Sorbet connects to your banks using regulated Open Banking APIs, encrypts your data in transit and at rest, and is operated under an ISO 27001‑certified information security management system.
Founders get one cockpit. Accountants get perfect data. Everyone gets serious security.
At a glance
Encryption everywhere
All connections use TLS. Data at rest is encrypted using strong, industry‑standard algorithms.
Full audit trails
Key actions—like payments, exports and configuration changes—are logged with who, what and when.
Data stays in the EU
Sorbet runs on EU‑based infrastructure, aligned with GDPR and European data protection expectations.
We never touch your funds
Payments are executed by your bank or fintech through PIS (payment initiation). Sorbet orchestrates the payment but never holds client money.
Sorbet operates under an ISO 27001‑certified information security management system (ISMS).
ISO 27001 is the international standard for managing information security. Certification means that an independent auditor has verified that we:
If you are an accountant or larger SME and need details for your own risk assessment, reach out via Contact.
We use regulated Open Banking (PSD2) connections for AIS (account information) and PIS (payment initiation). You authenticate directly with your bank; Sorbet never learns your online banking password.
AIS lets Sorbet read balances and transactions from your banks and fintech providers.
PIS lets Sorbet prepare payments that your bank executes only after you approve each one with strong customer authentication (SCA) at the bank.
Sorbet does not ask for your online banking credentials or scrape websites.
We treat your company’s financial data like production code in a mission‑critical system: locked down, monitored and change‑controlled.
All communication between your browser, our APIs, and banking partners is protected with TLS.
We follow a least‑privilege model inside Sorbet: staff and service accounts get only the access their role requires.
We log security‑relevant events and maintain audit trails around key actions.
We maintain regular backups and a documented incident response process.
You want one cockpit, not another attack surface.
You need security evidence for your own risk assessment and for auditors.
Need more detail for your internal documentation? Contact us and we’ll share the necessary information under NDA where appropriate.
If you’re an e‑resident founder or an accountant, you should ask these questions. Here are our answers.
No. Sorbet is a Finance OS that connects to your existing banks and fintechs via regulated APIs. Your money always sits with your bank or payment provider. Sorbet orchestrates, but never becomes the holder of your funds.
No. You authenticate directly with your bank or fintech using their own login and strong customer authentication. Sorbet receives an access token with limited scope, not your password or card number.
Yes. You can disconnect a bank or wallet from inside Sorbet, and you can revoke consent from your bank or provider directly. Once revoked, Sorbet cannot fetch new data or initiate payments for that account.
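As an added illustration of the consent model described above (this is example code written for this page, not Sorbet's code and not any bank's API), the following Python sketch gates AIS and PIS calls on the scopes and status of the consent the bank granted. An account-information token cannot initiate a payment, a revoked or expired consent blocks further fetches, and every decision lands in a who/what/when audit trail. The scope names, account identifiers, tokens, IBAN and sample transactions are all constructed for the example.

```python
"""Hypothetical consent gate for Open Banking AIS/PIS calls (illustrative only)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, List

# Assumed scope names; real PSD2 providers use their own identifiers.
AIS_SCOPE = "accounts:read"        # account information: balances, transactions
PIS_SCOPE = "payments:initiate"    # payment initiation

FIXED_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # deterministic clock


class ConsentError(PermissionError):
    """Raised when a call is not covered by a valid, unrevoked consent."""


@dataclass
class Consent:
    """What the bank granted after the user authenticated there.
    The app holds only this scoped token, never the user's banking password."""
    account_id: str
    access_token: str
    scopes: FrozenSet[str]
    expires_at: datetime
    revoked: bool = False


@dataclass
class AuditLog:
    """Who / what / when trail around security-relevant actions."""
    clock: Callable[[], datetime]
    entries: List[dict] = field(default_factory=list)

    def record(self, who: str, what: str, account_id: str, outcome: str) -> None:
        self.entries.append({"who": who, "what": what, "account": account_id,
                             "when": self.clock().isoformat(), "outcome": outcome})


class BankConnector:
    def __init__(self, consents: Dict[str, Consent], clock: Callable[[], datetime]):
        self.consents = consents
        self.clock = clock
        self.audit = AuditLog(clock)

    def _authorize(self, who: str, account_id: str, scope: str, action: str) -> Consent:
        """Allow the action only if a live consent grants the required scope."""
        consent = self.consents.get(account_id)
        if consent is None:
            reason = "no consent"
        elif consent.revoked:
            reason = "consent revoked"
        elif self.clock() >= consent.expires_at:
            reason = "consent expired"
        elif scope not in consent.scopes:
            reason = f"scope {scope} not granted"
        else:
            self.audit.record(who, action, account_id, "allowed")
            return consent
        self.audit.record(who, action, account_id, f"denied: {reason}")
        raise ConsentError(reason)

    def fetch_transactions(self, who: str, account_id: str) -> List[dict]:
        self._authorize(who, account_id, AIS_SCOPE, "ais.fetch_transactions")
        # Constructed sample response standing in for the bank's AIS endpoint.
        return [{"amount": "-120.00", "currency": "EUR", "counterparty": "Office supplies"},
                {"amount": "2500.00", "currency": "EUR", "counterparty": "Client invoice #1"}]

    def initiate_payment(self, who: str, account_id: str, amount: str, to_iban: str) -> dict:
        consent = self._authorize(who, account_id, PIS_SCOPE, "pis.initiate_payment")
        # The bank executes only after the user completes SCA there; the app never
        # moves funds itself, so the result is a pending instruction, not a transfer.
        return {"status": "awaiting_sca", "amount": amount, "to": to_iban,
                "token_hint": consent.access_token[:4] + "..."}

    def revoke(self, who: str, account_id: str) -> None:
        """Disconnect from inside the app; the user can also revoke at the bank."""
        consent = self.consents.get(account_id)
        if consent is not None:
            consent.revoked = True
        self.audit.record(who, "consent.revoke", account_id, "done")


def build_demo_connector(now: datetime = FIXED_NOW) -> BankConnector:
    """Constructed sample consents: AIS-only, AIS+PIS, and one already expired."""
    consents = {
        "acc-ais": Consent("acc-ais", "tok-ais-1111", frozenset({AIS_SCOPE}),
                           now + timedelta(days=90)),
        "acc-full": Consent("acc-full", "tok-full-2222", frozenset({AIS_SCOPE, PIS_SCOPE}),
                            now + timedelta(days=90)),
        "acc-stale": Consent("acc-stale", "tok-old-3333", frozenset({AIS_SCOPE, PIS_SCOPE}),
                             now - timedelta(days=1)),
    }
    return BankConnector(consents, lambda: now)


if __name__ == "__main__":
    c = build_demo_connector()
    print(c.fetch_transactions("founder@example.com", "acc-ais"))
    try:
        c.initiate_payment("founder@example.com", "acc-ais", "100.00", "EE000000000000000000")
    except ConsentError as e:
        print("denied:", e)
    c.revoke("founder@example.com", "acc-full")
    for entry in c.audit.entries:
        print(entry)
```

The point of the `_authorize` ordering is that revocation and expiry are checked before scope, so a disconnected account is refused even when the stored token would otherwise have been sufficient, and each refusal is written to the same trail as each success.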
Sorbet runs on EU‑based infrastructure. We prioritise EU data residency and follow GDPR principles. If you need precise details for a DPIA or internal review, contact us and we will provide them.
Access to production systems is strictly limited to specific roles and is logged. Day‑to‑day operations are designed so that most support interactions can be handled without viewing sensitive data unless absolutely necessary.
No. This page is an overview of how we approach security and compliance. For binding terms, please refer to our Terms of Service and Privacy Policy, and to any specific agreements we sign with you.