We work with Amazon Web Services, a company trusted by hundreds of financial institutions to keep client data secure. Our server-instances are located in multiple AWS high-security availability zones and are compliant with the requirements outlined in SOC 2 and PCI. Additionally, AWS data centers are compliant with controls found in the the ISO 27001 information security framework.
All communications with Blueleaf’s software run over secure HTTPS with transport layer security (TLS 1.2, formerly SSL) protecting any communications from being intercepted. We authenticate our primary domain with an extended validation certificate from GeoTrust. We continuously monitor our network security posture through automated vulnerability scanning.
Strong encryption is the foundation of a mature information security program. We encrypt data both while in transit and at rest. Where possible, risks are avoided by reducing complexity. For example, sensitive information such as your financial institutions’ usernames and passwords are never stored.
In addition to working with partners who follow industry security best practices, we have implemented policies, procedures, and controls that align with SOC 2, ISO 27001, and the BITS Voluntary Guidelines for Financial Services. Periodically, we employ external consultants to assist in security control development, audit compliance, and perform penetration tests.
We’ve built our infrastructure to collect and store only the information we need to help you understand your finances. We operate under the principle that information is only collected and stored when there is an appropriate business need. Your financial institutions’ usernames and passwords are never stored on our servers. Those usernames and passwords remain on our partners’ secure servers – the same servers that hold client data for Bank of America, Fidelity, and hundreds of other trusted institutions.
We’ll tell you if your password is easy to break so that you can make a better one, but we don’t require arbitrary rules that make it hard to remember. We believe in a balanced approach. We don’t use security questions whose answers are relatively common (such as names of people, pets, or cities). And we’re constantly reading the latest security research to improve your experience and the safety of your information.