Security - what you need to know
The security of your data and personal information is of utmost importance to us. We work really hard to ensure that your data is kept safe. In this overview, we outline the ways you can help maintain the security of your own account as well as the steps we take to protect it.
Do you have a security issue you'd like to report to us? Email us on [email protected]. We'll respond promptly.
In this user guide
Bank feed security
PocketSmith does not directly connect with your bank to sync your accounts and transactions. Instead, we use a bank feed provider called Yodlee to help us out. They've been in the industry since 1999, and are held in high regard. 11 of the largest U.S banks trust Yodlee for their services too.
Learn more about Yodlee and how we integrate with them: Yodlee and the security of bank feeds
How you can protect yourself
Increased security with two-factor authentication (2FA)
Use two-factor authentication to add an extra layer of security to your account. With 2FA, your account is protected by something you know (your password) and something you have (your phone). When you log in, you'll be prompted to enter a one-time code generated by your phone. Even if someone found out your password, they won't be able to access your account.
Learn more about how to set up 2FA in this user guide: Two-factor authentication (2FA) on your PocketSmith account
View your login history
In your PocketSmith settings ( Settings > Security) you can view login history for your account. If you spot any suspicious activity, ensure your devices are secure and change your password immediately.
How we protect you
Your connection to PocketSmith
Your connection to PocketSmith is always encrypted. That means that nobody is able to intercept your communication with us. This is especially important if you're using PocketSmith on a public WiFi network. Our transport security implementation was given an A+ rating (as of May 2019) by SSL Labs, which you can access here: https://www.ssllabs.com/ssltest/analyze.html?d=my.pocketsmith.com.
Your data is stored on our own physical servers and is encrypted at rest at the device level. This means if someone was able to access the data centre where the servers operate, they'd be unable to retrieve any data from them.
We don't encrypt fields in the database because it wouldn't be any more secure. Our application would need to decrypt those, and to do that it would have to possess the decryption key. If a bad actor broke into an application server, they could just get that decryption key and render the whole scheme useless.
Your password is not stored in the clear, instead it is hashed with the bcrypt algorithm and then stored. This hash cannot be reversed into your actual password.
Application and network security
We have a team of highly skilled engineers who work on PocketSmith. We have a strong culture of peer review to make sure the code we write is robust and secure. We regularly revisit components of the app and harden them.
We use Cloudflare to help thwart common attacks at the network edge, as well as protection from DDoS attacks.
Physical hardware security
Our servers are protected by various physical security measures, managed by the folks who run the data center.
- Dual-factor authentication for entry
- Concrete block and steel construction
- Staff always present on-site
- Around the clock monitoring of all entries
- Motion-activated cameras throughout
- Man-trap entrance
- Gated parking