Last updated: May 24, 2026
Olik Split handles money-related information for groups of friends, families, and travel companions. We treat that data accordingly. This page summarizes the controls we apply across our infrastructure and applications. For the full data-handling picture, see our Privacy Policy.
Private payment methods (PayPal handles, IBANs, Revolut tags, etc.) are encrypted on the device using AES-GCM-256 before leaving the client. Encryption keys are generated on first use and stored in the platform's hardware-backed keystore: the Android Keystore on Android, the iOS Keychain backed by CommonCrypto on iOS, and an origin-isolated WebCrypto key on the web build. The ciphertext is then encrypted a second time on the server with a separate server-managed key (defence-in-depth double encryption). Public payment methods shared inside a group are encrypted server-side only.
Account passwords are hashed with bcrypt (cost factor 12) and are never stored in plaintext. We have no mechanism to recover a forgotten password — only to reset it.
All traffic between the apps and our servers uses TLS 1.3 (TLS 1.2 fallback for legacy clients). HTTP is not accepted; we enforce HSTS with a long max-age and the includeSubDomains directive on oliksplit.app and api.oliksplit.app. Receipt images uploaded for AI scanning travel over the same TLS channel to a private Cloudflare R2 bucket and are accessed exclusively via signed URLs.
Server APIs use stateless JWT bearer tokens. Access tokens have a short 1-hour TTL; refresh tokens rotate on every use, so a stolen refresh token is invalidated as soon as the rightful client refreshes. Sign-in supports email/password, Google Sign-In, Sign in with Apple, and anonymous accounts that can be linked to a permanent identity later.
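The rotate-on-use behaviour described above, modelled as an added example; this is not Olik Split's code. The in-memory `RefreshTokenStore` class, its method names and the user id are hypothetical, and revoking the whole token family when a rotated-out token is presented again is an assumed policy that goes one step beyond what this page states.

```python
import hashlib
import secrets


class RefreshTokenStore:
    """In-memory model of rotate-on-use refresh tokens (constructed example)."""

    def __init__(self):
        self._tokens = {}      # sha256(token) -> {"family", "user", "used"}
        self._revoked = set()  # family ids revoked after a reuse was detected

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, user, family):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {"family": family, "user": user, "used": False}
        return token

    def login(self, user):
        """Start a new token family for a fresh sign-in."""
        return self._mint(user, secrets.token_hex(8))

    def refresh(self, token):
        """Return a new refresh token, or None if the presented one is invalid."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["family"] in self._revoked:
            return None
        if rec["used"]:
            # A rotated-out token came back: either the thief or the victim
            # holds a stale copy. Assumed policy: revoke the whole family.
            self._revoked.add(rec["family"])
            return None
        rec["used"] = True
        return self._mint(rec["user"], rec["family"])


def demo():
    store = RefreshTokenStore()
    r1 = store.login("user-1")          # constructed user id
    r2 = store.refresh(r1)              # rightful client rotates R1 -> R2
    stolen_result = store.refresh(r1)   # stolen copy of R1 is presented later
    after_reuse = store.refresh(r2)     # family was revoked by the reuse
    return r2 is not None, stolen_result, after_reuse
```

If the thief refreshes first instead, the rightful client's next refresh is the reuse event, which is why the model revokes the family rather than only rejecting the stale token.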
Users can additionally lock the app behind a PIN, a biometric check (fingerprint or Face ID), and a single-use 8-character recovery code. PIN and recovery code hashes never leave the device. Biometric templates are managed by the operating system's secure enclave; the app only receives a yes/no result.
Our application servers and PostgreSQL database run on industry-standard managed hosting with isolated VPCs, hardened base images, and ingress restricted to the application load balancer. Administrative access is limited to a small operations team and protected with hardware-backed MFA and per-environment SSH keys. We do not name specific hosting providers publicly for operational-security reasons.
The production PostgreSQL database is backed up automatically every day. Snapshots are encrypted at rest and retained for 30 days. Backups are stored in a region separate from the live database. Restoration drills are performed on a non-production environment quarterly.
Authenticated API requests are logged with user ID, IP address, User-Agent, and outcome. Significant account actions (creating or modifying expenses, groups, settlements, and payment methods) are recorded in an immutable audit log. We monitor server health, error rates, and abuse signals continuously; alerts page the operations team.
Olik Split commissions an external third-party penetration test on an annual cadence covering the mobile applications, public API, and supporting infrastructure. Most recent test: TBD. Findings are tracked to closure and re-tested in the subsequent engagement. We will publish a summary letter to enterprise customers on request under NDA.
If you believe you have found a security issue, please report it under our Responsible Disclosure Policy. We acknowledge reports within 72 hours and work with researchers in good faith.
Security questions, audit requests, or compliance documentation: security@oliksplit.app.