The security of your data and personal information is of utmost importance to us. We work really hard to ensure that your data is kept safe. We want to tell you about the steps we take, as well as what you can do to keep your account secure. Where applicable, we'll provide supplementary technical information.
If you have a legitimate security issue that you'd like to report to us, please email us at [email protected]. However, please note that we don't have a formal bug bounty program, and we won't respond to benign issues such as SPF record configuration.
Your connection to PocketSmith is always encrypted. That means that nobody is able to intercept the communication between your device and our network. This is especially important if you're using PocketSmith on a public WiFi network. Our transport security was given an A+ rating by SSL Labs (as of December 2021).
To ensure the most secure connection to PocketSmith, ensure you use a modern device with an up-to-date operating system.
Your data is stored encrypted at rest. This means that if someone were able to access the data centre where the servers operate, they'd be unable to retrieve any data from the storage there.
All bank feed connections are read-only. It is not possible for PocketSmith to transfer, move, or do anything else with your bank accounts aside from gathering your transactions and displaying them in your PocketSmith account.
Yodlee is the industry leader in account aggregation services. Founded in 1999, the US company provides digital financial solutions for over 20 million paid users and over 850 financial institutions and financial technology innovators, including Xero, Billguard and Personal Capital. 11 of the 20 largest U.S. banks trust and use Yodlee for their services. We use Yodlee to provide bank feeds in many different countries, supporting over 12,000 institutions.
In order to establish a bank feed connection with Yodlee, PocketSmith must collect your banking credentials and pass them along to Yodlee to store securely. The credentials are encrypted between you and Yodlee, which means PocketSmith is unable to access them while they traverse our network.
We suggest enabling multi-factor authentication (MFA) at your bank, which means that additional information from you is required in order to sync your bank feed. However, this does mean that PocketSmith will be unable to sync your bank feed automatically without you present.
Salt Edge is a leading global financial provider that adheres to the highest international standards of privacy and security. We use Salt Edge to provide bank feeds for our UK and EU customers. Where possible, Salt Edge will use Open Banking to connect to your bank, which doesn't require us or Salt Edge to know your banking credentials.
In some cases where open banking support is unavailable, Salt Edge will require your banking credentials in order to connect to your bank. In these cases, your banking credentials are submitted directly to Salt Edge and never touch PocketSmith's network.
Akahu is a New Zealand-based platform that has been in the market since 2017, dedicated to providing simple access to the data that organisations hold about you, and to share that data with trusted third parties like PocketSmith.
All data stored by Akahu is encrypted at rest, and they follow industry best-practice around how it's managed and transported. Akahu will request your banking credentials and other details to establish a secure connection to your bank or other provider. Where possible, Akahu won't store those credentials in order to offer the feed. However, depending on the provider, this might not be possible—in these cases, Akahu will store your credentials encrypted to keep them safe. Your credentials never touch PocketSmith's network. Read more about Akahu's safety measures.
We don't store the credit card details used to bill your subscription. Instead we use Windcave, a third party that specializes in storing credit card data in a secure and compliant way.
When you enter your credit card information, we pass it straight on to Windcave, which then provides us with an identifier we can use to bill the card going forward, a process called tokenization. PocketSmith doesn't store your credit card data, and it's disposed of on our side as soon as we pass it on to Windcave.
PocketSmith offers two-factor authentication to all users, paid or not. When enabled, an additional code generated by your phone or other authenticator device will be required in order to log in to PocketSmith. See our two-factor authentication guide on the Learn Center.
PocketSmith logs all successful login attempts, which are available to view under the Security section of the Settings menu in PocketSmith. We recommend keeping an eye on those logs, and if you spot any suspicious activity, ensure your devices are secure and change your password immediately.
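As an added example of the kind of review the login log supports, the Python below parses a few constructed login records and flags the ones a user would want to look at: a device or country not seen before for that account, and a change of country too soon after the previous login to be plausible travel. The record format, field names and sample entries are assumptions for the example; the page does not show PocketSmith's actual log layout, and this is not PocketSmith's code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample login log in a hypothetical "timestamp key=value ..." layout.
# IP addresses are from the documentation ranges reserved by RFC 5737.
SAMPLE_LOGIN_LOG = """\
2021-12-01T08:02:11Z user=alice ip=203.0.113.10 device=iPhone country=NZ
2021-12-02T19:45:03Z user=alice ip=203.0.113.10 device=MacBook country=NZ
2021-12-03T09:12:44Z user=alice ip=203.0.113.10 device=iPhone country=NZ
2021-12-03T09:40:27Z user=alice ip=198.51.100.7 device=Windows country=RU
2021-12-04T11:00:00Z user=bob device=Android ip=192.0.2.5 country=AU
"""


@dataclass
class Login:
    when: datetime
    user: str
    ip: str
    device: str
    country: str


@dataclass
class Alert:
    when: datetime
    user: str
    reasons: list


def parse_login_log(text: str) -> list:
    """Turn the key=value records into Login objects, oldest first; skips malformed lines."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, _, rest = line.partition(" ")
        fields = dict(item.split("=", 1) for item in rest.split() if "=" in item)
        try:
            logins.append(Login(
                datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"),
                fields["user"], fields["ip"], fields["device"], fields["country"],
            ))
        except (KeyError, ValueError):
            continue        # a broken record should not abort the whole review
    return sorted(logins, key=lambda login: login.when)


def review_logins(text: str, travel_window: timedelta = timedelta(hours=2)) -> list:
    """Flag logins that differ from what has been seen for the account so far.

    The first login for each user establishes the baseline and is not flagged.
    """
    history = {}        # user -> {"devices": set, "countries": set, "last": Login}
    alerts = []
    for login in parse_login_log(text):
        seen = history.get(login.user)
        if seen is None:
            history[login.user] = {"devices": {login.device},
                                   "countries": {login.country},
                                   "last": login}
            continue
        reasons = []
        if login.device not in seen["devices"]:
            reasons.append(f"new device {login.device}")
        if login.country not in seen["countries"]:
            reasons.append(f"new country {login.country}")
        last = seen["last"]
        gap = login.when - last.when
        if login.country != last.country and gap <= travel_window:
            reasons.append(f"country changed {last.country}->{login.country} within {gap}")
        if reasons:
            alerts.append(Alert(login.when, login.user, reasons))
        seen["devices"].add(login.device)
        seen["countries"].add(login.country)
        seen["last"] = login
    return alerts


if __name__ == "__main__":
    for alert in review_logins(SAMPLE_LOGIN_LOG):
        print(alert.when.isoformat(), alert.user, "; ".join(alert.reasons))
```

Run against the sample, this reports alice's first MacBook login as a new device (probably fine, but worth recognising) and the Windows login from a new country less than half an hour after an NZ login, which is the sort of entry that should prompt a password change and a review of connected apps.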
You can also manage which apps have access to your PocketSmith account, under the same Security section. You may wish to revoke access for the PocketSmith mobile app if you lose your phone, or revoke access for any other apps you no longer use or don't recognize.
Only a strict subset of PocketSmith employees are able to access customer data.
To help you with a support request, our support team may access your account in order to diagnose the issue you're facing—being able to see the problem for ourselves will help us resolve the issue for you faster. If you don't want us to access your account, please mention this when you contact us.
In order to perform their roles, some of our engineering and operations teams have access to customer data.
All PocketSmith employees are bound by confidentiality agreements.
We have a team of highly skilled engineers who work on PocketSmith. We have a strong culture of peer review to make sure the code we write is robust and secure. We regularly revisit components of the app and harden them.
PocketSmith uses Cloudflare, a service which sits in front of PocketSmith. It helps to accelerate your PocketSmith experience and thwart common attacks before they reach our servers.