Overview
SAPI takes your business and personal data security seriously. This guide explains the security measures we use to protect your information, how we authenticate your identity, and best practices for keeping your account secure.
How SAPI Protects Your Data
Encryption
Data in transit
All data sent between your browser and SAPI's systems is encrypted using TLS 1.2 or higher (bank-grade encryption).
Data at rest
Your personal information, business data, and payment history are encrypted when stored on SAPI's servers.
Secure Storage
UK-based servers
Your data is stored on secure, UK-based servers with strict access controls.
Limited access
Only authorized SAPI staff (underwriting, servicing, collections, compliance) can access your data, and only when necessary for servicing your advance.
Access logging
All data access is logged and monitored for suspicious activity.
FCA Registration for AML
SAPI Group Limited (FCA Annex 1 Firm Reference: 1023135) and SAPI Origination Limited (FCA Annex 1 Firm Reference: 1023196) are registered with the Financial Conduct Authority as Annex I firms under the Money Laundering Regulations 2017 for AML supervision.
This means we follow rigorous anti-money laundering and financial crime prevention standards.
Data Protection Compliance
GDPR compliant
SAPI complies with UK GDPR and the Data Protection Act 2018.
ICO registered
- SAPI Group Limited: ICO Registration ZA927191
- SAPI Origination Limited: ICO Registration ZB917929
Your rights:
- Access your data
- Correct inaccurate data
- Request deletion (subject to legal retention requirements)
- Object to processing
- Data portability
Exercise your rights: Contact [email protected]
How SAPI Verifies Your Identity
When you contact SAPI for sensitive changes (bank account updates, business structure changes, balance inquiries), we verify your identity through:
Security Questions
Based on information from your application and account:
Common verification questions:
- Date of birth (for directors/owners)
- Business registration number (Companies House number or UTR)
- Original advance amount
- Recent transaction amounts or dates
- Advance funding date
Why we ask:
Only you (or authorized directors/owners) should know these details, so correct answers confirm your identity.
Email Verification
For email-based requests (changing contact details, requesting statements):
Verification process:
- You email from your registered email address
- We may send a verification code to that email
- You reply with the code to confirm
Why it works:
Access to your registered email proves you're authorized.
Phone Verification
For phone-based requests:
Verification process:
- We ask security questions (see above)
- We may call back your registered phone number
- We may send SMS verification codes
Caller ID limitations:
We don't rely solely on caller ID (easily spoofed). Security questions are required.
Document Verification (High-Risk Changes)
For significant changes (bank account, ownership, business structure):
Documents we may request:
- Photo ID (passport or driving licence)
- Proof of address (utility bill, bank statement dated within 3 months)
- Companies House confirmation (for company changes)
- Bank statement showing new account details
How to submit:
- Email scans/photos to [email protected]
- Upload via secure link (if provided)
- Post original copies (rarely required)
Processing time: 2-3 business days for document verification
Protecting Your Account
What SAPI Will NEVER Ask For
We will never request:
- Your full online banking password or PIN
- Remote access to your computer
- Payment to personal bank accounts (we only use official business accounts)
- Credit card details over the phone (we use secure portals like DocuSign and GoCardless)
- Immediate payment to unusual accounts
If someone claiming to be SAPI asks for these, it's a scam. Hang up and call +44 20 3868 4990 directly.
Recognizing Legitimate SAPI Contact
Official emails come from:
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- Other @sapi.com addresses from specific team members
NOT from:
- @gmail.com, @outlook.com, @yahoo.com
- Misspelled domains (@sappi.com, @sapi-uk.com, etc.)
- Suspicious domains (@sapi-support.com, etc.)
Official phone number:
+44 20 3868 4990
Phishing and Fraud Prevention
Red flags for phishing:
- Urgent requests for immediate action
- Threats of legal action without prior warning
- Requests for sensitive information via email
- Links to non-SAPI websites
- Spelling or grammar errors
- Generic greetings ("Dear Customer" instead of your business name)
If you receive suspicious communications:
1. Do NOT click links or provide information
2. Do NOT call phone numbers in the suspicious email
3. Forward to [email protected] with subject "SUSPECTED PHISHING"
4. Call SAPI directly at +44 20 3868 4990 to verify legitimacy
Secure Your Email Account
Your business email is the primary way SAPI communicates with you:
Security checklist:
- [ ] Strong, unique password (12+ characters)
- [ ] Two-factor authentication enabled
- [ ] Regular password changes (every 6-12 months)
- [ ] Secure device (updated antivirus, no malware)
- [ ] Don't access your email on public WiFi without a VPN
If your email is compromised:
Contact SAPI immediately at +44 20 3868 4990 to update to a new email address.
