Here at Birch, security is our primary concern. We gather only the information we need to provide you a world class financial management product and safeguard that information as securely as possible. That security comes in various layers.
Between You And Birch
When you connect to Birch from your Browser or Mobile Device, all information (including data you send like usernames/passwords, as well as financial data we send to you) is encrypted over TLS (Transport Layer Security). This encryption renews every time you log onto Birch and gets verified by our CA (Certificate Authority) GoDaddy Inc whenever you login, confirming that you are talking to the real Birch. We keep this system up to today's security standards, and you can find more specific information from your browser by clicking the lock icon in Safari or Chrome, as well as developer information in other browsers to see exactly what technologies are at work protecting your data.
While entering Birch's network, your data passes through a swath of security tests to confirm its legitimacy and integrity. If we or any of our security partners detect tampering or any anomalies, we will terminate the session and security keys, forcing your browser to reconnect, re-secure itself with TLS, and you to re-authenticate with Birch.
Birch maintains multiple zones of security to ensure fast and easy access to appropriate data and secure protection to confidential data. When you interact with Birch, you send and receive data with our outer layer of servers, which contain our websites themselves and provide you with the webpages and tools you use within all of Birch's offerings. These servers also act as a gatekeeper between you and our internal network containing your data. They handle authentication (when you login to birch), monitoring (make sure you are the only one accessing the service over your connection), and the processing of your data (generating the webpages and tools that you use from Birch). These servers are rotated and updated regularly to ensure security.
When requesting a page or service from Birch which contains confidential, financial, or personal data, these servers then interact with our internal zone. This zone does not have a connection to the Internet and only specific servers can request data. Once authenticated with the internal zone, the server fetching your information only has access to the data pertaining to you, the logged in user, and often in read or write only format. All our databases are encrypted both internally and while the data is in transit. Just like between you and Birch, our servers and databases all encrypt data over TLS to secure data on the move. Our database keys are managed outside the database and access to both is required to retrieve any data. All backups, performance replicas, and secondary data stores are encrypted in the same manner.
Because security isn't just against outsiders, Birch Employees also conform to an access based approach to data, with limited or anonymized access only when necessary. Each and every access to internal data is logged and requires our employees to be on-premises or connected to the Birch network over a VPN (Virtual Private Network). We use your data and its metadata to provide you support (troubleshooting a connection to your bank), gather anonymous data to improve the quality of our service (retrieve the names of credit cards to determine the next cards to research and add to Birch), and test new features. The organization and access protocols used by Birch mirror the methods used by major corporations and are constantly evolving to maintain current security standards.
Lastly, all Birch data is secured physically within datacenters maintained by AWS (Amazon Web Services). We distribute our data between data centers and regions for both security and efficiency. Currently all data is maintained within the country of origin, as of this writing all data is maintained within the United States of America.
Between Birch and Partners
Birch works with many third parties to provide you services. While many connections are dependent on the provider, we take security into account when choosing and connecting with these services.
To Connect To Your Banks
Birch uses Plaid Inc. to connect to your financial institutions and retrieve your account and transactional data. We connect to Plaid over the same TLS connection we use within our networks and between you and Birch. Plaid maintains their own connections to financial institutions and you can read about their security on their website. When you connect your bank account with Birch, we immediately create a connection with Plaid to establish a link with your bank. Once approved by your bank and Plaid, sometimes requiring MFA (multi-factor authentication, like a security question or text message code), Birch receives a secure token to use instead of your username and password when communicating with Plaid and your bank. Therefore, Birch never stores or transmits your username or password, just the token provided by Plaid and our credentials and white-listed address. This token allows us to query Plaid and your bank to receive updated transactional and account data in a read only format. Plaid also communicates with Birch to update us on new transactions, deleted transactions, and account errors. All Plaid -> Birch communication occurs with the same TLS encryption used throughout Birch and is whitelisted to Plaid's servers to only allow access from Plaid.
To Send You Emails
Birch uses MailChimp to send you both grouped and transactional email which may contain personal financial information. Our connection with MailChimp and its services is over a secure TLS connection and uses server level access tokens to allow only servers authorized to send email access. All email (both content and metadata) is audited to ensure only official email is sent.
Birch works with other partners directly through automated and non-automated means. Any information sent to our partners is secured within transit, as well as with legal policies. Any data shared with partners is anonymized and no personal details are shared.
If you have any questions regarding our security or operation, please contact us at firstname.lastname@example.org.