Security Policy

Last updated: 2021-10-18

We use this service because we feel safe using it, for whatever that's worth to you. There is a risk associated with giving out your bank account credentials (to us or to any other website that asks for them). Here are the things we do to mitigate that risk:

Third-Party Audit

We have employed a third-party security company to perform testing against this service. View a summary of the report here.

User accounts

Authentication: There are no passwords for the SimpleFIN Bridge. We send you an email address with an expiring link to sign in. This is the equivalent to the "Reset Password" process for other websites.

Two-Factor Authentication: We recommend you enable SMS 2FA for any data-sensitive actions.

Monitoring: You will be notified every time your bank transaction data is accessed from a new IP address.


In transit: TLS is used for all server-to-server communication.

Bank credentials: We outsource to MX to securely store and access your financial institutions. No bank account credentials ever touch our servers.

Credit cards: We outsource to Stripe to securely store and process credit cards. No credit card information ever touches our servers.


Hosting: We host our servers with DigitalOcean.

Access: Access to servers is strictly limited to only those that need it via VPN-secured, keyed SSH. If staff requires access to a users' transaction information for debugging purposes, the user must first specifically grant debugging access. The number of transactions accessed will be logged. Debugging access granted to staff automatically expires and can also be explicitly revoked by users.

Throttling: Access to servers is rate-limited to limit brute-force attacks.

Configuration: Industry standard best-practices are used to configure and update all services, firewalls, accounts, processes and databases.