Bank Connection Security

A transparent look at how Kantivo handles bank connectivity through Teller, and exactly where every piece of data lives.

The Bottom Line

Your bank login details never pass through Kantivo. All authentication happens inside Teller's independently secured widget, and your accounting data is stored securely in your own database.

How Bank Connection Works

Kantivo integrates with Teller, a regulated financial data provider comparable to Plaid, to bridge the gap between your bank and your desktop accounting environment. The entire process is designed so that sensitive credentials remain outside of Kantivo at every stage:

1. Initiate the Connection

When you press "Connect Bank," a separate secured window from Teller opens on your screen. This popup is hosted entirely by Teller's infrastructure -- Kantivo has no access to its contents.

2. Authenticate with Your Bank

You sign into your financial institution directly within Teller's encrypted interface. Your username and password travel exclusively between Teller and your bank -- Kantivo cannot intercept or record them.

3. Receive a Read-Only Token

Upon successful authentication, Teller issues a limited-scope access token to Kantivo. This token permits transaction retrieval only -- it cannot log into your account, authorize payments, or alter any banking information.

4. Pull Transactions into Your Local Database

Kantivo uses the token to retrieve your transaction history through Teller's API, then stores it securely in your database. Transactions are available immediately for reconciliation and reporting.

Data Flow Diagram

You (enter bank login) -> Teller (secure widget) -> Your Bank (authenticates you) -> Access Token (returned to app)

Where Is Data Stored?

| Data Type | Where It's Stored | Security |
| --- | --- | --- |
| Bank Username & Password | These credentials are NEVER handled by Kantivo. They are submitted exclusively through Teller's PCI-compliant widget and are invisible to our application. | Not Applicable |
| Teller Access Token | Persisted in a secure cloud database (Admin Panel) after being encrypted prior to storage. | AES-256-GCM Encrypted |
| Bank Name & Account Names | Kept on your local machine within Kantivo's PostgreSQL database, used solely for labeling and display. | Non-sensitive metadata |
| Transaction History | Written to your local PostgreSQL database once you import. Your financial records never leave your computer. | Your local database |
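
The table above lists the Teller access token as AES-256-GCM encrypted before storage. The sketch below is an added illustration of that pattern, not Kantivo's or Teller's code. The function names, the record layout (nonce, tag, ciphertext), the use of a connection id as associated data, and the sample values are all assumptions of this example.

```javascript
// Added illustration: not Kantivo's or Teller's code. Names are hypothetical.
const crypto = require('crypto');

const IV_LEN = 12;  // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16; // 128-bit authentication tag

// Encrypt a token for storage. `connectionId` is bound as associated data
// (an assumption of this example), so a record copied onto another
// connection's row fails authentication when opened.
function sealToken(key, token, connectionId) {
  const iv = crypto.randomBytes(IV_LEN); // fresh per record, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(connectionId, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Decrypt a stored record; returns null if the key, the connection id or
// any byte of the record does not match what was sealed.
function openToken(key, record, connectionId) {
  const raw = Buffer.from(record, 'base64');
  if (raw.length < IV_LEN + TAG_LEN) return null;
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
    d.setAAD(Buffer.from(connectionId, 'utf8'));
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: treat the record as unusable
  }
}

// Constructed sample values, for demonstration only.
function demo() {
  const key = crypto.randomBytes(32); // in practice held in a KMS or OS keystore
  const record = sealToken(key, 'token_constructed_example', 'conn-001');
  const tampered = Buffer.from(record, 'base64');
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: openToken(key, record, 'conn-001'),
    wrongRow: openToken(key, record, 'conn-002'),
    tampered: openToken(key, tampered.toString('base64'), 'conn-001'),
    wrongKey: openToken(crypto.randomBytes(32), record, 'conn-001'),
  };
}
```

Because GCM is authenticated, a database row that has been modified or moved to another connection fails to decrypt instead of yielding a corrupted token.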

Security Measures

Frequently Asked Questions

Is Kantivo able to perform actions on my bank account?

No. Kantivo has read-only access to transaction data via Teller's API. It is technically impossible for the application to sign into your bank, initiate transfers, or modify account settings.

What occurs when I disconnect a bank?

The associated access token is revoked immediately, cutting off any future data retrieval. Transactions you have already imported into your local database remain available in your accounting records.

Who is Teller, and can they be trusted?

Teller is a regulated financial services provider that maintains direct partnerships with leading banks. They hold SOC 2 Type II certification and adhere to stringent banking industry security requirements.

My bank connection stopped working. Why?

Certain financial institutions enforce periodic re-authentication as a security measure. When this happens, Kantivo displays a "Reconnect" prompt. Select it to re-verify your identity through Teller's secure widget.

Do I have to connect a bank to use Kantivo?

Not at all. Bank connectivity is entirely optional. You can import transactions from CSV, Excel, or PDF files, use the Statement Bucket for bank statements, or type entries by hand. Many users operate Kantivo without ever linking a bank account.

Questions?

If you have additional security questions about bank connectivity, please contact us at support@kantivo.app