Safe as houses.
“How do they do it?” you ask. “What is their secret sauce?” we hear you say. Read on.
Our secure data partnership with a global leader.
At Tic:Toc we like our tech. One of the key pieces of technology our secure bot uses in your online application is a data aggregation service called Envestnet Yodlee (Yodlee). We chose Yodlee because they're the best in the industry.
Yodlee is a US-based company founded in 1999 that provides digital financial solutions for over 20 million paid users and over 850 financial institutions and financial technology innovators, including Xero, Billguard, ANZ Money Manager and Personal Capital. 12 of the 20 largest US banks trust Yodlee for their services.
You can find Yodlee's general security statement here. Key US banking regulators perform examinations into Yodlee's practices, including the Office of the Comptroller of the Currency and Federal Financial Institutions Council.
Your banking login details are used by Yodlee (in Australia) for one sole purpose: to fetch read-only copies of your transaction history, direct from your banking site. As soon as your details have been entered and validated in the approval stage of your home loan application, they are encrypted, separated and securely stored. This happens in a matter of minutes and means they cannot be accessed by anyone (including Tic:Toc and Yodlee employees). After a period of time (50 days) they are completely obliterated, never to be seen again.
When you input your credentials, Yodlee never actually sees them. As soon as you hit send, your details are encrypted and kept separate from that point on.
Yodlee stores you as a user with a Yodlee ID. Your password and credential are hashed and stored separately, matched to your user ID; your transaction and financial data sit somewhere else again, encrypted.
It is not possible for Tic:Toc to transfer, move or do anything else with your bank accounts aside from receive a copy of your transactions for you. We only see the information we need to approve your loan application – the same information you would supply us if you were submitting the documents manually. It’s just much faster this way. Like, Usain Bolt fast.
We've chosen Yodlee because we trust their live transaction data aggregation is the safest and most reliable method of providing automated transaction imports to Tic:Toc.
Our bank level security and encryption.
We have a large amount of network segmentation in our hosting environment. This means we split our networks into subnetworks and network segments, so our network structure isn’t visible from the outside. Almost like concealing your pack of Maltesers by hiding each delicious chocolate sphere in a separate spot in your bedroom.
In-flight data security
In a security nutshell, our encryption of information between you and Tic:Toc is provided by industry standard Transport Layer Security (TLS) 1.2. This is the current security encryption standard used by most banks in Australia.
At-rest data security
All servers in our environments are encrypted using AES-256 at the hardware layer.
All key actions on the application are centrally logged for auditing, monitoring and improving our services.
Secure code development
We follow industry best practices and standards such as OWASP and SANS. We have separate environments and databases for different stages of the application development and we don’t use production data in our non-production environments (duh).
Dedicated security team
We have a dedicated security operations centre, which is responsible for securing the application, identifying vulnerabilities and responding to security events.
We have a suite of policies with supporting procedures, which have been aligned with the ISO 27001 standard. Our security documentation is frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats, as well as our commitment to continuous improvement.
We use several sources, including the NIST Cyber Security Framework as well as the Australian Cyber Security Centre, to help us to measure our ability to identify, protect, detect, respond and recover from security events.
Awareness and training
To be allowed entry into the inner circle, all staff (Tictockers) and contractors go through a vetting process where they are subject to background checks and confidentiality agreements. Where applicable as part of their role, they will also undertake training on security awareness and related topics.
You and you alone. You have a unique username and secure password (governed by a policy) that is only known to you (please don’t post it on Twitter).
Lots, and all the time. We do regular penetration and vulnerability testing, performed by independent accredited security professionals, just to keep us on our toes. We also have procedures as well as many compliance obligations, which are continually tested and updated, to deliver quality and consistency to our IT security.
One of the best things about being 100% online is that we don’t have your bank statements and direct debit request forms floating around an office, where assistants named Beryl sometimes leave papers at the edge of their desk, which get brushed onto the floor when Broker Darren (who, having had a particularly large lunch, squeezes past in haste to get his footy tips in by 4pm). Papers get muddled, Beryl gets yelled at, and so on and so forth.
But apart from having our documents stored securely in our data centres, we have other office security measures too. Such as:
- Secure hosting (Tier 3 data centre, ISO 27001 and ISO 9001 accredited). If that made any sense to you at all, we applaud you: feel free to peruse work with Tic:Toc;
- Giant locks. Actually, they’re pretty standard sized, but we do need an access pass to get through the front door and up the elevator;
- Ear-splitting alarms; and
- Access control, so only the important people have access to the important places.
I have some more questions.