Our Security Manifesto
Given the current environment where software abuse is rampant and breaches happen every day, we wanted to take a moment to be clear about the multiple steps we take to protect our data.
We DO NOT store logins for your financial institutions, so as to avoid becoming a target for potential hackers. Instead, we securely connect to your financial institutions using a third-party tool called Plaid. Plaid is a widely trusted tool used by many financial services companies like Betterment and Robinhood. Plaid is regulated, audited, and vetted several times a year by accredited institutions, and by the banks themselves. We've entrusted them with handling the connection to your bank on our behalf, and we simply have a data subscription to your transaction histories and account balances. They exceed the general practice policies the financial industry has put in place, like PCI Compliance and SOC2.
Because finances are a personal thing, our team does not access or interact with your personally-identifiable financial data as part of our regular operations. While our team is able to see the institution and types of accounts you might have, we don’t see any balances or transactions. We’ve implemented multiple systems to ensure that our team doesn’t go looking up your finances for kicks. However, we do analyze anonymous, aggregated data for internal business purposes or to surface insights through our benchmarking tool.
There are two situations where your data *may* be accessed:
1. You explicitly give us access to look at your data. This might be because you’re signing up for our recommendations or asking us to help you solve a problem with your account. In this instance, all user data is access-controlled to make sure we are only seeing what you want us to see.
2. Only a small group of people on our team have access to our production database where your information is stored. They’re committed to an extra-strict data access standard and will be immediately dismissed should they violate our data access policy in any way.
Lastly, we’re incredibly thoughtful about access protocols for you and your invited partner. We start by helping you choose a strong, secure password. Once defined, your password is encrypted so that even if someone were to steal all of our users’ passwords, they wouldn’t be able to read them. If you love Zeta enough to invite your partner, we follow a two-step authentication process with them before exposing what you’ve chosen to share with them. Why? Because we’re anal and want to be really, really sure.
Zeta’s infrastructure is built on Heroku, which leverages Amazon Web Services (AWS) technology. Why should you care? Because this is the same tech trusted by many institutions and government agencies - the CIA, for example (yup, that CIA). Amazon and Heroku both have thorough security protocols, which you can read all about here and here.