Security

We're committed to securing your data

  • 2048-bit TLS

    2048-bit SSL/TLS

    All services require strong, modern TLS ciphers and verify certificates with third parties on each connection.

  • End-to-end Encryption

    All sensitive data (such as credentials to third parties) at Greenback is encrypted with AES-256 and is not accessible by public-facing services.

  • A+ Qualys Rating

    Bank-Level Security

    We strive to meet and exceed the best security practices using layers of protection and bank-level standards.

Experienced Team

Security is one of the biggest considerations in everything we do. At Greenback, security begins with the people engineering our product. Our executive team has years of experience founding and managing companies across the payment and telecommunications industries — which have strict security and compliance requirements.

COMBINED WITH

Security Best Practices

We strive to meet and exceed best security practices with your data. While the phrase "bank-level security" is widely used across the internet these days, it doesn't mean much without a description of what a company is doing under the hood. We will be transparent and upfront about how we secure your data. Review our Privacy Policy to learn more about what we collect from you and what we do with it.

  • HTTPS and HSTS for secure connections

    Greenback forces HTTPS for all services using TLS (SSL), including our public website and the Dashboard. When interacting with third-party providers such as Intuit, QuickBooks, Amazon, Gmail, etc., we connect over TLS and verify TLS certificates on each connection.

    We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with Greenback only over HTTPS. Greenback maintains the highest-level TLS rating per Qualys.

  • Encryption of sensitive data

    All sensitive data (such as credentials to third parties) at Greenback is encrypted on disk with AES-256. Master decryption keys are not permanently stored on any machine and must be manually supplied if we need to restart a handful of critical internal services. None of Greenback’s public-facing servers and daemons are able to obtain plaintext sensitive data. Greenback’s infrastructure for storing, decrypting, and transmitting sensitive data runs in separate hosting infrastructure, and doesn’t share any credentials with Greenback’s primary services (API, website, etc.).

  • Vulnerability disclosure and reward program

    Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Greenback’s security, please get in touch with us. We will respond as quickly as possible to your report.

    We request that you not publicly disclose the issue until it has been addressed by Greenback. We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a reward program for responsibly disclosed vulnerabilities.