Security Policy

Last updated: 2024-08-27

We use this service because we feel safe using it, for whatever that's worth to you. There is a risk associated with giving out your bank account credentials (to us or to any other website that asks for them). Here are the things we do to mitigate that risk:

Third-Party Audit

We have employed a third-party security company to perform testing against this service. View a summary of the report here.

User accounts

Authentication: There are no passwords for the SimpleFIN Bridge. You may sign in either with a passkey or with a code sent to your email address. This is the equivalent to the "Reset Password" process for other websites.

Two-Factor Authentication: We recommend you enable 2FA using a TOTP authenticator for any data-sensitive actions.

Monitoring: You will be notified every time your bank transaction data is accessed from a new IP address.

Data

In transit: TLS is used for all server-to-server communication.

Bank credentials: We outsource to MX to securely store and access your financial institutions. No bank account credentials ever touch our servers.

Bank data: If staff requires access to a users' transaction information for debugging purposes, the user must first specifically grant debugging access. The number of transactions accessed will be logged. Debugging access granted to staff automatically expires and can also be explicitly revoked by users.

Credit cards: We outsource to Stripe to securely store and process credit cards. No credit card information ever touches our servers.

Servers

Hosting: We host our servers with DigitalOcean.

Access: Access to servers is strictly limited to only those that need it via VPN-secured, keyed SSH.

Throttling: Access to servers is rate-limited to limit brute-force attacks.

Configuration: Industry standard best-practices are used to configure and update all services, firewalls, accounts, processes and databases.