Budgit takes the security of our customers very seriously. We use industry-leading practices and technologies to keep information safe. Additionally, because we do not monetize user data, we aim to minimize the personally identifiable information (PII) we store about end-users.
All data is encrypted at rest with AES-256, block-level storage encryption.
We encrypt all data in transit using AES 256-bit encryption. This is the industry-leading encryption standard used by large banks and governments.
For the highest available level of security and trust, we use an Extended Validation SSL certificate. This kind of certificate is subject to a comprehensive verification process to prove that a website belongs to a real company. When accessing Budgit, most modern browsers will show our company's legal name - Budgit, Inc. - in the address bar, next to (or instead of) our domain "https://gobudgit.com".
Budgit relies on Plaid for read-only access to customers' financial accounts. Our token-based integration allows customers to authenticate their bank credentials directly via Plaid, which means bank usernames and passwords never touch our servers or database. Instead of handling bank logins directly, we receive and store a secure token from Plaid, which we can use to access account and transaction data from Plaid.
Read more about Plaid's security policy here.
Budgit is built and hosted entirely on Heroku, which is a container-based cloud platform leveraging Amazon Web Services (AWS). Heroku and Amazon maintain rigorous security practices and are trusted by leading software companies and the US government to securely maintain critical infrastructure. All customer data is housed within Amazon's secure data facilities.
Read more about Heroku's security policy here.
Our staff use mandatory two-factor authentication (2FA) for access to any internal and external systems. Additionally, any end-users signing up for or logging into Budgit's applications must verify their accounts via their mobile phones.
If you have any specific questions, concerns, or potential vulnerability reports, please contact us at firstname.lastname@example.org.