Routable utilizes 256-bit AES standard encryption, which is also employed by international financial institutions and the U.S. government. All Routable funding partners are AICPA SOC2 certified and compliant. Our data storage and network architecture was configured to satisfy the requirements of the most security-sensitive organizations. Learn more about SOC2 compliance. Dwolla security documentation. Plaid security documentation.
Routable forces HTTPS for all services. Using Transport Layer Security (TLS), we encrypt sensitive data moving between our platform, our partners, financial institutions, and your application. All client communication with the Routable API requires API key authentication and utilizes cryptographically hashed headers and timestamps to verify authenticity.
All sensitive data is encrypted in flight and at rest. We prohibit any connection to Routable unless encryption (SSL/TLS) is in place and configured properly. Using sophisticated security controls, we protect data on our servers and in our databases.
Routable utilizes some of the best-practice standards released by the NSA to secure our customers' financial data.
Routable engineering adheres to industry-standard secure coding practices, such as those recommended by OWASP.
If you believe you've discovered a potential vulnerability, please let us know by emailing us at security@routable.com. We will acknowledge your email within 24 hours.
Please provide us with as much information as you can about the vulnerability, so that we can validate and potentially reproduce it. Ideally, please send us the location and potential impact of the vulnerability.
Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within 7 days of disclosure.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Routable service. Please only interact with accounts you own or for which you have explicit, documented permission from the account holder.
We understand the hard work that goes into security research. We'll show our appreciation in the best way we can, based on the effort needed, criticality of the issue, and the responsible disclosure of the potential vulnerability.
Exclusions: While researching, we'd like you to refrain from:
Distributed Denial of Service (DDoS)
Spamming
Social engineering or phishing of Routable employees or contractors
Any attacks against Routable's physical property or data centers
Test types that are excluded from this scope:
3rd party providers and services
UI & UX bugs and spelling mistakes
If you'd like to encrypt the information you send to us, please download our PGP key.
Thank you for helping to keep Routable and our customers safe!