
Income Lab is SOC 2 compliant. SOC 2 is an auditing procedure that ensures service providers securely manage data to protect the interests of the organization and the privacy of its clients. Income Lab users or those conducting due diligence may request a copy of our SOC 2 (Type II) report by contacting their account manager or [email protected].


Security is our priority
We regularly examine information security best practices and review our security policies and infrastructure to ensure we manage and minimize security risks.


All user access is password protected. Multiple consecutive incorrect login attempts will trigger the locking of an account and require a password reset. This helps protect user accounts from certain hacking attempts. All access to Income Lab application infrastructure is protected with two-factor authentication (2FA).

Regular Security

Income Lab application infrastructure is scanned and monitored regularly by independent security consultants to help ensure security best practices are followed.

Cannot Effect Financial Transactions

Income Lab software is used for creating, monitoring, and managing financial plans. The software cannot be used to effect financial transactions, open or close accounts, or in any way move money into, out of, or between financial accounts. Any account data viewed within Income Lab via data integrations that have been established by application users is read-only. Data integrations do not allow anyone to effect changes to or transactions within financial accounts.

Limited Scope of PII

As part of its risk management strategy, Income Lab does not ask for or store certain sensitive personally identifiable information (PII), such as Social Security numbers, full birthdates, account numbers, or addresses.

Limited Access to Customer Data

Income Lab staff does not access or interact with customer data as part of normal operations. There may be cases where Income Lab interacts with customer data at the request of the customer for support purposes or where required by law. Income Lab may also inspect customer data to debug and troubleshoot platform issues.


Income Lab offers organizations and individual users the option to greatly enhance the security of their accounts by requiring multi-factor authentication (MFA) for a successful login. MFA is a core component of a strong security stance and greatly decreases the likelihood of accounts being compromised by malicious actors.

Data Center Security

Income Lab utilizes Amazon Web Services (AWS) cloud technology. This means that physical infrastructure is hosted and managed within Amazon’s secure data centers. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

  • ISO 27001, ISO 27017, ISO 27018
  • SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3
  • PCI DSS Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)
  • SEC Rule 17a-4(f)

AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. AWS facilities enjoy top-tier fire detection and suppression systems, redundant power systems, and climate control.

Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. Authorized staff must pass two-factor authentication (2FA) no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.


We use the PCI-compliant payment processor Stripe for encrypting and processing credit card payments. Income Lab’s infrastructure provider is PCI Level 1 compliant. Income Lab does not store or keep any credit card information on its servers.

Data Security

Data in Transit

All data transmission between your computer and our servers is encrypted using the industry-standard HTTPS protocol. All insecure connections are redirected to HTTPS. Our servers take advantage of Perfect Forward Secrecy (PFS) to protect data transmission for modern web browsers. With forward secrecy, the confidentiality of all past communication is maintained even when a long-term secret key is compromised.

Data at Rest

All stored customer information is encrypted using AES-256.

Integration Credentials are not Stored

Income Lab users may establish links to account data via custodians or portfolio management systems, or via our account aggregation system.

We partner with Envestnet | Yodlee to provide client-credentialed account aggregation. Credentials entered when using account aggregation are managed by Envestnet | Yodlee. Income Lab does not store these credentials. We communicate with Yodlee via an encrypted data link. For additional information see Yodlee’s commitment to its clients and their customers.

Access to data through integrations you have set up between Income Lab and other data providers is managed through OAuth tokens or other technology, not through saved credentials. Authorization tokens can be revoked by the data provider for security purposes.

Vulnerability Management

Income Lab takes security very seriously and investigates all reported vulnerabilities. If you would like to report a vulnerability or have a security concern regarding Income Lab services, please email [email protected]. Please provide full details of the suspected vulnerability so the Income Lab security team may validate and reproduce the issue.
