Income Laboratory, Inc. (“Income Lab”) holds the security of its applications and the protection of user data as top priorities. We regularly examine information security best practices and review our security policies and infrastructure to ensure we manage and minimize security risks.
to Customer Data
DATA CENTER SECURITY
Income Lab utilizes Amazon Web Services (AWS) cloud technology. This means that physical infrastructure is hosted and managed within Amazon’s secure data centers. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001, ISO 27017, ISO 27018
- SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3
- PCI DSS Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
- SEC Rule 17a-4(f)
AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. AWS facilities enjoy top-tier fire detection and suppression systems, redundant power systems, and climate control.
Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. Authorized staff must pass two-factor authentication (2FA) no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
We use PCI-compliant payment processor Stripe for encrypting and processing credit card payments. Income Lab’s infrastructure provider is PCI Level 1 compliant. Income Lab does not store or keep any credit card information on its servers.
Data in Transit
All data transmitted between your computer and our servers is encrypted using the industry-standard HTTPS protocol. All insecure connections are redirected to HTTPS. Our servers take advantage of Perfect Forward Secrecy (PFS) to protect data transmission for modern web browsers. With forward secrecy, the confidentiality of all past communication is maintained even when a long-term secret key is compromised.
Data at Rest
All stored customer information is encrypted using AES-256.
are not Stored
Income Lab users may establish links to account data via custodians or portfolio management systems, or via our account aggregation system.
We partner with Envestnet | Yodlee to provide client-credentialed account aggregation. Credentials entered when using account aggregation are managed by Envestnet | Yodlee. Income Lab does not store these credentials. We communicate with Yodlee via an encrypted data link. For additional information see Yodlee’s commitment to its clients and their customers.
Access to data through integrations you have set up between Income Lab and other data providers is managed through OAuth tokens or other technology, not through saved credentials. Authorization tokens can be revoked by the data provider for security purposes.
Income Lab takes security very seriously and investigates all reported vulnerabilities. If you would like to report a vulnerability or have a security concern regarding Income Lab services, please email [email protected]. Please provide full details of the suspected vulnerability so the Income Lab security team may validate and reproduce the issue.