The following describes the organizational and technical measures we implement platform-wide to prevent unauthorized access, use, alteration, or disclosure of customer data. Our services operate on Amazon Web Services (“AWS”); this policy describes our activities within its instance on AWS unless otherwise specified.
Incident Response Plan
We have implemented a formal procedure for security events and have educated all our staff on our policies.
When security events are detected, they are escalated to appropriate teams who are notified and assembled to rapidly address the event.
After a security event is fixed, we write up a post-mortem analysis.
The analysis is reviewed in person, distributed across the company, and includes action items that will make the detection and prevention of a similar event easier in the future.
We will promptly notify customers in writing upon verification of a security breach of our services that affects customer data. Notification will describe the breach and the status of our investigation.
Infrastructure
All our services run in the cloud. We do not run our own routers, load balancers, DNS servers, or physical servers.
All our infrastructure is spread across 3 AWS data centers (availability zones) and will continue to work should any one of those data centers fail unexpectedly. Amazon does not disclose the location of its data centers. As such, we build on the physical security and environmental controls provided by AWS. See http://aws.amazon.com/security for details of AWS security infrastructure.
All our resources are within their own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our network. Resource-to-resource communication is also restricted.
We use a secure backup solution for customer datastores and test backups regularly.
Data
Services and data are hosted in Amazon Web Services (AWS) facilities in the US only (us-east-1 and us-west-1).
Production environments are sandboxed from testing environments.
Data stores are accessible only by systems and personnel that require access.
Data access keys are stored separately from our source code repository and only available to the systems that require them.
Customer data is encrypted at rest using the industry-standard AES-256 encryption algorithm.
All data sent to or from our systems is encrypted in transit using 256-bit encryption.
We engage certain sub-processors to process customer data. These sub-processors are:
Amazon Web Services, Inc. (US) – Hosting and storage
Auth0, Inc. (US) – Identity and access management
Unit Finance, Inc. (US) – Banking-as-a-service platform
Plaid, Inc. (US) – Financial data connectivity
Atomic Financial, Inc. (US) – Direct deposit switch
Twilio, Inc. (US) – SMS functionality
Intercom, Inc. (US) – Customer support interface
Stripe, Inc. (US, IRE) – Billing and payments
Authentication and Authorization
Our services and applications are served 100% over HTTPS.
We run a zero-trust corporate network: being on our network grants no access to corporate resources and no additional privileges.
Two-factor authentication (2FA) and strong password policies are enabled on all third-party cloud services to ensure access is protected.
We utilize Auth0, an industry leader, for customer user authentication.
We require two-factor authentication (2FA) and strong password policies with our customer user authentication.
Public-facing APIs are protected with OAuth 2.0, an industry standard for authorization.
Build and Deployment
Builds and deployments are fully automated to safely and reliably roll out changes to applications and infrastructure within minutes.
Logging and Monitoring
All infrastructure activity and operational data is logged and monitored.
All user access to our applications is logged and audited.
A web application firewall (WAF) filters and monitors HTTP traffic between the Internet and our web-based applications and services.
Security Audits and Certifications
Our system regularly undergoes third-party security reviews and penetration testing to identify potential vulnerabilities and ensure that they are addressed.