The security of your data and personal information is of utmost importance to us. We work really hard to ensure that your data is kept safe. We want to tell you about the steps we take, as well as what you can do to keep your account secure. Where applicable, we'll provide supplementary technical information.
If you have a security issue you'd like to report to us, please email us on [email protected]. We'll endeavour to respond promptly.
Your connection to PocketSmith is always encrypted. That means that nobody is able to intercept the communication between your device and our network. This is especially important if you're using PocketSmith on a public WiFi network. Our transport security was given an A+ rating by SSL Labs (as of November 2019).
To ensure the most secure connection to PocketSmith, ensure you use a modern device with an up-to-date operating system.
Your data is stored encrypted on our own physical servers. This means if someone was able to access the data centre where the servers operate, they'd be unable to retrieve any data from them.
All bank feeds connections are read-only. It is not possible for PocketSmith to transfer, move, or do anything else with your bank accounts aside from gathering your transactions and displaying them in your PocketSmith account.
Yodlee is the industry leader in account aggregation services. Founded in 1999, the US company provides digital financial solutions for over 20 million paid users and over 850 financial institutions and financial technology innovators, including Xero, Billguard and Personal Capital. 11 of the 20 largest U.S. banks trust and use Yodlee for their services. We use Yodlee to provide bank feeds in many different countries, supporting over 12,000 institutions.
Yodlee have an excellent security track record, having reported no known data breaches to date.
In order to establish a bank feed with Yodlee, PocketSmith must collect your banking credentials and pass them along to Yodlee to store securely. PocketSmith does not store your banking credentials.
We suggest enabling multi-factor authentication (MFA) at your bank, which means that additional information from you is required in order to sync your bank feed. However, this does mean that PocketSmith will be unable to sync your bank feed automatically without you present.
Salt Edge is a leading global financial provider that adheres to the highest international standards of privacy and security. We use Salt Edge to provide bank feeds for our UK and EU customers. Where possible, Salt Edge will use Open Banking to connect to your bank, which doesn't require us or Salt Edge to know your banking credentials.
In some cases where open banking support is unavailable, Salt Edge will require your banking credentials in order to connect to your bank. In these cases, your banking credentials are submitted directly to Salt Edge and never touch PocketSmith's network.
Akahu is a New Zealand based platform, dedicated to providing simple access to the data that organisations hold about you, and to share that data with trusted third parties like PocketSmith.
Akahu's solution for connecting to your bank has been in the market since 2017. They access banking data via the same mechanisms as your bank's own mobile apps. So when you're adding a connection via Akahu, it's the same thing as if you're registering a new device for your bank's mobile app.
In order to establish this connection, Akahu request your banking credentials and other details to establish a secure connection to your bank. These however are not stored anywhere, and never touch PocketSmith's network. The credentials are passed directly to your bank, and once the connection is established, Akahu receive an access token used to fetch data on an ongoing basis.
You're able to revoke Akahu's access any time from your bank's internal device management page.
We don't store the credit card details used for billing your subscription, instead we use Windcave, a third party who specializes in storing credit card data in a secure and compliant way.
When you enter your credit card information, we pass it straight on to Windcave who then provides us an identifier we can use to bill the card going forward, a process called tokenization. PocketSmith doesn't store your credit card data, and it's disposed of on our side as soon as we pass it on to Windcave.
PocketSmith offers two-factor authentication to all users, paid or not. When enabled, an additional code generated by your phone or other authenticator device will be required in order to log in to PocketSmith. See our two-factor authentication guide on the Learn Center.
PocketSmith logs all successful login attempts, which are available to view under the Security section of the Settings menu in PocketSmith. We recommend keeping an eye on those logs, and if you spot any suspicious activity, ensure your devices are secure and change your password immediately.
You can also manage which apps have access to your PocketSmith account, also available under the Security section. You may wish to revoke access to the PocketSmith mobile app if you lose your phone, or revoke access to any other apps you no longer use or don't recognize.
Only a strict subset of PocketSmith employees are able to access customer data.
To help you with a support request, our support team may access your account in order to diagnose the issue you're facing—being able to see the problem for ourselves will help us resolve the issue for you faster. If you don't want us to access your account, please mention this when you contact us.
In order to perform their roles, some of our engineering and operations teams have access to customer data.
All PocketSmith employees are bound to confidentiality agreements.
We have a team of highly skilled engineers who work on PocketSmith. We have a strong culture of peer review to make sure the code we write is robust and secure. We regularly revisit components of the app and harden them.
PocketSmith uses Cloudflare, a service which sits in front of PocketSmith. It helps to accelerate your PocketSmith experience and thwart common attacks before they reach our servers.
Our servers are protected by various physical security measures, managed by the folks who run the data center.