All bank connections are managed through Plaid, an API used by Coinbase, Robinhood, Truebill, and Venmo. Plaid uses 256-bit bank-grade SSL encryption, and does not under any circumstance relay your login credentials to us or any of their clients.
When we perform identity checks, the information you provide us is encrypted both in transit and at rest:
We use an API called VGS to store sensitive information. VGS is used by companies such as Brex and is backed by Visa. In essence, VGS allows us to substitute non-sensitive aliases (a form of synthetic data) in place of original values. Read more about VGS here.
While in transit, all data is encrypted with TLS/SSL.
For the non-sensitive personally identifiable information that is actually stored in our database (name and email), we use AES-256 for encryption at rest, and we very frequently rotate the keys that could be used to read the data stored in our database.
Important note: your SSN never touches our servers; it is only relayed to our KYC provider (Persona) and then stored in a secure vault managed by VGS.
Why do we collect your SSN in the first place? Because by creating a Slash account, you are opening a bank account with us through our partner bank. This means we are required by the Financial Industry Regulatory Authority (FINRA) — specifically rule 2090 — to verify your identity. We do this with the help of our KYC partner Persona, who cross-references the information you provide us with national databases to verify its validity. Persona is a multi-billion-dollar company used by the world's leading fintech companies.