
Security

The security of your data and personal information is of utmost importance to us, and we work hard to keep your data safe. On this page we describe the steps we take, as well as what you can do to keep your account secure. Where applicable, we'll provide supplementary technical notes.

If you have a security issue you'd like to report to us, please email us at [email protected]. We'll endeavour to respond promptly.

Your connection to PocketSmith

Your connection to PocketSmith is always encrypted using TLS. That means nobody sharing the network path between your device and our network, such as other users of a public WiFi network, can read or tamper with the communication. Our transport security was given an A+ rating by SSL Labs (as of November 2019).

To get the most secure connection to PocketSmith, use a modern device with an up-to-date operating system and browser, so that the strongest cipher suites we support can be negotiated.

Technical notes:

  • We support a range of TLS cipher suites that balance security against device support, so the cipher suite negotiated may vary between devices. Older devices may only be able to negotiate weaker cipher suites.
  • Because we use Cloudflare, TLS is terminated at Cloudflare's network edge and a separate TLS connection is then made to our origin servers. See the Cloudflare section for further details.

Security of stored data

Your data is stored encrypted at rest on our own physical servers. This means that if someone were able to access the data centre where the servers operate and remove the disks, they'd be unable to read any data from them.

Technical notes:

  • We don't encrypt individual fields in the database. Our application would need to decrypt those fields to use them, and to do that it would have to hold the decryption key. A bad actor who broke into an application server could simply take that key along with the data, rendering the whole scheme useless.
  • Instead, we focus our efforts on preventing unauthorized access in the first place.
  • Your password is never stored in the clear. Instead it is hashed with the bcrypt algorithm, which adds a random salt and is deliberately slow to compute, and only the hash is stored. The hash cannot be reversed into your actual password; the most an attacker holding it could do is guess candidate passwords one at a time, which is why a long, unique password still matters.

Bank feed security

PocketSmith uses two companies to deliver bank feeds for our customers: Yodlee and Salt Edge.

All bank feed connections are read-only. It is not possible for PocketSmith to transfer money, move funds, or do anything else with your bank accounts aside from gathering your transactions and displaying them in your PocketSmith account.

Yodlee bank feeds

Yodlee is the industry leader in account aggregation services. Founded in 1999, the US company provides digital financial solutions for over 20 million paid users and over 850 financial institutions and financial technology innovators, including Xero, Billguard and Personal Capital. 11 of the 20 largest U.S. banks trust and use Yodlee for their services. We use Yodlee to provide bank feeds in many different countries, supporting over 12,000 institutions.

Yodlee have an excellent security track record, having reported no known data breaches to date.

In order to establish a bank feed with Yodlee, PocketSmith must collect your banking credentials and pass them along to Yodlee to store securely. PocketSmith does not store your banking credentials; they are handled only transiently while being passed to Yodlee.

We suggest enabling multi-factor authentication (MFA) at your bank, which means that additional information from you is required in order to sync your bank feed. However, this does mean that PocketSmith will be unable to sync your bank feed automatically without you present.

Salt Edge bank feeds

Salt Edge is a leading global financial provider that adheres to the highest international standards of privacy and security. We use Salt Edge to provide bank feeds for our UK and EU customers. Where possible, Salt Edge will use Open Banking to connect to your bank, which doesn't require us or Salt Edge to know your banking credentials.

In some cases where open banking support is unavailable, Salt Edge will require your banking credentials in order to connect to your bank. In these cases, your banking credentials are submitted directly to Salt Edge and never touch PocketSmith's network.

Credit card details

We don't store the credit card details used for billing your subscription, instead we use Payment Express, a third party who specializes in storing credit card data in a secure and compliant way.

When you enter your credit card information, we pass it straight on to Payment Express, who then provide us with an identifier (a token) we can use to bill the card going forward, a process called tokenization. PocketSmith doesn't store your credit card data; it's discarded on our side as soon as we pass it on to Payment Express.

For further information, please refer to Payment Express's privacy policy.

Two-factor authentication

PocketSmith offers two-factor authentication to all users, paid or not. When enabled, an additional code generated by your phone or other authenticator device will be required in order to log in to PocketSmith. See our two-factor authentication guide on the Learn Center.

Login history and authorized apps

PocketSmith logs all successful logins, and the history is available to view under the Security section of the Settings menu in PocketSmith. We recommend keeping an eye on it, and if you spot any login you don't recognize, ensure your devices are secure and change your password immediately.
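As an added example (constructed data and an assumed line format, not PocketSmith's export or code), this is the kind of check an analyst would run over a login history to surface logins worth a second look:

```python
from datetime import datetime, timezone

# Constructed sample login history (not real PocketSmith data; the line format
# "timestamp ip country user-agent" is an assumption for this example).
SAMPLE_LOGINS = """\
2019-11-01T08:02:11Z 203.0.113.5 NZ Chrome/78 on macOS
2019-11-02T19:40:03Z 203.0.113.5 NZ Chrome/78 on macOS
2019-11-03T07:55:42Z 198.51.100.23 NZ PocketSmith iOS 3.4
2019-11-03T08:10:09Z 192.0.2.77 RU Firefox/70 on Windows
2019-11-04T21:12:30Z 203.0.113.5 NZ Chrome/78 on macOS
"""


def parse_logins(text):
    """Turn the assumed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, country, agent = line.split(maxsplit=3)
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "ip": ip, "country": country, "agent": agent})
    return events


def find_suspicious_logins(events, travel_hours=6):
    """Return [(ip, [reasons])] for logins that deviate from the history so far.

    Three cheap heuristics: a country never seen before, two countries closer
    together in time than travel allows, and a browser/app never seen before.
    The first login establishes the baseline and is never flagged. A new
    browser/app is a weak signal on its own (installing the mobile app trips
    it); a new country plus impossible travel is the combination to act on."""
    seen_countries, seen_agents = set(), set()
    alerts = []
    prev = None
    for event in sorted(events, key=lambda e: e["time"]):
        reasons = []
        if seen_countries and event["country"] not in seen_countries:
            reasons.append("new country %s" % event["country"])
        if prev is not None and prev["country"] != event["country"]:
            gap_hours = (event["time"] - prev["time"]).total_seconds() / 3600
            if gap_hours < travel_hours:
                reasons.append("%s then %s within %.1fh"
                               % (prev["country"], event["country"], gap_hours))
        if seen_agents and event["agent"] not in seen_agents:
            reasons.append("new browser/app: " + event["agent"])
        if reasons:
            alerts.append((event["ip"], reasons))
        seen_countries.add(event["country"])
        seen_agents.add(event["agent"])
        prev = event
    return alerts


if __name__ == "__main__":
    for ip, reasons in find_suspicious_logins(parse_logins(SAMPLE_LOGINS)):
        print(ip, "->", "; ".join(reasons))
```

On the sample, the iOS login is flagged only for a new app, while the RU login trips all three heuristics: that is the one to treat as a compromise and respond to with a password change and a review of authorized apps.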

You can also manage which apps have access to your PocketSmith account, also available under the Security section. You may wish to revoke access to the PocketSmith mobile app if you lose your phone, or revoke access to any other apps you no longer use or don't recognize.

Personnel

Only a strict subset of PocketSmith employees are able to access customer data.

To help you with a support request, our support team may access your account in order to diagnose the issue you're facing—being able to see the problem for ourselves will help us resolve the issue for you faster. If you don't want us to access your account, please mention this when you contact us.

In order to perform their roles, some of our engineering and operations teams have access to customer data.

All PocketSmith employees are bound to confidentiality agreements.

Application and network security

We have a team of highly skilled engineers who work on PocketSmith. We have a strong culture of peer review to make sure the code we write is robust and secure. We regularly revisit components of the app and harden them.

Cloudflare

PocketSmith uses Cloudflare, a service which sits in front of PocketSmith. It helps to accelerate your PocketSmith experience and thwart common attacks before they reach our servers.

Technical notes:

  • Cloudflare terminates TLS when your request reaches Cloudflare's edge servers, then makes its own TLS connection to our origin servers. The connection between you and Cloudflare is encrypted, as is the connection between Cloudflare and PocketSmith.
  • However, between those two connections the decrypted contents of your communication are available to Cloudflare, so Cloudflare is a party you are trusting along with us.

Physical hardware security

Our servers are protected by various physical security measures, managed by the folks who run the data centre:

  • Dual-factor authentication for entry
  • Concrete block and steel construction
  • Staff always present on-site
  • Around the clock monitoring of all entries
  • Motion-activated cameras throughout
  • Man-trap entrance
  • Gated parking
© PocketSmith Ltd. All rights reserved