We work with Yodlee and Rackspace, companies trusted by hundreds of financial institutions to keep client data secure. Yodlee’s data security meets or exceeds PCI and SAS 70 Level 2 standards. Our servers are located in Rackspace’s high security data center which also meets those standards and follows the ISO 27000 series information security framework.
All interactions with Blueleaf’s software run over secure HTTP with transport layer security (TLS, formerly SSL) protecting any communications from being intercepted. We authenticate our primary domain with an extended validation certificate from Thawte, a Verisign company, two of the oldest and most trusted names in Internet security.
To further ensure the security of data once it is decrypted on our servers, we use dedicated hardware for all client data. We never use shared servers — not even virtual private machines — for confidential information.
Although our servers are highly secure, unencrypted disks and backup tapes can still leak information. We never store your financial institutions’ usernames and passwords in any database, and your personal financial information is encrypted so that backups and used hard drives can only be restored with encryption keys stored off site. This provides comprehensive disaster recovery without sacrificing security.
In addition to working with partners who follow industry standards, we review and follow the practices outlined in PCI, SAS 70, ISO 27000 series, and BITS Voluntary Guidelines for Financial Services. From time to time, we employ external consultants or auditors to verify our compliance.
We’ve built our infrastructure to collect and store only the information we need to help you understand your finances. We intentionally do not collect sensitive data such as account numbers, birth dates or addresses, and never store your financial institutions’ usernames and passwords on our servers. Those usernames and passwords remain on our partners’ secure servers – the same servers that hold client data for Bank of America, Fidelity, and hundreds of other trusted institutions.
We’ll tell you if your password is easy to break so that you can make a better one, but we don’t require arbitrary rules that make it hard to remember. We don’t use security questions whose answers are relatively common (such as names of people, pets, or cities). And we’re constantly reading the latest security research to improve your experience and the safety of your information.