- We at Decision Fish LLC take security extremely seriously. We have made a significant investment in security precautions for Decision Fish at app.decisionfish.com (“DF”). This includes addressing relevant web application security risks, including the 2017 OWASP Top 10, the Identity Ecosystem Steering Group privacy and security requirements for protecting personally identifiable data, and other security precautions.
- We have hired an outside security consultant to: (1) identify application risks, including how data flows to third parties and how data is stored; (2) make recommendations on strategies to improve security now and to implement best practices for future development; and (3) perform a risk assessment to identify risk to the application and its data. We completed the initial analysis and implemented all its recommendations in February 2018.
- We intend to complete similar assessments annually or after major code releases. We also incorporate a security model around our development and deployment process including performing static code analysis (by computer) and code review (by humans) prior to every release.
- We begin with a robust approach to the platforms and systems on which app.decisionfish.com is built. Our hosting environment is Amazon Web Services (“AWS”), an industry leader in secure cloud services. We also use multi-factor (more than one category of credential is required to log in) and audited AWS login procedures. You can read the AWS security policy at https://aws.amazon.com/security/?hp=tile.
- We developed our application using the Ruby on Rails framework, which has many built-in features to help ensure application security.
- We adhere to application security best practices and continuously test for vulnerabilities and any defects in our code base including the 2017 OWASP Top 10, which enumerates the top ten most common vulnerabilities in application security.
- We have made significant investments to help protect the privacy and security of your personally identifiable information and financial data. Your data is secured with industry-standard 128-bit encryption as it travels to and from our servers over SSL, using key pairs. This reduces the risk of brute-force attack.
- In order to log in to Decision Fish, you must use a registered email address and mobile telephone number (two factors). If you fail to provide the correct code, we require increasingly long delays before another attempt can be made. We do not use passwords, so there is no risk of someone stealing them. No one from Decision Fish will ever contact you to get access to your email or cellphone. We will always use https://app.decisionfish.com as the web address for you to use when logging in.
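The escalating-delay behaviour described above can be implemented as a small per-identity throttle. The following is an added example written for this page, not Decision Fish's own code: the delay schedule (30 seconds, doubling, capped at one hour), the in-memory store and the `CodeAttemptThrottle` class name are assumptions chosen for illustration, and the clock is injected so the behaviour can be checked deterministically.

```ruby
# Added example (not Decision Fish's code): escalating delays between
# one-time-code attempts. Delay values and class name are assumed.

class CodeAttemptThrottle
  BASE_DELAY = 30      # seconds to wait after the first wrong code (assumed)
  MAX_DELAY  = 3600    # upper bound so the delay stops doubling (assumed)

  Record = Struct.new(:failures, :next_allowed_at)

  def initialize
    # identity (e.g. email) => Record; a real app would persist this server-side
    @records = Hash.new { |h, k| h[k] = Record.new(0, 0) }
  end

  # Delay enforced after `failures` consecutive wrong codes: 0, 30, 60, 120, ... capped.
  def self.delay_for(failures)
    return 0 if failures <= 0
    [BASE_DELAY * (2**(failures - 1)), MAX_DELAY].min
  end

  # Returns [:wait, seconds_remaining] while locked, [:wrong, delay_now_imposed]
  # on a bad code, or [:ok, 0] on success. `now` is a Unix timestamp in seconds.
  def attempt(identity, submitted_code, expected_code, now:)
    rec = @records[identity]
    remaining = rec.next_allowed_at - now
    return [:wait, remaining] if remaining > 0   # not counted as an attempt

    if constant_time_equal?(submitted_code, expected_code)
      @records.delete(identity)                  # success resets the counter
      [:ok, 0]
    else
      rec.failures += 1
      delay = self.class.delay_for(rec.failures)
      rec.next_allowed_at = now + delay
      [:wrong, delay]
    end
  end

  private

  # Compare every byte so timing does not reveal how many leading digits matched.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  t = CodeAttemptThrottle.new
  p t.attempt("user@example.com", "000000", "123456", now: 0)   # [:wrong, 30]
  p t.attempt("user@example.com", "123456", "123456", now: 10)  # [:wait, 20]
  p t.attempt("user@example.com", "123456", "123456", now: 30)  # [:ok, 0]
end
```

A request that arrives during the lock is rejected without touching the failure counter, so a caller cannot push the delay further up by hammering the endpoint; a correct code clears the record so a legitimate user starts fresh next time.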
- We trust MX and their industry-leading security precautions to import data from your financial institutions. We never access or store your banking credentials. Rather, when you connect to a financial institution, you are logging in through MX’s servers, not ours. We use the Atrium API from MX to access financial account information. MX is SOC2 Type II compliant, PCI DSS compliant, and continually re-encrypts data to keep it safe. You can find their security policies and practices on their website at https://www.mx.com/resources/2015/7/21/security-at-mx-how-we-protect-your-data
- Additionally, all actions on DF involving your financial institution accounts are non-transactional: your money cannot be moved, withdrawn or accessed on our system.
- Your data is stored by Decision Fish as long as you maintain an account with us. If you choose to delete your account, we will irreversibly destroy all of your data on our servers. If your subscription expires, we will destroy your data after 12 months.
Changes to this Policy