Security Manifesto

Updated Sept 24, 2020

Given the current environment where software abuse is rampant and breaches happen every day, we wanted to take a moment to be clear about the multiple steps we take to protect your information. By no means is this manifesto exhaustive. It’s primarily meant to serve as a way for you to quickly and easily understand the steps we take to protect you and your family.

We think about your security across four spectrums:

• How we store your information;

• How our team may access some of your information;

• How we leverage certain infrastructure partners to deliver our services;

• And how we protect your privacy at all times.

Storage

When using our Zeta Money Manager or Zeta Joint Cards, you will invariably share some of your financial information with our services. As such, we work hard to ensure that that information stays only with us, and is not targeted by potential hackers. 

First, we DO NOT store logins for your external financial institutions so as to remove the risk of having that information stolen. Instead, we securely connect to your financial institutions using a third-party tool called Plaid. Plaid is a widely trusted tool used by many leading financial services companies like Chime, Paypal and Robinhood. Plaid is regulated, audited, and vetted several times a year by accredited institutions, including the banking partners they work with. 

In the case of our Joint Cards product, we use stress-tested APIs via our banking partner, LendingClub Bank, N.A., to access your information in real-time. This allows us to leverage secure bank-technology to store your information and only access it for display purposes on our mobile apps. In some rare instances, we may need to store some of your financial data, in which case, that information is tokenized stored in our encrypted data storage only for as long as is necessary.

Access

Access for you and your partner.

We’re incredibly careful about our access protocols for yourself and between partners. We start by setting up individual logins for both you and your partner, including choosing a strong, secure password. That way, there’s no potential for someone to change your information or share that password without your knowledge. Once defined, your password is encrypted so that even if a hacker were to steal all of our users’ passwords, they wouldn’t be able to read them. And finally, we’ve implemented two-factor authentication for accessing your Zeta account so we can reduce the likelihood that anyone other than yourself would have access.

 If you choose to invite your partner to Zeta, we also follow a two-step authentication process to ensure we are communicating with the right person before exposing any personal or financial information with them. This way, we minimize any possibility of someone else accessing your information without your consent.

Access for our team.

Because finances are personal, our team does not access or interact with your personally-identifiable financial data unless we absolutely need to for customer service purposes. In the event that we do need to access this information, our team is trained, audited and compliant to specific access protocols that we’ve put in place as a company. In particular, we’ve implemented multiple systems to ensure that our team doesn’t go looking up your finances for kicks. However, we do analyze anonymous, aggregated data for internal business purposes or to surface insights for benchmarking.

 There are a few situations where your data *may* be accessed:

1. You explicitly give us permission to look at your data. This might be because you’re asking us to help you problem solve through your account or a particular transaction. In this instance, all user data is access-controlled to make sure we only specific people can access it in the first place and that those folks only see the minimum data needed to help resolve your request.

2. If one of our partners, like Plaid or LendingClub Bank, need to access your data (on their systems) to help us resolve an issue. Typically, this is done as part of a customer service request and may not be explicitly communicated by one of our team members.

3. Only a very small group of vetted and trained team members have access to our production database where your information is stored. They’re committed to an extra-strict data access standard and will be immediately dismissed should they violate our data access policy in any way. 

Infrastructure

Zeta’s infrastructure is built on Heroku, which leverages the Amazon Web Service (AWS) technology. Why should you care? Because this is the same tech trusted by many institutions and government agencies - the CIA, for example (yup, that CIA). Amazon and Heroku both have thorough security protocols which you can read all about here and here. For our bank connections, we use APIs provided by Treasury Prime, the direct partner for LendingClub Bank’s core systems. Treasury Prime is one of the industry’s leading vendors in providing secure and reliable data access in the highly regulated banking sector.

Privacy

At the end of the day, all of these security efforts in play impact how your privacy is handled at Zeta. We’ve taken the lead to outline exactly what information we collect, how we collect it, how we might use it and whom we may need to share it with in our Privacy Policy. That said, if you have any specific questions about our security protocols or practices, you can always reach out to us by emailing us at support@askzeta.com.