immediately prevents further data access.

Data Handling

What we store

OpenDinar stores the data necessary to fulfil API requests on behalf of developers:

  • Account metadata (account name, type, IBAN, currency)
  • Transaction history (amount, date, merchant, category)
  • Balance snapshots (current and available)
  • Identity data (name, address, phone, email) β€” only when the Identity product is enabled
  • Bank connection tokens (encrypted, never your user's bank credentials)

What we never store

  • Bank login passwords or PINs β€” these are entered directly into the bank's system via the Link Widget
  • Payment card numbers
  • Any data beyond what your application explicitly requested

Retention

Transaction and account data is retained for as long as the bank connection is active. When a developer deletes a connection or a user revokes access, associated financial data is queued for deletion within 30 days. Developer account data (API logs, usage records) is retained for 90 days after account closure.

Monitoring & Incident Response

OpenDinar operates continuous monitoring across all API endpoints and infrastructure components. Automated alerting triggers on anomalous patterns including:

  • Unusual API call volume spikes from a single key
  • Repeated authentication failures
  • Unexpected data access patterns across accounts
  • Infrastructure availability issues

In the event of a confirmed security incident, affected developers will be notified by email within 72 hours of discovery β€” in compliance with GDPR notification requirements. We publish incident postmortems for significant events.

Infrastructure

OpenDinar's API infrastructure is hosted on DigitalOcean, a SOC 2 Type II certified cloud provider. Key infrastructure security properties include:

  • Per-tenant data isolation β€” each developer's data is logically isolated at the database level
  • Encrypted backups β€” all database backups are encrypted and stored separately from the primary data store
  • Network isolation β€” internal services communicate over private networks, not the public internet
  • Principle of least privilege β€” internal team members only have access to systems required for their role
  • Dependency management β€” all third-party dependencies are audited and kept up to date

Compliance & Certifications

OpenDinar operates in alignment with EU data protection standards, as Serbia continues harmonisation with GDPR under the Law on Personal Data Protection (Zakon o zaőtiti podataka o ličnosti). Our data handling practices are designed to meet these requirements from day one.

We are actively working toward formal third-party certification:

SOC 2 Type II

Security, availability, and confidentiality audit by independent auditors

Q4 2026

ISO 27001

International standard for information security management systems

2027

GDPR Alignment

Data handling practices aligned with EU General Data Protection Regulation

Active

Serbian ZZPL

Compliant with Serbia's Law on Personal Data Protection

Active

Your Users' Rights

OpenDinar supports your users' data rights under applicable law. Users whose financial data is processed through OpenDinar can:

  • Access β€” request a copy of the data we hold about them
  • Correction β€” request correction of inaccurate data
  • Deletion β€” request deletion of all data associated with their bank connections
  • Portability β€” receive their data in a structured, machine-readable format
  • Objection β€” object to processing in certain circumstances

Data subject requests can be submitted by contacting privacy@opendinar.com. We respond to all requests within 30 days.

For full details on how personal data is collected, used, and protected, see our Privacy Policy.

Report a Security Issue

If you believe you have found a security vulnerability in OpenDinar's API, infrastructure, or website, we want to hear from you. We take all reports seriously and will respond promptly.

Contact: security@opendinar.com
Please include a detailed description of the issue, steps to reproduce, and any relevant proof-of-concept. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate.

We do not currently operate a formal bug bounty programme, but we acknowledge all valid reports and will credit researchers who disclose responsibly.

Questions about security?

Our team is happy to answer security questions from developers, enterprise evaluators, and compliance teams.

Contact Security Team Read Privacy Policy