Connectivity to financial account data has dramatically increased the pace of financial innovation in recent years. As more innovative products and services are launched, it is critically important for data providers to offer safety and security in addition to scalability. That’s why Quovo designed our security policies from the ground up to ensure compliance with the highest quality standards in information and network security.
The Important Questions
Does Quovo sell my data?
No, Quovo does not sell any data to third parties.
Quovo exists to create the transparency that consumers need in order to make healthier financial decisions. This mission requires that we align our interests with both our partners and their clients, which makes reselling data a non-starter.
Where and how is my data stored?
Your data is stored on Quovo’s servers, which are hosted by Amazon Web Services (“AWS”) in a secure location that includes physical security, fire protection, and electronic shielding. Accessing the physical servers requires several levels of authentication, including biometrics, and security personnel monitor the system around the clock. Additionally, Quovo uses encryption at rest to ensure that even AWS personnel do not have access to sensitive data stored on their systems.
Where does my data go and how does it get there?
Once on Quovo’s platform, your data is transmitted exclusively to the websites and/or mobile applications where you have permitted access. All transmissions from Quovo are encrypted using strong TLS for web-based transfers or AES-256 for SFTP-based transfers.
When a new employee joins the Quovo team, our onboarding process ensures each employee is assigned access to Quovo systems in accordance with their position level and needs. This process includes a thorough criminal and credit background check, security awareness training, and corporate policy acceptance. Permissions to systems are assigned based on the role and job requirements of the individual and are reviewed regularly. All access levels are reviewed and appropriately updated or disabled whenever an employee changes roles or leaves Quovo.
Network & Data
Quovo’s systems are hosted within an AWS Virtual Private Cloud (VPC). Individual server instances are generated from stable images (AMIs), which are periodically refreshed. Servers utilize both Linux and Windows operating systems, and functionality is split between instances both for load balancing/failover purposes and for logical separation of application duties.
Access to AWS, along with all other Quovo systems, is governed by Quovo’s Information Security Policies. Access to Quovo’s underlying AWS environment is managed via AWS Identity and Access Management (IAM). The root account is strictly used for functions that mandate use of the root account, and all other administrative actions are performed under Quovo administrators’ unique accounts. User permissions to specific functions within AWS are provisioned as needed via IAM Policies.
All AWS and server logs are stored and reviewed along with other security events daily. General log behavior is reviewed on a quarterly basis (and more frequently if anomalous behavior is detected). All AWS logs are created and maintained in AWS; system logs are stored on a central log management server. Logs are retained for a minimum of one year and are archived to prevent modification of forensic data.
All servers in Quovo’s environment are monitored using host- and network-based Intrusion Detection Systems. Alert signatures are updated automatically on a daily basis. Event logs are reviewed and a trend analysis is performed daily. Additional application-level monitoring and alerting is used to ensure products and services continue to operate effectively.
Host-based firewalls are used in conjunction with AWS Security Groups. The AWS Security Groups provide perimeter protection and filtering between network segments and other Security Groups. Host-based firewalls provide more granular control between hosts and protocols. In both cases, whitelisting is used to authorize access to host services and all non-whitelisted access is denied. Network access to remote console services such as SSH is strictly monitored and restricted.
External Audit Reports
In order to provide assurance that Quovo’s security meets or exceeds industry and regulatory demands, Quovo submits to annual external security assessments. These assessments verify and test the existing security controls in use throughout Quovo’s network and products to ensure sensitive data is properly protected and processing performs reliably and consistently. Quovo recently completed the SSAE 16 Type 2 and SOC 2 Type 2 audits and received satisfactory opinion letters upon review of existing controls and policies.
Quovo utilizes a third-party service to conduct annual penetration testing against its public-facing systems. These tests are performed by qualified assessors and focus on different usage and attacker scenarios to address the most common attack threats against the platform. Findings or issues identified through this testing are prioritized and addressed based on their criticality.