Skip to content
Introduction
- We at Decision Fish LLC take security extremely seriously. We have made a significant investment in security precautions for Decision Fish at app.decisionfish.com (“DF”). This includes addressing relevant web application security risks, including the 2017 OWASP Top 10, the Identity Ecosystem Steering Group privacy and security requirements for protecting personally identifiable data, and other security precautions.
Security Audits
- We have hired an outside security consultant to: 1. Identify application risks including how data flows to third parties and how data is stored; 2. make recommendations on strategies to improve security currently and to implement best practices for future development; and 3. perform a risk assessment to identify risk to the application and its data. We completed the initial analysis and implemented all its recommendations in February 2018.
- We intend to complete similar assessments annually or after major code releases. We also incorporate a security model around our development and deployment process including performing static code analysis (by computer) and code review (by humans) prior to every release.
Platform Security
- We begin with a robust approach to the platforms and systems on which app.decisionfish.com is built. Our hosting environment is Amazon Web Services (“AWS”), an industry leader in secure cloud services. We also utilize multi-factor (more than one category of credentials is required to login) and audited AWS login procedures. You can read the AWS security policy: https://aws.amazon.com/security/?hp=tile.
Application Security
- We developed our application using the Ruby on Rails framework, which has many built-in features to help ensure application security.
- We adhere to application security best practices and continuously test for vulnerabilities and any defects in our code base including the 2017 OWASP Top 10, which enumerates the top ten most common vulnerabilities in application security.
Data Security
- We have made significant investments to help protect the privacy and security of your personally identifiable information and financial data. Your data is secured with industry-standard 128-bit encryption as it travels to and from our servers with SSL based on key pairs. This reduces the risk of brute-force attack.
- Decision Fish Employees normally don’t access your data. However, a small number of technical staff have access to your personal or account data, as needed. An employee will only do so when you ask us to, for example to address a login problem, or when required by law. We document when we do this and why. All access to personal and account data is logged and audited. Please see our Privacy Policy to learn about how we may share data in aggregate and with personally identifiable information removed.
- In order to login to Decision Fish, you must use a registered email and mobile telephone number (two-factors). If a you fail to provide the correct code, we require increasingly long delays before another attempt can be made. We do not use passwords so there is no risk of someone stealing them. No one from Decision Fish will ever contact you to get access to your email or cellphone. We will always use https://app.decisionfish.com as the web address for you to use when logging in.
- We trust MX and their industry-leading security precautions to import data from your financial institutions. We do not ever access or store your banking credentials. Rather, when you connect to a financial institution, you are logging in using MX’s servers, not our servers. We use the Atrium API from MX to access financial account information. MX is SOC2 Type II compliant, PCI DSS compliant, and continually re-encrypts data to keep it safe. You can find their security policies and practices on their website at: https://www.mx.com/resources/2015/7/21/security-at-mx-how-we-protect-your-data
- Additionally, all actions on DF involving your financial institution accounts are non-transactional: Your money cannot be moved, withdrawn or accessed on our system.
- We use cookies to store information about the current session. These cookies expire after about 30 minutes of inactivity. We use Google Analytics cookies to track activity, define browser version, device, etc. We trust Google Cloud security protocols to protect this information. Google Analytics stores session data which we study to improve the user experience of our app. Since this may include potentially personally identifiable data such as your IP address, we are evaluating Google’s suggestions for minimizing risk of exposure including the forthcoming GDPR requirements of the European Commission These data are accessible by a very small number of administrative staff and is never shared, except as described in our Privacy Policy. Read Google Analytics security and privacy policies: https://support.google.com/analytics/answer/6004245. Read about Google’s suggestions for GDPR compliance: https://www.google.com/cloud/security/gdpr/.
- Your data is stored by Decision Fish as long as you maintain an account with us. If you choose to delete your account, we will irreversibly destroy all of your data that are on our servers. If your subscription expires, we will destroy your data after 12 months.
Changes to this Policy
- We’ll let you know if we make changes to this Security Policy by any of the notification methods set forth in our Terms of Use, under Changes to this Policy.