We take your security seriously.
Wealth Meta staff members use all the Wealth Meta apps for their own personal finances, so we collectively have "skin in the game". Our business model is focused on you as a customer, not you as a product.
About your password:
Your password is the most critical security measure protecting your account. Our recommendation is that you select a strong password and change it at least once a year.
In addition to setting a strong password we recommend enabling two-factor authentication under your profile. When that is enabled you will be texted a one-time code to your phone each time you sign in.
The email account you use for your Wealth Meta account allows password resets, so it protects your account as well. Again, our recommendation is that your email account is set up with a strong password (different from your Wealth Meta password), and that you change it at least once a year.
- We require your password to meet the following criteria:
  - At least 8 characters long.
  - Must not be on the list of common guessable passwords (e.g. 12345678).
  - Must not match your username or email.
- On our side, your password is stored as a one-way hash, not in a form that can be decrypted back to the original. We do not know your actual password; all we hold is the hash. Recovering the original password from it would be prohibitively time-consuming and expensive, if not impossible, for anyone, including hackers and nation states.
- We email you whenever someone logs into your account.
- When you reset your password, all other devices that were signed into your account are automatically logged out.
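To make the two points above concrete, here is a small worked example of a password policy check and one-way password storage. This is an added illustration, not Wealth Meta's own code: the three policy rules mirror the criteria listed on this page, but the storage scheme (PBKDF2-HMAC-SHA256 with a random per-user salt, the iteration count, and the `salt$hash` record format) is an assumption standing in for whatever one-way function the service actually uses, and the common-password list is a constructed sample.

```python
"""Password policy check and one-way storage (added example, not Wealth Meta code)."""
import hashlib
import hmac
import os

# Constructed sample of a "common guessable passwords" list. A real deployment
# would load thousands of entries from a breach-derived list.
COMMON_PASSWORDS = {
    "12345678", "password", "qwerty123", "iloveyou", "letmein1", "password1",
}

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware budget
SALT_BYTES = 16


def check_password_policy(password: str, username: str, email: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("must be at least 8 characters long")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is on the list of common guessable passwords")
    # Compare case-insensitively so 'Alice@Example.com' is still rejected.
    if password.lower() in (username.lower(), email.lower()):
        problems.append("must not match your username or email")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """One-way transform: returns 'salt_hex$hash_hex'.

    The password cannot be recovered from the record; the only way to check a
    login attempt is to recompute the hash with the same salt and compare.
    """
    salt = salt or os.urandom(SALT_BYTES)      # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    user, mail = "goldfish", "alice@example.com"   # constructed sample account
    for candidate in ["12345678", "short1", "alice@example.com", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password_policy(candidate, user, mail) or 'OK'}")
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:  ", verify_password("correct horse battery stapler", record))
```

The key property the page describes is visible in `verify_password`: the server never compares against the password itself, only against a recomputation of the one-way hash, and a database dump yields salts and hashes rather than passwords.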
A Wealth Meta staff person will never ask you for your password!
All data is encrypted in flight and at rest:
Our systems encrypt all traffic in transit using TLS (the protocol still commonly referred to as SSL), with a certificate that uses a 2048-bit RSA key. NIST approves 2048-bit RSA keys through 2030, and we will move to a larger key size a few years before then.
When data is saved on our systems it is encrypted with AES the instant it hits the disk. Data backups are encrypted using a 2048-bit RSA key. Even if someone physically broke in and stole our hard drives or backups, they would not be able to read the data without the encryption keys.
Access to user data is restricted to authorized staff members and logged:
We do not look at your personal data unless it is part of a support request that you initiated, and only staff members with sufficient clearance can do so. We log every access to customer data, including the start time, stop time and the reason, and our leadership team reviews these logs regularly.
How long we keep data:
When you delete a record in the system, it is a soft delete at first (which makes it hidden). Then 21 days later it is physically purged. This allows you to request an ‘un-delete’ just in case you made a mistake.
Inactive paid accounts are purged after 3 years (from the date of last activity or the end of the subscription, whichever is later).
Inactive trial accounts are purged after 2 years of inactivity.
If you wish to have your account purged ahead of that timeline please contact us.
Additional security practices:
- Our systems have built-in prevention of Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks.
- Our systems are protected by a firewall with automatic blacklisting of suspicious activity.
- We routinely patch and update our systems.
- All changes to our system go through a quality assurance cycle before going live.
Our hosting provider:
We use Amazon Web Services for hosting, which meets or exceeds dozens of industry standards for security and data protection. These include PCI DSS Level 1, ISO/IEC 27001, HIPAA, Sarbanes-Oxley (SOX), FedRAMP Moderate... Note that these certifications cover the AWS infrastructure itself; the application-level controls described on this page are our own responsibility.
Additional Precautions You Can Take:
You can take the following additional precautions in order to protect your online identity and account at Wealth Meta. Here are our recommendations:
- Pick an anonymous 'handle' as your username to identify yourself (for example the name of your pet, favorite food, or something amusing but not offensive).
- The same goes for your profile picture (don't upload your passport photo or anything sensitive that you don't want associated with your data, also keep it clean).
- Use an email address dedicated to your financial life only, not the same email you use for social media.
- Set a strong password you don't use anywhere else, and lock it in a password manager program that is backed up.
- Enable two-factor authentication under your profile. That way signing in takes both your password (something you know) AND your phone (something you have). For more see our post explaining how 2FA works.
- For more ideas on protecting yourself online, see our article Lock Your Digital Windows and Doors: Basics of Digital Security.
Your username, profile picture, email and password can all be changed under your profile at any time.