We’re serious about data security and privacy.
Our application is built on a world-class, modern cloud infrastructure designed to ensure the safety of your data. We have chosen proven third party cloud providers like Amazon Web Services, who have a consistently excellent security track record.
Ensuring the safety and privacy of your data is baked into our everyday processes throughout our organization. We take regular data backups and test recovery, run penetration testing, encrypt all data at rest and in transit, conduct static code analysis and third party vulnerability scanning, sanitize our logs, secure individual customers at the database level, and many other cloud security techniques.
We’re not in the business of selling your data (anonymized or otherwise). You own your data and we will never sell it to third parties. We also won’t look at your data unless you give us permission for a support case.
Scroll down for information about specific security practices, and read our privacy policy, customer terms of service, list of third party data subprocessors, and GDPR commitment in our legal center.
bankIO is compliant with the EU’s General Data Protection Regulation (GDPR) with a privacy-by-design architecture, clear privacy policies for visitors and users, and features to help people manage and download their personal information.
Read more about our GDPR commitment
Security features
Product security
| Permissions | Global access roles allow admins to set permission levels for everyone in the workspace, and project-level access controls allows permission levels to be set for specific projects. |
| Secure passwords | bankIO enforces a password complexity standard and credentials are stored using BCrypt with unique salts. |
| SSO via Google | Admins can instruct users to authenticate to bankIO in one click using their Google account. They’ll never need to set a password with us to log in to their account or to sign up, even if they’re creating a new account. |
| High availability | We ensure high availability with automated and manual testing, statically typed languages, regular performance benchmarking, production logging and alerts, 24/7 on-call rotations, fast continuous deployments, and industry-standard cloud infrastructure. |
Network and application security
| Hosting and storage | bankIO services and data are hosted in Amazon Web Services (AWS) facilities (eu-central-1) in the United States. All data is encrypted at rest via AWS RDS AES-256 Encryption. |
| RLS policies | Customer segregation and access to all data is enforced through PostgreSQL Row Level Security (RLS) using transaction-scoped config variables, referenced in RLS policies. |
| Encryption | Data is encrypted while moving between us and the browser with Transport Level Security (TLS). All SSL certificates are issued and managed through AWS, and we enable HTTP Strict Transport Security (HSTS). We score an ‘A+’ rating on Qualys SSL Labs‘ tests. |
| Obfuscated data | Customer data is obfuscated in the database using roles. During a support case, if it is absolutely necessary to view customer data, we will seek written permission from the customer first via email. |
| Vulnerability scanning | bankIO uses third party security tools to scan for vulnerabilities. Our engineers respond to issues raised. We have no vulnerabilities on the OWASP Top 10 and a maximum CVSS score of 0.0. |
| Penetration testing | We perform independent third-party manual penetration testing on an annual basis. |
| Brute force prevention | We employ password strength requirements, Cross-Site Request Forgery (CSRF) protection, secure password reset practices, and log in attempt rate limiting with automated account lockout. We also use a large email domain blacklist to prevent malicious actors and spam. |
| Backups & monitoring | We use AWS RDS’ backup solution for datastores that contain customer data. Data is automatically backed up every 10 minutes, and we keep daily backups for 14 days. On an application level, we store logs for all activity through AWS CloudWatch, and all actions taken on production consoles or in the application are logged. Logs are stored for 30 days. |
| Incident response | Our engineering team has a 24 / 7 on-call rotation and escalation policy, with production alerts captured and automatically escalated. |
Compliance
| CAIQ | We have completed the Cloud Security Alliance (CSA) CAIQ self-assessment questionnaire, which is available through the CSA’s STAR registry. |
| VSA | We have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire, contact us for a copy. |
| Google VSAQ | We have completed responses for Google’s open source vendor security assessment questionnaire (VSAQ) tool, contact us for a copy. |
| OWASP | The most recent penetration test reported no vulnerabilities on the OWASP 2013 Top 10 and OWASP 2017 Top 10. |
Other security features
| Employee training | All employees complete annual Security and Awareness training. |
| Confidentiality | All employee and contractor agreements include a confidentiality clause. |
| Background checks | We perform background and reference checks on new employees to the full extent permitted by local privacy legislation. |
| Policies | Our internal security policies cover a range of topics, and are updated frequently and shared with all employees and contractors. |