All bank connections are managed through Plaid, an API used by Coinbase, Robinhood, Truebill, and Venmo. Plaid uses 256-bit bank-grade SSL encryption, and does not under any circumstances relay your login credentials to us or any of their clients.
When we perform identity checks, the information you provide us is encrypted both in transit and at rest:
We use an API called VGS to store sensitive information. VGS is used by companies such as Brex and is backed by Visa. In essence, VGS allows us to substitute non-sensitive aliases (a form of synthetic data) in place of original values. Read more about VGS here.
While in transit, all data is encrypted with TLS/SSL.
For the non-sensitive personally identifiable information that is actually stored in our database (name and email), we use AES-256 for encryption at rest, and very frequently rotate the keys that could be used to read the data stored in our DB.
Important note: your SSN never touches our servers; it is only relayed to our KYC provider (Alloy) and then stored in a secure vault managed by VGS.
Because we are letting you create cards and transfer money, we are required by the Financial Industry Regulatory Authority (FINRA) — specifically Rule 2090 — to verify your identity. We do this with the help of our KYC partner Alloy, which cross-references the information you provide us with national databases to verify its validity. Alloy is used by banks such as Ally and by every major fintech company in the United States.