Security & compliance

The security model, in full.

Last updated: 17 July 2026

This page is the long version of the landing's security section — written for the person deciding whether to let an AI assistant near an account. It describes what the connector can see, what it can do, which switches control that, and where the sandbox ends. Every claim below maps to a concrete mechanism you can inspect: the connector is an MCP server you run yourself, configured by environment variables you set yourself.

The principle: locked down by default

An assistant with reach into money must start with no reach at all. So every capability here is opt-in, and the dangerous ones are opt-in twice. The connector ships read-only. Writes are disabled by an environment variable that you have to flip deliberately, and a live transfer still needs a second, human confirmation outside the chat. There is no mode in which typing a persuasive prompt is enough to move money.

The corollary: nothing on this page asks you to trust the model. The controls sit below the model — in the connector's configuration and in the Satchel app — so they hold even if the assistant is confused, compromised, or simply wrong.

Read-only by default

Six of the seven tools only read: accounts, balances, cards, transactions, a single payment, a cash-flow summary. The seventh, move_money, is the only tool that can change anything — and it refuses in every mode, sandbox and live alike, until you set SATCHEL_ALLOW_WRITES=true in the connector's environment. Not a settings toggle in a UI, not a phrase the assistant can say — an environment variable on your machine.

In live mode there is a second gate on top: a transfer prepared by the assistant is confirmed by you in the Satchel app with a second factor. The assistant drafts; you approve. No payment leaves without your tap.

What your assistant sees — and what we never see

The MCP server runs locally, on your machine, with your credentials. When a tool returns account data, that data flows into your assistant's context — Claude, Cursor, whatever you connected — under your agreement with your AI provider. That is the honest shape of the privacy question, so we state it plainly:

  • This site and the connector run no LLM. We never send your account data to a model ourselves.
  • We receive no conversation content. What you say to your assistant, and what it says back, stays between you and your AI provider.
  • Which tool results your assistant retains, and for how long, is governed by your AI provider's terms — read them with the same care you're reading this.

Sessions and credentials

The connector authenticates with your credentials and receives a session token that expires after 30 minutes. When it expires, the connector re-mints it on demand and retries — you never handle the token, and no long-lived secret ever appears in your chat history for a model to memorise or a transcript to leak.

Configuration lives in environment variables on your machine — SATCHEL_BASE_URL, SATCHEL_USERNAME, SATCHEL_PASSWORD, SATCHEL_MODE — set once in your MCP client config. Nothing is stored on our side: no credential vault, no synced settings, no server of ours holding your key.

The sandbox boundary

You start against seeded, synthetic data — accounts, cards and a ledger that are live-shaped but fictional. No real funds, no real accounts, nothing moves in the real world; a sandbox "transfer" only mutates the seed. This is why you can safely let an assistant loose on day one.

Going live changes the URL and the credential — nothing else. The same tools, the same data shapes, the same write gate. But the credential itself is not self-serve: live accounts are opened by a personal manager with full onboarding checks under satchel.eu terms. There is no anonymous path from this page to real money, and joining the waitlist is not an account application.

The rails underneath

The live API is operated by Satchelpay UAB (reg. No. 304628112, Upės St. 21-1, LT-08128 Vilnius, Lithuania), holder of electronic money institution licence No. 28 issued by the Bank of Lithuania. Satchel is an EMI, not a bank. This page covers the MCP connector and this site; for the security of the regulated e-money service itself — safeguarding, cards, the app — see satchel.eu/security.

Responsible disclosure

Found a vulnerability — in the connector, the sandbox, or this site? Write to support@satchel.eu with steps to reproduce. We read every report. Please don't test against live systems or other people's data; the sandbox exists precisely so you don't have to.