Security Policy

Last updated: 2020-09-18

We use this service because we feel safe using it, for whatever that's worth to you. There is a risk associated with giving out your bank account credentials (to us or to any other website that asks for them). Here are the things we do to mitigate that risk:

User accounts

Authentication: There are no passwords for the SimpleFIN Bridge. We send an email to your address with an expiring link to sign in. This is equivalent to the "Reset Password" process on other websites.
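As an added illustration (not SimpleFIN's own code), here is one way an expiring sign-in link token can be issued and checked so that a link is authentic, not yet expired, and usable only once; the signing key, the 15-minute lifetime and the in-memory set of redeemed tokens are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a real deployment loads this from a secret store, not a constant.
SIGNING_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 15 * 60  # assumed lifetime of a sign-in link

# Nonces already redeemed; a real service keeps these in its database (assumption).
_used_nonces = set()


def issue_sign_in_token(email: str, now: Optional[float] = None) -> str:
    """Build an HMAC-signed token carrying the email, an expiry and a one-time nonce."""
    now = time.time() if now is None else now
    expires = int(now) + LINK_TTL_SECONDS
    nonce = secrets.token_urlsafe(16)
    payload = f"{email}|{expires}|{nonce}".encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    # Token format: base64url(payload) "." hex(signature); embed in the emailed link.
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_sign_in_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email if the token is authentic, unexpired and unused; else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_hex = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        email, expires_s, nonce = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(expected, sig_hex):
        return None
    if now > int(expires_s):
        return None  # link expired
    if nonce in _used_nonces:
        return None  # link already redeemed
    _used_nonces.add(nonce)
    return email
```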

Two-Factor Authentication: We recommend you enable SMS 2FA for any data-sensitive actions.

Monitoring: You will be notified every time your bank transaction data is accessed from a new IP address. You can optionally provide a list of IP addresses that are allowed access and deny all others.

Data

In transit: TLS is used for all server-to-server communication.

Bank credentials: We outsource to MX to securely store your bank credentials and access your financial institutions. No bank account credentials ever touch our servers.

Credit cards: We outsource to Stripe to securely store and process credit cards. No credit card information ever touches our servers.

Servers

Hosting: We host our servers with DigitalOcean.

Access: Access to servers is strictly limited to those who need it, over VPN-secured, key-based SSH.

Throttling: Access to servers is rate-limited to mitigate brute-force attacks.

Configuration: Industry standard best-practices are used to configure and update all services, firewalls, accounts, processes and databases.