Security


FinLocker holds security and privacy as a top priority for consumers and our customers. We implement strong security practices similar to those implemented at top financial institutions. We examine best practices, monitor the existing landscape, and engage third-party consultants to constantly challenge our thinking. We invest in upgrading and enhancing FinLocker security and technology based on the changing threat landscape. We safeguard your information with bank-level security such as AES 256-bit TLS encryption and other leading defense-in-depth security controls.

Encryption

All Personally Identifiable Information (PII) or potential PII data is encrypted in memory, in transit, and at rest. We use TLS 1.2 (Transport Layer Security) when transmitting data between your browser and FinLocker and between FinLocker and our partners. When transmitting and storing data internally, we use AES (Advanced Encryption Standard) encryption, which is one of the highest strength encryption technologies available. FinLocker uses the strongest version of AES, known as AES-256.

Password and Account Protection

A username and password are required to enter FinLocker (we store a secure hash of your password; we never store your actual password). If a username and/or password is entered incorrectly after a certain number of “tries”, the account is locked. The consumer is responsible for safeguarding their credentials according to the FinLocker privacy policy. FinLocker only has “read-only” access to the financial accounts with FinLocker, meaning they cannot be altered. Neither our systems nor the lender’s access to the consumer’s financial accounts have any ability to initiate or modify transactions of any type. They cannot perform any action that would in any way cause any financial transaction to occur. The consumer’s financial account data remains with their bank, brokerage, or credit card company; FinLocker only captures a copy of the data retrieved by the parties the consumer has granted access. When you enroll for a consumer credit report, we cannot make any changes to your credit report or take any actions which will affect your credit score.

Physical Security

All data is processed and stored in Microsoft Azure U.S. data centers. Microsoft takes a layered approach to physical security, to reduce the risk of unauthorized users gaining physical access to data and datacenter resources. Datacenters managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the data center floor.

Firewalls and Other Security Precautions

FinLocker has a variety of state-of-the-art technologies to protect the consumer’s information, such as firewalls, intrusion prevention systems, and the inherent security and monitoring by Microsoft of the Azure data centers, networks, and servers.

Third-Party Audit

FinLocker undergoes annual audits such as the SOC 2 Type 2 audit, which tests the effectiveness of a service provider’s (FinLocker’s) security, confidentiality, and operational controls. The American Institute of Certified Public Accountants (AICPA) has developed the Service Organization Controls (SOC) framework, a framework for controls that safeguard the confidentiality and privacy of information stored and processed by a service provider.

External Security Assessments

FinLocker utilizes independent, third-party security experts to assess our system for vulnerabilities and validate appropriate security controls and protection. Several types of tests are performed on a recurring basis, including web application vulnerability assessments and external penetration tests.