We like to joke around a lot, but here is where we stop and become quite serious.
The YNAB Team does not access or interact with customers’ data as part of normal operations. There are cases where a customer requests that YNAB access their information, or where required by law. All data is access-controlled, accompanied by customer approval, and carries with it documentation surrounding the reason for access and the access start and end time. A YNAB Team member’s violation of our customer data access policy will result in immediate dismissal.
Your YNAB account password is one-way salted and hashed using multiple iterations of a key derivation function for passwords. (Those sound like made up words, but these are best practices!) Even if someone were to steal the YNAB database of passwords, they would not know your password and would be forced to (very slowly!) guess every possible password in order to find it.
We prevent brute force password attacks (where an attacker attempts to guess the password for an account many times in a row). We also help you choose stronger passwords by 1) requiring that passwords be eight characters or longer, and 2) specifically preventing you from using the top 2,085 most commonly used passwords. (It’s quite an interesting list, should you choose to Google it.)
Your data is encrypted at rest when stored on our servers. That means that even IF someone could break in and steal the hard drives where your data is stored, they couldn’t read it. Also, should you (sadly) choose to delete your YNAB account, all of your financial data is completely and irreversibly removed from the YNAB database. We do not simply mark your account as inactive. We completely destroy all account data. (To be clear, you explicitly request this nuclear deletion. If you happen to let your account lapse accidentally, we don’t assume you mean DESTROY ALL MY DATA. That’d be a horrible assumption.)
We retain account data for a period of time after an account expires, whether through trial expiration or subscription expiration, unless you delete your account as described above.
Once an account has become inactive beyond the period of time described below, we will delete its budget data – if you don’t need YNAB, we don’t need your account data, and you probably don’t want us to have it. (Keep in mind that if you cancel your account, it remains active until the end of your subscription. The timeline below doesn’t start until that subscription expires.)
We will delete accounts and their data:
- For an expired trial, a minimum of one hundred-twenty (120) days after the expiration of the trial;
- For an expired subscription, a minimum of three years after the expiration of the subscription.
Our entire infrastructure is built on Heroku, which in turn is built on the technology of Amazon Web Services (AWS). This is the same technology trusted by government agencies, including our favorite, the CIA. Amazon continually manages risk and undergoes recurring assessments to comply with industry standards. Heroku’s entire security policy is here. Amazon’s physical infrastructure (and thus Heroku’s), are accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
PCI is an arduous security standard that companies must adhere to when processing credit cards. We use a PCI certified payment provider (Recurly) to process our credit cards, and have engineered our payment forms in such a way that your payment details are sent directly to Recurly’s systems rather than ours, further increasing security.
In order to provide Direct Import services, we partner with financial data aggregation specialists MX, Plaid, and TrueLayer. In the context of YNAB, data aggregation is the process of collecting your accounts and transaction data from your financial institution and transmitting it to YNAB. You authorize the aggregator to carry out this process on YNAB’s behalf. You can learn more about MX, Plaid, and TrueLayer’s individual security policies and practices on their websites. During this process, YNAB does not view or store your bank credentials, and instead relies upon our partners and their industry-leading security precautions to ensure your information is safe.
Some financial institutions enable Direct Import connections through a method called OAuth. OAuth allows YNAB to access your account and transaction data without you having to provide your online banking credentials to an intermediary—in this case MX, Plaid, or TrueLayer. Instead, you can authenticate directly with your financial institution, who gives permission (through a digital token) for MX, Plaid, or TrueLayer to receive the account and transaction information YNAB needs.
As a part of this OAuth process, you may be asked by your bank to authorize sharing information such as your name, street address, or phone number alongside your transaction data. We want to be clear on this point: As a part of this OAuth process, YNAB does not request, view, make use of, or store any data other than what’s required to process and display your accounts and transactions. That means that we will request and store individual transaction data (date, payee, amount, etc), as well as some account details (account name, balance, interest rate, etc), but we don’t request or store other personal information like your name, street address, or phone number. We’re not in the business of needing to know everything about you, and we’re proud of that.
All data sent between your computer and YNAB is bank-grade or better encryption. YNAB forces your browser to use an encrypted connection and won’t let your computer talk to our servers unless that connection is secure.
Specifically around the traffic encryption, we use 128-bit encryption (AES_128_GCM). This provides an extremely high level of encryption, considered industry standard.
We take advantage of a new security feature in your browser called “Content Security Policy” settings. This makes certain types of attacks against YNAB impossible.
Social Engineering Security
This massive technical feat resulting in a moat of fire-breathing space dragons surrounding your data is useless if someone cons you into handing them your username and password.
- No YNAB Team member will ever initiate communication with you and ask for your username or password. If someone asks you for either of those, it’s not us. Only provide your username and password when logging into YNAB.
- YNAB will always use https://app.ynab.com as the domain name. Always look for this when logging into YNAB, or following any link clicked from a bookmark or email.
Bug Bounty Program
We have also taken a page from companies like Google and Amazon, and have a public bug bounty program where we pay “good guy” hackers that find any vulnerabilities or weaknesses in our systems. If you would like to report a vulnerability, please do so on our Bugcrowd Bounty Page.