Security & Privacy

Your money stays
in your hands.

Bank-grade security architecture. 100% European hosting. Read-only access. We designed everything so that you are left with no doubt.

AES-256 encryption
GDPR compliant
PSD2 Open Banking
ISO 27001 infrastructure
TLS 1.3 in transit

0 passwords stored: never, structurally impossible
100% EU hosting: France & Germany, ISO 27001
Read-only access: zero transactions possible, PSD2

Defence in depth

6 layers of protection.
Each one protects the next.

Military-grade encryption (AES-256 · TLS 1.3 · HSM)
Even our own team cannot read your data. End-to-end encryption with keys protected by FIPS 140-2 certified hardware security modules.

100% European soil (France & Germany · ISO 27001)
Your data never leaves Europe. No provider subject to the US CLOUD Act. Full and enforceable GDPR compliance.

Read-only access (0 transactions possible)
Thelma cannot do anything with your money. Technically and contractually impossible. We analyse, we never act.

Zero passwords stored (OAuth2 · Revocable token)
You authenticate with your bank. We receive a temporary token that you can revoke at any time from our interface.

Distributed backups (RPO < 24h · RTO < 4h)
Your data is backed up daily on geographically separate infrastructures. Restoration guaranteed in under 4 hours.

Penetration testing (OSCP / CEH · 2× / year)
Certified ethical hackers attempt to break our defences twice a year. Every critical vulnerability is patched in under 72 hours.

PSD2 Protocol — Open Banking

How we access your data.
In an ultra-secure way.

The European PSD2 directive imposes a strict access protocol. You authenticate with your bank — not with us. Your bank sends us a temporary token. That's it.

1. Your bank: you log in on their interface
2. PSD2 API: regulated TLS 1.3 channel
3. Thelma: analysis only

No credentials stored
Instantly revocable token
Zero transactions possible
Supervised by regulators

Your rights

Our GDPR commitments

Real rights, immediately exercisable, without friction.

Erasure: within 30 days
Portability: JSON/CSV export
Consent: granular
Access: transparent
Rectification: immediate
Objection: to profiling
Notification: within 72h of an incident
Dedicated DPO: dpo@thelma.fr

Frequently asked questions

Direct answers, no jargon.

Start with complete peace of mind

Your security is not an optional feature. It is our number one constraint.