Security & Trust

Your financial data is safe with us.

You’re trusting us with your business finances. We take that seriously. Joy Pilot is built from the ground up with bank-level security, best-practice encryption and rigorous data protection — so you can focus on your business, not worry about your data.

Start Free 1-Month Trial See how we protect your data

No credit card needed · Set up in minutes · Cancel anytime

Encrypted

At rest & in transit

Two-Factor Auth

Extra login protection

GDPR Compliant

Your data, your rights

Hosted on AWS

Enterprise infrastructure

How We Protect You

Security isn’t an add-on. It’s built in.

Every layer of Joy Pilot — from the moment you log in to the way we store your files — has been designed with security as a first principle, not an afterthought.

Encryption

Your data is encrypted everywhere it goes.

Whether your data is being stored in our database, travelling between your browser and our servers, or sitting in a backup — it’s always encrypted. We use the same encryption standards trusted by banks and financial institutions.

Encrypted in transit — all connections use TLS 1.2 or higher with HTTPS enforced across the entire platform
Encrypted at rest — your database is protected by AWS KMS encryption, the same technology used by major financial services
HSTS enforced — your browser is told to only ever connect to us over HTTPS, preventing downgrade attacks
Secure cookies — all session cookies are encrypted, HTTP-only and protected against cross-site attacks

Authentication

Only you can access your account.

We go well beyond a simple password. Joy Pilot includes two-factor authentication, intelligent brute-force protection and strong password requirements — making it extremely difficult for anyone other than you to get in.

Two-factor authentication (2FA) — receive a time-limited code via SMS every time you log in for an extra layer of security
Brute-force protection — progressive lockouts detect and block repeated login attempts, with automatic cool-down periods
Strong password policy — passwords must include a mix of letters, numbers and symbols, tested against known weak patterns
Passwords never stored in plain text — industry-standard bcrypt hashing means even we can’t see your password

File Protection

Every file you upload is scanned and secured.

When you upload a receipt, bank statement or any other document, it’s automatically scanned for malware using enterprise-grade antivirus software before it’s stored. Files are kept in encrypted cloud storage with unique, unguessable names — so no one can stumble across your documents.

Antivirus scanning — every uploaded file is checked by ClamAV antivirus before it’s accepted
Encrypted cloud storage — files stored in AWS S3 with encryption and unique identifiers
Temporary access links — download links expire automatically, so shared files can’t be accessed indefinitely

Infrastructure

Hosted where the world’s best businesses host.

Joy Pilot runs on Amazon Web Services (AWS) — the same cloud infrastructure trusted by banks, hospitals and governments worldwide. Your data is replicated, backed up and protected around the clock.

AWS Encrypted Database

Your data lives in an encrypted Aurora database with automatic backups and point-in-time recovery.

Multi-Zone Redundancy

Data is replicated across multiple availability zones, so even if one data centre has an issue, your data is safe.

Deletion Protection

Critical databases have deletion protection enabled, preventing accidental data loss at the infrastructure level.

24/7 Monitoring

CloudWatch logging and real-time error tracking ensure issues are caught and resolved before they affect you.

Privacy & Compliance

Your data belongs to you. Full stop.

We follow best-practice data protection standards and comply with GDPR requirements. We’ll never sell your data, and we give you the tools to control exactly what’s stored.

GDPR Compliant

We comply with the General Data Protection Regulation. You have the right to access, export or delete your personal data at any time.

Right to Be Forgotten

Request that we anonymise or delete your personal information. We have the tools in place to fully honour erasure requests.

Data Isolation

Each business account is completely isolated. Your data is never mixed with, visible to, or accessible by other users.

Activity Audit Trail

Every action on your account is logged — who accessed what and when. Complete transparency for your peace of mind.

We Never Sell Your Data

Your financial data is yours. We will never sell, share or monetise it with third parties. Ever.

Email Consent Management

Full control over marketing communications. Unsubscribe at any time, and we’ll honour it immediately.

Financial Security

Bank-grade security for your financial data.

Joy Pilot connects to your bank using the same secure, regulated channels that banks use to talk to each other. We never store your bank login credentials — all bank connections use OAuth, the industry-standard secure handshake.

PSD2-Compliant Bank Feeds

We connect via regulated Open Banking providers that comply with the EU’s Payment Services Directive. Your bank authorises the connection directly.

No Bank Passwords Stored

Joy Pilot uses OAuth tokens to access your bank feeds. We never see, store or handle your bank login credentials.

Webhook Signature Verification

Incoming data from banks and payment providers is cryptographically verified to ensure it hasn’t been tampered with.

Secure Payment Processing

Payments are handled by Stripe, a PCI DSS Level 1 certified processor. Joy Pilot never touches your card details.

Best Practices

Built by people who take security personally.

Security isn’t just about ticking boxes. It’s about the decisions made at every level of the platform — from how we handle input to how we protect against common web attacks.

XSS Protection

All user input is sanitised using HTMLPurifier with a strict whitelist. Malicious scripts are stripped before they’re ever stored.

CSRF Protection

Every form submission is verified with a unique token, preventing third-party websites from making requests on your behalf.

Automatic Session Timeout

Inactive sessions expire after a set period. If you walk away from your computer, your account is automatically protected.

CORS Policy

Strict cross-origin controls mean only authorised applications can communicate with Joy Pilot’s servers.

OAuth 2.0 API Access

All API communication is authenticated using OAuth 2.0 with automatically expiring tokens and secure refresh mechanisms.

Error Handling

Errors are tracked internally but never leak sensitive system details to the browser. You see a friendly message; we see the full diagnostic.

Regulatory Compliance

Recognised by HMRC.

For UK users, Joy Pilot is compatible with HMRC’s Making Tax Digital (MTD) programme. File your VAT returns directly from the platform with confidence that your submissions meet the latest government requirements.

Making Tax Digital (MTD) for VAT

Direct VAT return submission to HMRC

Listed on HMRC’s recognised software page

Digital record-keeping that meets MTD requirements

FAQ

Common questions about security

If you have a question that isn’t answered here, get in touch — we’re happy to go into detail.

Where is my data stored?

Your data is stored on Amazon Web Services (AWS) in encrypted databases. AWS is the same cloud infrastructure used by major banks, healthcare providers and government agencies worldwide. Your data is replicated across multiple availability zones for redundancy.

Do you store my bank login details?

No. We never see, store or handle your bank login credentials. Bank feed connections use OAuth — a secure handshake where your bank authorises the connection directly. We only receive read-only access to your transaction data through regulated Open Banking providers.

Is my data encrypted?

Yes, everywhere. Data in transit is protected by TLS 1.2+ (the same standard used by online banking). Data at rest is encrypted using AWS KMS. Session cookies are encrypted and HTTP-only. We also use HSTS to ensure your browser only ever connects to us over HTTPS.

Can other users see my data?

Absolutely not. Each business account is completely isolated at the database level. Your data is never mixed with or visible to any other user. Even if you use an accountant, they can only see the specific businesses you’ve given them access to.

What happens if I want to delete my account?

You have full control over your data. Under GDPR, you can request that we anonymise or delete all your personal information. We have automated tools in place to honour these requests thoroughly and promptly.

Do you handle my card details for payment?

No. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of payment security certification. Your card details are entered directly into Stripe’s secure form and never pass through our servers.

Ready When You Are

Ready to trust your books to Joy Pilot?

Bank-level security, GDPR compliance and best-practice encryption — all included from day one. Start your free trial and see for yourself.

Start Free 1-Month Trial See how it works

No credit card needed · Set up in minutes · Cancel anytime