YNAB tree logoAustralian flag
It looks like you're located in Australia.
We have an Australian version of our website.

Please confirm your location and we’ll send you to the appropriate site!
I'm in Australia
No, I'm not in Australia

Security

We like to joke around a lot, but here is where we stop and become quite serious.

Watch "How YNAB Protects Your Data." Video length: 1 minute, 24 seconds

Last Modified: October 7, 2025

Access

The YNAB Team does not access or interact with customers’ data as part of normal operations. There are cases where a customer requests that YNAB access their information, or where required by law. All data is access-controlled, accompanied by customer approval, and carries with it documentation surrounding the reason for access and the access start and end time.

(See our Privacy Policy for details on how we might use aggregate data for internal business purposes.)

Your YNAB account password is one-way salted and hashed using multiple iterations of a key derivation function for passwords. (Those sound like made up words, but these are best practices!) Even if someone were to steal the YNAB database of passwords, they would not know your password and would be forced to (very slowly!) guess every possible password in order to find it.

We prevent brute force password attacks (where an attacker attempts to guess the password for an account many times in a row) and help you choose stronger passwords by ensuring that they are long, strong and random.

Also, should you (sadly) choose to delete your YNAB account, all of your financial data is completely and irreversibly removed from the YNAB database. We do not simply mark your account as inactive. We completely destroy all account data. (To be clear, you explicitly request this nuclear deletion. If you happen to let your account lapse accidentally, we don’t assume you mean DESTROY ALL MY DATA. That’d be a horrible assumption.)

Data Retention

We retain account data for a period of time after an account expires, whether through trial expiration or subscription expiration, unless you delete your account as described above.

More information on data retention can be viewed in our Privacy Policy.

Infrastructure

Our entire infrastructure is built on Heroku, which in turn is built on the technology of Amazon Web Services (AWS). Amazon continually manages risk and undergoes recurring assessments to comply with industry standards. Heroku’s entire security policy is here. Amazon’s physical infrastructure (and thus Heroku’s), are accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

PCI-DSS

PCI-DSS is a security standard that companies must adhere to when processing cardholder data. We use a PCI-DSS certified payment provider (Recurly) to process our credit cards, and have engineered our payment forms in such a way that your payment details are sent directly to Recurly’s systems rather than ours, further increasing security.

Direct Import

In order to provide Direct Import services, we partner with financial data aggregation specialists. In the context of YNAB, data aggregation is the process of collecting your accounts and transaction data from your financial institution and transmitting it to YNAB. You can learn more about this in our Help Docs. During this process, YNAB does not view or store your bank credentials, and instead relies upon our partners and their industry-leading security precautions to ensure your information is safe.

Some financial institutions enable Direct Import connections through a method called OAuth. OAuth allows YNAB to access your account and transaction data without you having to provide your online banking credentials to an intermediary. Instead, you can authenticate directly with your financial institution, who gives permission (through a digital token) for the aggregation specialist to receive the account and transaction information YNAB needs.

Traffic

All data sent between your computer and YNAB is bank-grade or better encryption. YNAB forces your browser to use an encrypted connection and won’t let your computer talk to our servers unless that connection is secure. We use industry standard data encryption at rest and in transit.

Social Engineering Security

This massive technical feat resulting in a moat of fire-breathing space dragons surrounding your data is useless if someone cons you into handing them your username and password.

  1. No YNAB Team member will ever initiate communication with you and ask for your username or password. If someone asks you for either of those, it’s not us. Only provide your username and password when logging into YNAB.
  2. YNAB will always use https://app.ynab.com as the domain name. Always look for this when logging into YNAB, or following any link clicked from a bookmark or email.

Always Vigilant

Bug Bounty Program

We have also taken a page from companies like Google and Amazon, and have a public bug bounty program where we pay “good guy” hackers that find any vulnerabilities or weaknesses in our systems. If you would like to report a vulnerability, please do so on our Bugcrowd Bounty Page.

Further reading

If you need to get our attention about anything else security related, please do so at security@ynab.com. To learn more about how we protect your data from a legal standpoint, we spell all of that out in our Privacy Policy. For even lighter reading, take a look at our Terms of Service.

Security Trust Center

Visit our Trust Center for a clear view of the security controls and measures we have in place to safeguard your information.

YNAB Tree Logo
Copyright © 2025, YNAB. All Rights Reserved.
YNAB is an agent of Plaid Financial Ltd., an authorised payment institution regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 (Firm Reference Number: 804718). Plaid provides you with regulated account information services through YNAB as its agent.
What Is YNAB?
Learn
Share YNAB
Pricing
Company
Programs
App
Legal
Company
AboutCareersPressYNAB: The Book
Programs
YNAB for the WorkplaceYNAB for College StudentsCertified CoachingYNAB For Good
App
StatusWhat's NewAPICancellationContact Support
Legal
TermsSecurityPrivacy PolicyCalifornia Privacy PolicyAccessibility
Your Privacy Choices