Hardened by design.
Your books sit at the centre of your business. HeyBen is built so the sensitive parts stay sensitive — encrypted, isolated, and never sold.
Architecture & stack
HeyBen runs inside an isolated, AWS-backed environment. Integrations are read-only wherever possible — HeyBen reads source data, but does not move money on your behalf.
Your books belong to you. HeyBen does not sell, rent or share your data with advertisers or data brokers — full stop.
The HeyBen team
Privacy commitment
Where does my data live?
All customer data is stored in an isolated AWS environment with encrypted volumes, automated backups and point-in-time recovery.
Can I export and delete my data?
Yes — you own your data. You can export your ledger, contacts and documents at any time, and request full deletion when you leave.
```ts
import * as crypto from 'crypto';

// Bank account numbers are encrypted at the field level
// using AES-256-GCM before they ever hit the database.
// `key` (32 bytes) and `db` are provided elsewhere in the application.
export async function storeBankAccount(value: string) {
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  // The auth tag is only available after final() and is needed to decrypt.
  return db.bankAccounts.insert({ iv, ciphertext, tag: cipher.getAuthTag() });
}
```
Sensitive fields like bank account numbers are encrypted with AES-256 — the same specification used by leading financial institutions. Keys live in AWS-managed key storage, never in application code.
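The read side of the field-level scheme above, as an added example that is not HeyBen's code: it shows how the stored GCM tag rejects a modified or misplaced ciphertext. The function names, the `rowId` binding and the locally generated key (standing in for one fetched from managed key storage) are assumptions of this example.

```typescript
import * as crypto from 'node:crypto';

// Hypothetical record shape; mirrors the { iv, ciphertext, tag } fields stored above.
interface EncryptedField { iv: Buffer; ciphertext: Buffer; tag: Buffer; }

// Encrypt one field. `rowId` is bound as additional authenticated data (AAD),
// an assumption of this example, so a ciphertext copied to another row fails to decrypt.
function encryptField(key: Buffer, value: string, rowId: string): EncryptedField {
  const iv = crypto.randomBytes(12); // never reuse an IV under the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(rowId, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt and authenticate. Returns null when the tag check fails
// (modified ciphertext, IV or tag, wrong row, or wrong key).
function decryptField(key: Buffer, rec: EncryptedField, rowId: string): string | null {
  if (rec.iv.length !== 12 || rec.tag.length !== 16) return null; // reject truncated tags
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  decipher.setAAD(Buffer.from(rowId, 'utf8'));
  decipher.setAuthTag(rec.tag);
  try {
    // final() throws if authentication fails; any partial output is discarded.
    return Buffer.concat([decipher.update(rec.ciphertext), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed demo values: a random key and a made-up account string.
function demo(): { ok: string | null; tampered: string | null; wrongRow: string | null } {
  const key = crypto.randomBytes(32);
  const rec = encryptField(key, 'GB00 CONSTRUCTED 0000 0000', 'row-1');
  const flipped = Buffer.from(rec.ciphertext);
  flipped[0] ^= 0x01; // simulate a single-bit change in the stored ciphertext
  return {
    ok: decryptField(key, rec, 'row-1'),
    tampered: decryptField(key, { ...rec, ciphertext: flipped }, 'row-1'),
    wrongRow: decryptField(key, rec, 'row-2'),
  };
}
```

Treating a `null` result as a hard failure, and logging it, turns storage-layer tampering into a detectable event instead of silently corrupted data.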
The controls behind the product.
A practical look at what runs underneath HeyBen — across the infrastructure, the application and the people who operate it.
- 01
Encryption in transit and at rest
All connections are protected with TLS. Database storage and backups are encrypted at rest using AWS-managed keys.
- 02
Least-privilege access
Production access is restricted to a small group of engineers. Each access is individually accounted for, strongly authenticated and logged.
- 03
Read-only integrations
Where possible, integrations with banks, payment providers and storefronts are read-only — HeyBen reads source data but does not move money.
- 04
Backups and recovery
Encrypted backups run on a regular schedule with point-in-time recovery so your books can be restored quickly if anything goes wrong.
- 05
Two-factor authentication
Add a second factor to every login. HeyBen supports app-based 2FA so accounts stay protected even if a password is compromised.
- 06
New-device notifications
Whenever your account is accessed from a new device you get an instant notification, so suspicious activity is easy to spot and shut down.
If you believe you've found a security issue in HeyBen, please email security@heyben.com with details so we can investigate quickly.
You own your data. You can export your ledger, contacts and documents at any time, and request deletion when you leave.
This page is maintained by HeyBen to answer common security and privacy questions about HeyBen. It describes current product and operational practices and is not an independent certification.