Secure Your Payment Processor Account
Your payment processor login protects your business revenue:
Security checklist:
- [ ] Strong, unique password
- [ ] Two-factor authentication enabled (all processors offer this)
- [ ] Regular login monitoring (check for suspicious access)
- [ ] Notification alerts enabled (for large transactions, account changes)
If compromised:
1. Contact your payment processor immediately (Stripe, Square, etc.)
2. Reset password and enable 2FA
3. Review recent transactions for fraud
4. Contact SAPI at [email protected] to reconnect Open Banking securely
Data Sharing and Privacy
What Data SAPI Holds
Application data:
- Business registration details
- Director/owner information
- Contact details
- Business bank account information
Payment processing data:
- Transaction history (via Open Banking)
- Daily card sales volumes
- Refunds and chargebacks
Repayment data:
- Direct Debit collections
- Outstanding balance
- Payment history
What We Don't See
SAPI cannot:
- See your customers' personal information (names, emails, card details)
- See your online banking passwords or PINs
- Make transactions through your payment processor
- Withdraw or transfer funds from your accounts
We have read-only access to transaction data only.
Who We Share Your Data With
Service providers:
- GoCardless (Direct Debit processing)
- Open Banking providers (transaction data access)
- Credit reference agencies (for underwriting and arrears reporting)
- Email service providers (for sending statements and notifications)
Legal requirements:
- HM Revenue & Customs (if legally required)
- Financial Conduct Authority (for AML supervision)
- Law enforcement (if compelled by court order)
We NEVER:
- Sell your data to third parties
- Share data for marketing purposes
- Provide data to competitors
Revoking Data Access
You can revoke SAPI's Open Banking access anytime:
Via your payment processor:
1. Log into your payment processor (Stripe, Square, etc.)
2. Navigate to Settings → Connected Apps or Integrations
3. Find SAPI and click "Revoke Access" or "Disconnect"
Via SAPI:
Email [email protected] or call +44 20 3868 4990 to request disconnection.
Note: Revoking access during an active advance may require you to provide manual statements for SAPI to continue servicing your account.
Your Data Rights (GDPR)
Under UK GDPR, you have the right to:
Right to Access (Subject Access Request)
Request a copy of all personal data SAPI holds about you.
How: Email [email protected] with subject "Subject Access Request"
Include: Your full name, business name, SAPI account reference
Response time: Within 1 month
Right to Rectification
Request corrections to inaccurate or incomplete data.
How: Email [email protected] or [email protected] with corrections
Response time: Within 1 month
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data (subject to legal retention requirements).
How: Email [email protected] with subject "Data Deletion Request"
Note: SAPI must retain certain data for regulatory compliance (typically 6-7 years after account closure)
Response time: Within 1 month
Right to Object
Object to processing of your data for marketing purposes.
How: Email [email protected] or click "Unsubscribe" in marketing emails
Note: You cannot object to processing required for servicing your advance
Right to Data Portability
Request your data in a machine-readable format to transfer to another provider.
How: Email [email protected] with subject "Data Portability Request"
Response time: Within 1 month
Reporting Security Concerns
If you experience or suspect:
- Unauthorized access to your SAPI account information
- Phishing emails claiming to be from SAPI
- Suspicious phone calls from someone claiming to be SAPI
- Data breach or leak
Report immediately:
- Phone: +44 20 3868 4990
- Email: [email protected] with subject "SECURITY CONCERN"
SAPI will:
- Investigate immediately
- Take action to secure your account
- Notify you of any confirmed breaches
- Work with you to prevent fraud or unauthorized transactions
Frequently Asked Questions
Q: Does SAPI have access to my customers' card details?
A: No. We see only aggregated transaction data (amounts, dates). We never see customer names, emails, card numbers, or personal details.
Q: Can SAPI make transactions through my payment processor?
A: No. Our Open Banking access is read-only. We cannot process payments, issue refunds, or make any changes to your payment processor account.
Q: How long does SAPI keep my data after I've repaid my advance?
A: We retain data for 6-7 years after account closure for regulatory compliance (AML, tax, financial records). After that, data is securely deleted.
Q: Can I request my data be deleted immediately after repaying?
A: No. Regulatory requirements mandate retention periods. However, you can request deletion of marketing preferences and non-essential data.
Q: Who at SAPI can access my information?
A: Only authorized staff in underwriting, servicing, collections, and compliance teams. Access is logged and monitored. Customer service cannot access data beyond what's necessary to answer your specific query.
Q: Is my data stored outside the UK?
A: No. All SAPI customer data is stored on secure UK-based servers.
Q: What happens to my data if SAPI is acquired or goes out of business?
A: Your data would be transferred to the acquiring entity (with notification to you) or securely deleted in accordance with data protection regulations.
Need Help?
Security concerns: [email protected] or +44 20 3868 4990
Privacy/data requests: [email protected]
Email address changes: [email protected]
Suspected fraud: +44 20 3868 4990 (urgent)
Email: [email protected]
Phone: +44 20 3868 4990
Business Hours: Monday-Friday, 9am-5pm GMT
