Skip to content
Security & compliance

You're asking clients to connect their bank. Here's how we protect that.

Olimey handles identity documents and bank-source transaction data. This page sets out exactly where that data goes, who processes it, and the controls around it — in plain terms your MLRO can take to a partner.

Encrypted in transit & at rest

All data is encrypted with TLS in transit and AES-256 at rest. Access is least-privilege and logged.

UK/EEA data residency

Client data is processed and stored in-region, under UK GDPR, with data-processing terms available on request.

Human-in-the-loop

No report is finalised without human sign-off. Your conveyancers clear straightforward matters; only higher-risk cases or potential SARs reach your MLRO. The judgement, and the accountability, stay with your firm.

Who touches the data

Regulated providers. Connected directly.

We don't ask clients to email statements or photograph documents into an inbox. Identity and banking data are captured at source through regulated, FCA-authorised providers.

FCA-authorised open banking

FCA-authorised

The client authorises a read-only connection to their bank through an authorised open-banking provider. Olimey receives categorised transactions, never sees login credentials, and cannot move money.

FCA-authorised identity

Identity

Identity is verified by a regulated, FCA-authorised provider using a document check and a biometric liveness check.

Olimey runs on Supabase infrastructure, which is independently certified to SOC 2 Type II and ISO 27001. Olimey itself is not independently certified yet; our own information-security programme follows these frameworks. All data is processed within the UK/EEA. Our full subprocessor list and data-processing terms are available from our DPO at dpo@olimey.ai.

How data flows

From client device to locked record.

01

Collected at source

Identity and banking data are captured at source through FCA-authorised providers over encrypted connections — never re-keyed, never emailed.

02

Processed in-region

Analysis runs within the UK/EEA under UK GDPR. Access is least-privilege, time-bound, and fully logged.

03

Signed & locked

On sign-off, the report and its evidence become an immutable record, retained for six years by default.

04

Retained or erased

Retention follows your firm's policy and statutory minimums. Erasure requests are handled under UK GDPR.

Regulatory alignment

Designed around the rules you answer to.

Olimey is built to support — not satisfy on your behalf — your obligations under the UK AML regime. Your firm remains the regulated entity; we give you a defensible file.

  • MLR 2017. Customer due diligence, ongoing monitoring and record-keeping supported by structured evidence.
  • LSAG guidance. Source of Wealth and Source of Funds aligned to the legal-sector approach.
  • UK GDPR. Lawful basis, data minimisation, residency and subject rights built into the workflow.
  • Audit trail. Immutable, time-stamped, exportable — built for SRA/CLC and HMRC inspection.
Questions we get asked

Security FAQ

Does Olimey store bank login credentials?
No. The bank connection is made through an authorised open-banking provider. Olimey receives read-only transaction data and never sees or stores the client's banking credentials, and cannot initiate payments.
Where is client data stored?
Client data is processed and stored within the UK/EEA under UK GDPR. Uploaded documents are held in private storage with encryption at rest (AES-256).
Who can see a client's file?
Only authorised users within your firm. Access is role-based and every view, edit and sign-off is logged in the audit trail.
What happens to data after sign-off?
The report and its evidence lock into an immutable record, retained for six years by default or in line with your firm's policy. Erasure requests are handled under UK GDPR.
Does Olimey make the AML decision?
No. Olimey assembles and drafts; a human reviews and signs off — your conveyancer for clear matters, your MLRO for anything escalated. No report is finalised without that human approval.

Need our security pack for due diligence?

Create your free account to get started, or contact our DPO at dpo@olimey.ai for data-processing terms, subprocessor details and our retention policy.