Security Standards
LAST UPDATED November 14, 2022
Access
The Approve Owl Team does not access or interact with an organization's data as part of normal operations. There are cases where an organization can requests that we access their data, or where required by law. However, we do analyze anonymous, aggregate data for internal business purposes. See our privacy policy for details.
Applicants can access their own data with a one-time password (OTP) tied to a phone number registered with our platform.
For organization users, password storage is one-way salted and hashed using multiple iterations of a key derivation function for passwords. Organization user access can also be managed by a third-party authorization suite such as Microsoft Azure Active Directory or Google Workspace.
We prevent brute force attacks on our systems with request rate limiting and exponential time delays.
Data Retention
If a member of your organization chooses to delete an applicant profile or if an applicant chooses to delete their own profile, We do not simply mark the profile as inactive. We completely destroy all related applicant data.
We retain profile data for a period of time after a profile expires, unless deletion is manually invoked as described above. Once a profile has become inactive beyond the period of time described in your organization's configuration, we will delete the related data.
Infrastructure
Our entire infrastructure is built on Heroku, which in turn is built on the technology of Amazon Web Services (AWS). This is the same technology trusted by government agencies. Amazon continually manages risk and undergoes recurring assessments to comply with industry standards. Heroku's entire security policy is here. Amazon's physical infrastructure (and thus Heroku's), are accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
PCI
PCI is an security standard that companies must adhere to when processing credit cards. We use PCI certified payment providers (Stripe and QuickBooks depending on invoicing) to process our credit cards, and have engineered our payment forms in such a way that your payment details are sent directly to their systems rather than ours, further increasing security.
Approve Owl does not store any organization or applicant payment details that would need to be governed by PCI.
Security Monitoring
We employ a variety of methods to monitor and alert our staff of security issues from automatic detection of vulnerable dependencies and static analysis of our application code to proactive network traffic monitoring.
Financial Institution Data
In order to provide access to financial details, we partner with financial data aggregation specialists Plaid. In the context of Approve Owl, data aggregation is the process of collecting your accounts and transaction data from your financial institution and transmitting it to Approve Owl. You authorize the aggregator to carry out this process on Approve Owl's behalf. You can learn more about Plaid's individual security policies and practices on their websites.
During this process, Approve Owl does not view or store your bank credentials, but relies upon our partners and their industry-leading security precautions to ensure your information is safe.
Some financial institutions enable connections through a method called OAuth. OAuth allows Approve Owl to access your account and transaction data without you having to provide your online banking credentials to an intermediary—in this case Plaid. Instead, you can authenticate directly with your financial institution, who gives permission (through a digital token) for Plaid to receive the account and transaction information Approve Owl needs to power your budget.
Third-Party Data Processors
Besides receiving Non-Public Information (NPI) from Plaid for our own processing, we do send NPI data out to the following data processors to verify or improve the quality of the data:
- SentiLink - SOC 2 Type 2 compliance, PCI compliance
We also send consumer data to following data processors, but the data we send is not considered NPI data:
Encryption
All data in transit between a user or applicant and Approve Owl is encrypted. Approve Owl forces browsers to use an encrypted connection and refuses insecure connections of any kind.
Database
Your data is encrypted at rest when stored on servers. Data is also encrypted in transit from the database servers and our applicant servers is encrypted. We also encrypt sensitive data such as social security numbers and other personally identifiable information (PII) within the database using a 256-bit encryption (AES-256-GCM).
Uploaded Documents
All uploaded documents are encrypted with a 256-bit encryption (AES-256-GCM) at rest and documents are also encrypted in transit to and from storage.
Further reading
If you need to get our attention about anything else security related, please do so at [email protected]. To learn more about how we protect your data from a legal standpoint, please view our privacy policy and terms of use.