From the careful selection of sub-service providers to technical and organizational measures to the ongoing training/sensitization of employees, Candis takes data protection seriously.

Here accordingly all important documents/information on the topic.

1. Our official documents & information

a) Our Privacy Policy

Each customer acknowledges the privacy statements in the registration process.

You can also find it when you're logged in in Candis in your profile settings under privacy policy.

b) Our data protection officer

Data protection officer in accordance with the Federal Data Protection Act:

Bitkom Servicegesellschaft mbH, Mr. Ali Tschakari

c) Contract Data Processing Agreement (DPA)

By using Candis, you commission Candis GmbH as a data processor. You can view and download the DPA here:

2) How does Candis ensure the security of my data?

a) Technical and organizational measures (TOMs)

Candis takes technical and organizational measures to protect data and continuously improves them in coordination with the appointed data protection officer.

Technical measures include, for example, end-to-end SSL encryption between the Candis data center and the browser. The data center itself is protected both technically and physically, data is backed up redundantly multiple times, and much more.

Organizational measures include, for example, strictly restricting access rights for Candis employees, professionally securing office space, and using complex passwords with regular changes.

Please refer to this article for details.

b) Careful selection of partners & service providers

We work exclusively with reputable companies that also convince us of their own data protection precautions. In addition to shareholders such as the Commerzbank Group and interface partners such as DATEV, cooperation partners such as Berliner Sparkasse, these are primarily service providers such as

finAPI (bank/credit card connection)

> interface provider used by DATEV, among others

finleap connect (formerly figo) (bank/credit card connection)

> participation of Deutsche Börse & Berliner Volksbank

Gini (OCR & data extraction)

> Participation of Deutsche Telekom

3. common questions in connection with data (protection)

a) Am I allowed to enter my online banking access data into Candis at all?

Yes. In 2016, the German Federal Cartel Office declared online banking regulations of banks unlawful that prohibit their customers from using PIN and TAN independently of banks (see press release of 05.07.2016).

Furthermore, the European Payment Services Directive (PSD/PSD2) was already revised in 2015. All EU member states must implement the new guidelines in national legislation by the end of 2017. Among other things, this regulates that the EU payments market will be opened up to so-called "payment initiation service providers" and "account information service providers" (cf. press release dated 08.10.2015).

b) What data is processed by Candis?

In order to fully use Candis, we need transaction data from your accounts & cards in addition to your receipts & documents. The connection of your bank accounts is organized by figo or finAPI, our banking service providers, depending on your selection. As German companies, they are bound by German and European data protection law. The access data to accounts & cards are stored by the providers in a bank-certified data center. Candis has no access to this access data.


Do you have questions about data protection?

Contact us in the chat below right or write to

Did this answer your question?