Security overview

Security is paramount at Balance. Shipping secure and reliable software is not just our top priority but also a key feature. Here is an overview of our security practices at Balance.

Your financial data is secure

We have read-only access to your financial data. In other words, we cannot debit, credit, or transfer money to and from your account. Balance does not store or have access to banking credentials. We cannot obtain them, we do not need them, and we do not store them. We use a trusted partner, Plaid, as our data aggregator to provide financial data securely.

Your data is protected

Sensitive and private information stored in our databases is encrypted and only accessible using a secret key. This means that if someone were to obtain access to the database, they would not be able to read any private data. However, they would be able to read the metadata, which is considered non-sensitive. In addition to the database being encrypted at-work, it is also encrypted when at-rest. This means that any backups of the database are encrypted and only accessible to system administrators. Lastly, whenever your data is in transit between you and us, everything is encrypted, and sent using HTTPS.

Your data is yours

We never sell or trade your data. Unlike services like Mint, which may show you targeted ads, your data remains secure within Balance.

We enforce good authentication regime

When you sign up for Balance, we ensure your password is secure and not compromised. We securely compare it to https://haveibeenpwned.com/ (a service which maintains a database of leaked and compromised passwords) and prompt you to change it if your password has been exposed. This safeguards you (and us) from attackers attempting to access your account. Additionally, we are also implementing two-factor authentication (like a security or biometric key) to further protect your account.

Audited access to production servers

All interactions with production servers via the console are recorded and audited. Sensitive data is hidden by default and an employee or contractor must obtain written consent from the user before accessing it. Access and commands are audited on a weekly basis.

Our subprocessors

Balance uses third-party services to run our applications. Here is a complete list of our subprocessors:

  • AppSignal — Infrastructure and application monitoring.
  • CloudFlare — Cloud services provider.
  • New Relic — Application performance monitoring
  • Plaid — Financial data provider.
  • PlanetScale — Managed database provider.
  • Hetzner — Cloud services provider.
  • Stripe — Payment processing services.

If you have any questions about security at Balance, please reach out to [email protected].