Security at Routable

We’ve built Routable according to the highest security standards and offer industry-leading administration and access management tools.

Security & Privacy

There’s nothing more important to us than providing a secure and protected product. Routable’s security program follows ISO 27005 risk-management guidance and holds SOC 2 Type II attestation, and we conduct comprehensive audits of our applications, systems, and networks to ensure that your data is always protected.

Product Security & Reliability

Routable offers many security features, including Single Sign-On, role-based access controls (RBAC), and access management across multiple workspaces to ensure best-in-class protection.

Single Sign On 

Routable supports Single Sign-On (SSO) with Google Workspace (formerly Google Apps), built on OAuth 2.0.

Role-Based Access Controls

Access to data within the Routable application is governed by role-based access controls (RBAC). Routable defines several permission levels for users: Admin, IT Admin, Creator, Approver, Vendor/Customer Manager, Collaborator, and Developer.

Alerts for suspicious login activity

As an additional measure of security, Routable emails members whose sign-in deviates from their usual pattern, for example a sign-in from an unusual IP address or from a new device.
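
The kind of baseline-and-deviation logic such an alert rests on, shown as an added example that is not Routable’s detection code. It replays constructed sign-in events in time order, builds a per-user baseline of source networks and devices, and flags a sign-in once a user has an established history and either the network or the device is new. The event fields, the /24 (IPv4) and /64 (IPv6) network granularity, and the three-login baseline are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Added example: illustrative sign-in anomaly logic, not Routable's own
# implementation. Event fields, network granularity and the baseline size
# below are assumptions.

MIN_BASELINE_LOGINS = 3


def network_of(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so that ordinary
    address churn inside one network does not raise an alert."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def flag_unusual_logins(events):
    """Replay sign-in events in time order, build a per-user baseline of
    networks and devices, and return (user, ts, reasons) for deviations."""
    baseline = defaultdict(lambda: {"networks": set(), "devices": set(), "count": 0})
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        profile = baseline[ev["user"]]
        net = network_of(ev["ip"])
        reasons = []
        # Only judge a sign-in once the user has enough history to compare against.
        if profile["count"] >= MIN_BASELINE_LOGINS:
            if net not in profile["networks"]:
                reasons.append("unusual network")
            if ev["device"] not in profile["devices"]:
                reasons.append("new device")
        if reasons:
            alerts.append((ev["user"], ev["ts"], reasons))
        # Every sign-in, flagged or not, extends the baseline.
        profile["networks"].add(net)
        profile["devices"].add(ev["device"])
        profile["count"] += 1
    return alerts


# Constructed sample events (documentation-range IPs, fictional users).
SAMPLE_EVENTS = [
    {"user": "alice", "ip": "203.0.113.10", "device": "dev-a1", "ts": 100},
    {"user": "alice", "ip": "203.0.113.11", "device": "dev-a1", "ts": 200},
    {"user": "alice", "ip": "203.0.113.12", "device": "dev-a1", "ts": 300},
    {"user": "alice", "ip": "203.0.113.55", "device": "dev-a1", "ts": 400},  # same /24, same device
    {"user": "alice", "ip": "198.51.100.7", "device": "dev-a1", "ts": 500},  # new network only
    {"user": "alice", "ip": "198.51.100.7", "device": "dev-z9", "ts": 600},  # new device only
    {"user": "bob", "ip": "192.0.2.4", "device": "dev-b1", "ts": 150},       # no baseline yet
    {"user": "bob", "ip": "192.0.2.9", "device": "dev-b2", "ts": 250},
]

if __name__ == "__main__":
    for user, ts, reasons in flag_unusual_logins(SAMPLE_EVENTS):
        print(f"alert: user={user} ts={ts} reasons={reasons}")
```

In the sample, alice’s fourth sign-in from the same /24 and device raises nothing, the fifth raises an "unusual network" alert, and the sixth raises "new device" only, because the new network was already folded into her baseline; bob never has enough history to be judged. A production version would also age out old entries and feed the reasons into the notification email rather than printing them.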

Password and Credential Storage

Routable enforces a password complexity standard and stores credentials using industry-recognized encryption methods.
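
The page does not name the complexity rules or the storage method. As an added example (not Routable’s code), the block below shows what a practitioner would expect behind such a statement: a policy check that reports every rule a password fails, and storage as a salted, memory-hard scrypt hash rather than reversible encryption, with the cost parameters and salt kept beside the digest so the cost can be raised later. The minimum length, the character-class rules, the scrypt parameters and the `scrypt$n$r$p$salt$digest` storage format are assumptions.

```python
import base64
import hashlib
import hmac
import os
import re

# Added example: complexity check plus salted scrypt password hashing using
# only the standard library. Policy thresholds, scrypt parameters and the
# storage string format are assumptions, not Routable's documented scheme.

MIN_LENGTH = 12
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # ~16 MiB per hash


def check_password_policy(password: str) -> list:
    """Return the list of policy rules the password fails (empty means OK)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    return failures


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a one-way scrypt hash; store parameters and salt alongside it so
    verification still works after the cost is raised for new hashes."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored next to the digest and compare in
    constant time; any malformed record verifies as False."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "Correct-Horse-Battery-9"
    print("policy failures:", check_password_policy("password"))
    record = hash_password(pw)
    print("stored:", record)
    print("verify:", verify_password(pw, record))
```

`hmac.compare_digest` keeps the comparison constant-time, and the stored record carries its own `n`, `r`, `p` values, which is what lets old hashes keep verifying while new ones are created with a higher cost.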

Cloud Security

Routable’s security and availability architecture is built on SOC 2 Type 2, CIS hardening benchmarks, and other best practice data protection controls.

Physical Security & Data Hosting

  • Routable’s services and data are hosted in Amazon Web Services (AWS) data centers in the United States.

  • AWS data centers provide failover and disaster recovery, Virtual Private Cloud (VPC) network isolation, backups, and monitoring.

Dedicated Security Team

Routable’s Security Team is on call 24/7 to respond to security alerts and events.

Intrusion Detection and Prevention

Routable has designed multiple layers of security monitoring to detect anomalous behavior. When incidents and security events exceed predetermined thresholds, our 24/7 on-duty security team acts on them.

We also conduct annual penetration tests, perform regular vulnerability scanning, and have a detailed security incident response plan. 

Permissions and Authentication

Access to customer data is limited to authorized privileged employees who require it for their job responsibilities.

Data In Transit

Routable forces HTTPS for all services. Using Transport Layer Security (TLS), we encrypt sensitive data moving between our platform, our partners, financial institutions, and your application. All client communication with the Routable API requires API key authentication and uses cryptographically hashed headers and timestamps to verify the authenticity of each request.
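
The page describes key-based authentication with hashed headers and timestamps but not the exact format. The block below is an added example of the generic pattern behind such a scheme, not Routable’s documented API format: the client binds the method, path, timestamp and a SHA-256 of the body into one canonical string and signs it with an HMAC keyed by the API secret; the server looks up the secret by key ID, rejects timestamps outside a replay window, recomputes the HMAC and compares it in constant time. The header names, the canonical-string layout and the 300-second window are assumptions.

```python
import hashlib
import hmac
import time

# Added example: a generic HMAC request-signing scheme. This is an assumed
# format for illustration, not Routable's documented API authentication.

REPLAY_WINDOW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> str:
    """Bind method, path, timestamp and a SHA-256 of the body into one string
    so that changing any of them invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(api_key, api_secret, method, path, body, timestamp=None):
    """Client side: produce the authentication headers for one request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    message = canonical_string(method, path, ts, body).encode()
    signature = hmac.new(api_secret.encode(), message, hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-Timestamp": str(ts), "X-Signature": signature}


def verify_request(secrets, headers, method, path, body, now=None):
    """Server side: look up the key, reject stale timestamps, recompute the
    HMAC over the request as received and compare in constant time.
    Returns (accepted, reason)."""
    now = int(time.time()) if now is None else int(now)
    secret = secrets.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret.encode(),
                        canonical_string(method, path, ts, body).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


# Constructed demo credentials (not real keys) and a constructed request.
SECRETS = {"key_demo": "s3cr3t-demo-secret"}


def demo():
    body = b'{"amount": 100}'
    headers = sign_request("key_demo", SECRETS["key_demo"], "POST", "/v1/payments",
                           body, timestamp=1_700_000_000)
    # The server sees the request 10 seconds later, well inside the window.
    return verify_request(SECRETS, headers, "POST", "/v1/payments", body, now=1_700_000_010)


if __name__ == "__main__":
    print(demo())
```

Because the body hash is part of the signed string, altering the payload in transit breaks the signature, and because the timestamp is both signed and bounded, a captured request cannot be replayed once the window has passed. The check order (key, timestamp, then HMAC) keeps the cheap rejections first, and `hmac.compare_digest` avoids leaking which bytes of a forged signature matched.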

Routable uses 256-bit AES encryption (AES-256), the same standard employed by international financial institutions and the U.S. government.

Data at Rest

All sensitive data is encrypted in transit and at rest. We reject any connection to Routable unless TLS encryption is in place and configured properly, and we protect data on our servers and in our databases with layered security controls.

Application Security

Routable practices extensive processes and controls to ensure application security. All Routable engineers utilize common best practices defined by standards like OWASP, NIST and CIS Benchmark.

Secure Code Development (SDLC)

Routable engineering adheres to industry-standard secure coding practices, such as those recommended by OWASP.

Framework Security Controls

Routable leverages modern and secure open-source frameworks with security controls to limit exposure to the OWASP top security risks, and uses scanning tools to improve the overall security of our dependencies.

Quality Assurance

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments

Testing and staging environments are logically separated from the production environment. No service data is used in our development or test environments.

Bug Bounty program / Routable Responsible Disclosure Policy

If you believe you've discovered a potential vulnerability, please let us know by emailing us at security@routable.com. We will acknowledge your email within 24 hours.

  • Please provide us with as much information as you can about the vulnerability, so that we can validate and potentially reproduce it. Ideally, please send us the location and potential impact of the vulnerability.

  • Please give us a reasonable amount of time to resolve the issue before disclosing it publicly or to a third party. We aim to resolve critical issues within 7 days of receiving the report.

  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Routable service. Please only interact with accounts you own or for which you have explicit, documented permission from the account holder.

  • We understand the hard work that goes into security research. We'll show our appreciation in the best way we can, based on the effort needed, criticality of the issue, and the responsible disclosure of the potential vulnerability.

Exclusions: While researching, we'd like you to refrain from:

  • Distributed Denial of Service (DDoS)

  • Spamming

  • Social engineering or phishing of Routable employees or contractors

  • Any attacks against Routable's physical property or data centers

Test types that are excluded from this scope:

  • 3rd party providers and services

  • UI & UX bugs and spelling mistakes

If you'd like to encrypt the information you send to us, please download our PGP key.

Thank you for helping to keep Routable and our customers safe!

Employee Security

At Routable we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and multiple administrative controls.

New Hire & Annual Security Training

Every Routable employee receives general security awareness training during onboarding, and annually, while technical and engineering employees receive regular training on secure development practices.

Phishing Specific Training

Employees receive risk-based phishing training campaigns, targeted using their scores from initial, annual, or quarterly training.

Information Security Policies and Procedures

Every employee acknowledges our annually reviewed information security policies.

Employee Endpoint Protection and Anti-virus

Every employee device is equipped with device management software, antivirus protection, and endpoint detection and response capabilities.

Enforced Standards for Employee Device Configuration 

Employee devices are centrally managed, configured, and monitored for deviations from the approved configuration settings. 

Compliance

Routable has built its Information Security Management System on industry-recommended controls so that best-practice protections are implemented according to industry standards, and we comply with applicable local, state, and federal regulations as well as industry standards.

SOC 1 & SOC 2 Type 2

Routable holds SOC 1 and SOC 2 Type II attestation reports. If you are interested in receiving a report, please contact us or visit https://security.routable.com/.

All Routable funding partners are AICPA SOC 2 certified and compliant. Our data storage and network architecture was configured to satisfy the requirements of the most security-sensitive organizations. Learn more: SOC 2 compliance, Dwolla security documentation, Plaid security documentation.

Security and Compliance Status Dashboard

Security compliance reports, questionnaires, penetration tests reports, and facts about Routable’s security program can be requested through our portal: security.routable.com.

CSA Star Registry

Routable is designated Level 1: Self-Assessment, based on the Cloud Controls Matrix (CCM) or the Consensus Assessments Initiative Questionnaire (CAIQ).

Privacy & Data Protection

Privacy Policies

Legal Resources

For information on Routable’s legal and privacy terms, please visit Routable Terms of Service