Security
Built to protect what matters.
PiggyBack handles sensitive financial information. Our security program is designed from the ground up for that responsibility, aligned to the AICPA Trust Services Criteria, the FTC Safeguards Rule, the Massachusetts Data Security Regulation, and the Gramm-Leach-Bliley Act.
- Zero: bank credentials we store
- None: data sold or rented
- Never: advertising on Plaid data
How we protect your data
Encryption everywhere
All data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted with AES-256 using keys managed by Google Cloud. This applies to your account, your avoided-spend logs, and any bank data you choose to connect.
Authentication that holds up
PiggyBack never sees or stores your password. Authentication is handled by Firebase Authentication, Google's identity platform: where you use a password, it is cryptographically hashed and stored on Google Cloud infrastructure, never in plain text. You can also sign in with Google and skip passwords entirely. Multi-factor authentication is available to every user, and under our phased MFA rollout it will be required for users who connect a bank account. Internally, every privileged system requires MFA, with hardware security keys preferred where supported.
Least-privilege access
No one on our team has standing access to user data. Access is granted by role, on a need-to-know basis, with documented business justification, and is reviewed on a recurring cadence. Default posture is deny; permissions are added only when needed and removed promptly when no longer required.
Server-side enforcement
All writes to user data flow through our authenticated server-side APIs, never directly from the browser. Database security rules enforce a default-deny posture on every collection: a client can read only what a rule explicitly permits and cannot write at all, so the server, using privileged credentials, is the only write path. This architecture is what gives us the audit trail and authorization guarantees that fintech requires.
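The pattern described above, as an added illustration rather than PiggyBack's own ruleset (which this page does not publish): a Firestore security ruleset in which every client read is denied unless a rule explicitly grants it, and no client may write at all. The collection names `users` and `avoidedSpend` are assumed for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Helper: the caller is signed in and is the owner named in the path.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // A user may read their own profile document, nothing else.
    // No client may write: writes go through the server-side API, which uses
    // the Admin SDK and is therefore not evaluated against these rules.
    match /users/{uid} {
      allow read: if isOwner(uid);
      allow write: if false;

      // Rules do not cascade to subcollections, so the avoided-spend log
      // (assumed collection name) needs its own explicit match.
      match /avoidedSpend/{entryId} {
        allow read: if isOwner(uid);
        allow write: if false;
      }
    }

    // Catch-all for anything not matched above: denied to every client.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two caveats a reviewer would check. First, Firestore grants access if any matching `allow` evaluates to true and denies only when none does, so the catch-all does not override an earlier `allow`; it documents intent, and the real guarantee is that no rule anywhere permits a client write. Second, because the Admin SDK bypasses security rules entirely, the authorization checks and audit logging for writes have to live in the server-side API itself, which is exactly why routing every write through that API matters.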
Monitoring and incident response
Authentication, authorization, and administrative events are logged and monitored for anomalies. We maintain a written Incident Response Plan with defined triage and containment timelines, and we comply with all applicable breach notification laws — including Massachusetts M.G.L. c. 93H and the FTC Safeguards Rule notification requirement at 16 C.F.R. § 314.4(j).
How bank connections work
When you connect a bank account, the connection is handled by Plaid — the same industry-standard service used by Venmo, Robinhood, and most major fintech apps. PiggyBack never sees your bank password. Plaid authenticates with your bank on your behalf and shares only the information you authorize.
- You can unlink any account at any time. We immediately revoke the connection on Plaid’s side.
- We do not sell, rent, or license bank data to anyone.
- We do not use bank data for advertising targeting, ad serving, or any monetization outside the Service.
- You can manage every app connected to your bank via Plaid at my.plaid.com.
What we don’t collect
The most secure data is the data we never touch. We do not collect:
- Bank login credentials (those stay with Plaid and your bank)
- Full payment card numbers (Stripe handles those; we see only the last four digits)
- Social Security numbers from end users
- Precise geolocation (GPS) data
- Biometric identifiers
- Information from anyone we know to be under 13
Our infrastructure partners
We work only with vendors who can meet our security bar. Our critical infrastructure partners maintain SOC 2 Type II attestations or equivalent assurance, and are subject to contractual obligations that protect your information.
- Plaid: bank connectivity
- Google Cloud: authentication, database, and backend (via Firebase)
- Vercel: web application hosting
- Stripe: subscription billing
Standards we align to
AICPA Trust Services Criteria (SOC 2)
Our internal controls are designed against the SOC 2 framework, with formal audit on the roadmap.
FTC Safeguards Rule
As a financial institution under GLBA, we maintain a written Information Security Program meeting the FTC Safeguards Rule, including incident notification at 16 C.F.R. § 314.4(j).
Massachusetts 201 CMR 17.00
Our Written Information Security Program meets the Massachusetts Data Security Regulation. Affected residents are notified per M.G.L. c. 93H.
Gramm-Leach-Bliley Act
GLBA governs how we may use and disclose nonpublic personal information. Where state privacy laws are stricter, we apply the stricter standard.
Responsible disclosure
If you believe you’ve found a security vulnerability in PiggyBack, we want to hear from you. Please email security@piggybackfinance.com with details. We commit to:
- Acknowledging your report promptly
- Investigating and providing status updates
- Working with you in good faith on coordinated disclosure
- Not pursuing legal action against researchers acting in good faith and within the scope of these guidelines
Please do not access or modify other users’ data, disrupt the Service, or perform testing that could harm reliability for others.
For more on how we handle personal information, see our Privacy Policy. For your rights and our obligations as a service provider, see our Terms of Service.
