Security Guidelines

Last modified: October 09, 2019

Routable utilizes 256-bit AES standard encryption, which is also employed by international financial institutions and the U.S. government. All Routable funding partners are AICPA SOC2 certified and compliant. Our data storage and network architecture were configured to satisfy the requirements of the most security-sensitive organizations. Learn more: SOC2 compliance, Dwolla security documentation, Plaid security documentation.

Data In Transit

Routable forces HTTPS for all services. Using Transport Layer Security (TLS), we encrypt sensitive data moving between our platform, our partners, financial institutions, and your application. All client communication with the Routable API requires API key authentication and uses cryptographically hashed headers and timestamps to verify authenticity.
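The paragraph above describes API key authentication backed by hashed headers and a timestamp. The following is an added illustration of how such a scheme is typically built and verified; it is not Routable's own code and the page does not specify Routable's actual header names, canonical string, or freshness window, so `X-Api-Key`, `X-Timestamp`, `X-Signature`, the canonical-string layout, and the 300-second window are all assumptions. The client computes an HMAC-SHA256 over the method, path, timestamp and a digest of the body; the server rejects stale timestamps first (limiting replay) and then compares signatures in constant time.

```python
import hashlib
import hmac
import time

# Constructed credentials for illustration only; not real Routable keys.
API_KEY_ID = "example-key-id"
API_SECRET = b"example-shared-secret"

# Assumed freshness window: a request whose timestamp is more than this many
# seconds away from the server clock is rejected, which bounds replay.
MAX_CLOCK_SKEW = 300


def canonical_string(method, path, timestamp, body):
    """Build the exact string both sides sign: method, path, timestamp, body digest.

    Hashing the body (rather than embedding it) keeps the signed string small
    while still binding the signature to the full request payload.
    """
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest])


def sign_request(method, path, body, timestamp=None, secret=API_SECRET):
    """Client side: produce the authentication headers for one request."""
    ts = int(time.time()) if timestamp is None else timestamp
    msg = canonical_string(method, path, ts, body).encode()
    signature = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Api-Key": API_KEY_ID,      # assumed header name
        "X-Timestamp": str(ts),       # assumed header name
        "X-Signature": signature,     # assumed header name
    }


def verify_request(method, path, body, headers, now=None, secret=API_SECRET):
    """Server side: check the timestamp window, then the signature.

    Returns (accepted, reason). The timestamp is checked before doing any
    HMAC work so that obviously stale or malformed requests are cheap to drop.
    """
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside accepted window"
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"amount": "10.00"}'  # constructed sample payload
    headers = sign_request("POST", "/v1/payments", body)
    print(verify_request("POST", "/v1/payments", body, headers))            # (True, 'ok')
    print(verify_request("POST", "/v1/payments", body + b" ", headers))     # signature mismatch
    print(verify_request("POST", "/v1/payments", body, headers, now=int(time.time()) + 1000))
```

On the server, a verified request should additionally be deduplicated within the window (for example by caching seen signatures for `MAX_CLOCK_SKEW` seconds) if exact-once semantics matter, since a timestamp window alone only shortens the replay opportunity rather than removing it.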

Data at Rest

All sensitive data is encrypted in flight and at rest. We prohibit any connection to Routable unless encryption (SSL/TLS) is in place and configured properly. Using sophisticated security controls, we protect data on our servers and in our databases.

NSA Suite B Aligned Cryptography

Routable utilizes some of the best-practice standards released by the NSA to secure our customers' financial data.

Coding guidelines

Routable engineering adheres to industry-standard secure coding practices, such as those recommended by OWASP.

Routable Responsible Disclosure Policy

  • If you believe you've discovered a potential vulnerability, please let us know by emailing us at security@routable.com. We will acknowledge your email within 24 hours.

  • Please provide us with as much information as you can about the vulnerability, so that we can validate and potentially reproduce it. Ideally, please send us the location and potential impact of the vulnerability.

  • Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within 7 days of disclosure.

  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Routable service. Please only interact with accounts you own or for which you have explicit, documented permission from the account holder.

  • We understand the hard work that goes into security research. We'll show our appreciation in the best way we can, based on the effort needed, criticality of the issue, and the responsible disclosure of the potential vulnerability.

Exclusions: While researching, we'd like you to refrain from:

  • Distributed Denial of Service (DDoS)

  • Spamming

  • Social engineering or phishing of Routable employees or contractors

  • Any attacks against Routable's physical property or data centers

Test types that are excluded from this scope:

  • Third-party providers and services

  • UI & UX bugs and spelling mistakes

If you'd like to encrypt the information you send to us, please download our PGP key.

Thank you for helping to keep Routable and our customers safe!