Safe as houses

At Tic:Toc we like our tech. One of the key pieces of technology we use in your online application is a data aggregation service called Envestnet Yodlee (Yodlee). We choose Yodlee because they're the best in the industry.

Yodlee is a US-based company founded in 1999 that provides digital financial solutions for over 20 million paid users and over 850 financial institutions and financial technology innovators; including Xero, Billguard, ANZ Money Manager and Personal Capital. 12 of the 20 largest US banks trust Yodlee for their services.

You can find Yodlee's general security statement here. Key US banking regulators perform examinations into Yodlee's practices, including the Office of the Comptroller of the Currency and Federal Financial Institutions Council.

Your banking login details are used by Yodlee (in Australia) for one sole purpose: to fetch read-only copies of your transaction history, direct from your banking site. As soon as your details have been entered and validated in the approval stage of your home loan application, they are encrypted, separated and securely stored. This happens in a matter of minutes and means they cannot be accessed by anyone (including Tic:Toc and Yodlee employees). Once your financial validation has been completed they are completely obliterated, never to be seen again.

Yodlee never see your credentials. As soon as you hit send, your details get encrypted and separated.

You're stored as a user with a Yodlee ID. Your ID has a password and a credential matched to it that is hashed and exists somewhere else; and then your transaction and financial data also sit somewhere else separate, and encrypted.

It is not possible for Tic:Toc to transfer, move or do anything else with your bank accounts aside from receiving a read-only copy of your transactions. We only see the information we need to approve your loan application – the same information you would supply us if you were submitting the documents manually. It’s just much faster this way.

We've chosen Yodlee because their live transaction data aggregation is the safest and most reliable method of providing automated transaction imports to Tic:Toc.

Segmentation

We have a large amount of network segmentation in our hosting environment. This means we split our networks into subnetworks and network segments, so our network structure isn’t visible from the outside. Almost like concealing your pack of Maltesers by hiding each delicious chocolate sphere in a separate spot in your bedroom.

In-Flight data security

Our encryption of information between you and Tic:Toc is provided by industry standard Transport Layer Security (TLS) 1.2. This is the current security encryption standard used by most banks in Australia.

At-Rest data security

All environmental servers are encrypted utilising AES-256 at the hardware layer.

Logging

All key actions on the application are centrally logged for auditing, monitoring and improving our services.

Secure code development

We follow industry best practices and standards such as OWASP and SANS. We have separate environments and databases for different stages of the application development and we don’t use production data in our non-production environments (duh).

Dedicated security team

We have a dedicated security operations centre, which is responsible for securing the application, identifying vulnerabilities and responding to security events.

Security policies

We have a suite of policies with supporting procedures, which have been aligned with the ISO 27001 standard. Our security documentation is frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats, as well as our commitment to continuous improvement.

We use several sources, including the NIST Cyber Security Framework as well as the Australian Cyber Security Centre, to help us to measure our ability to identify, protect, detect, respond and recover from security events.

Awareness and training

To be allowed entry into the inner circle, all staff (Tictockers) and contractors go through a vetting process where they are subject to background checks and confidentiality agreements. Where applicable as part of their role, they will also undertake training on security awareness and related topics.

You and you alone. You have a unique username and secure password (governed by a policy) that is only known to you.

Lots, and all the time. We do regular penetration and vulnerability testing, performed by independent accredited Security professionals, just to keep us on our toes. We also have procedures as well as many compliance obligations, which are continually tested and updated, to deliver quality and consistency to our IT security.

One of the best things about being 100% online, is we don’t have your bank statements and direct debit request forms floating around an office. Where assistants named Beryl sometimes leave papers at the edge of her desk, which get brushed onto the floor by Broker Darren as he walks by. Papers get muddled, Beryl gets yelled at, and so on and so forth.

Apart from having our documents stored securely in our data centres, we have other office security measures too. Such as:

• secure hosting (Tier 3 Data Centre with ISO 27001 and 9001 Accredited (Highlights)). If that made sense to you, feel free to peruse work with Tic:Toc;
• giant locks. Actually, they’re pretty standard sized, but we do need an access pass to get through the front door and up the elevator;
• CCTV;
• ear splitting alarms; and
• access control, so only the important people have access to the important places.

We’re certified secure!

At Tic:Toc we take your security seriously. So seriously in fact, that we got our whole team to undertake SOC 2 training. What is it? It’s a rigorous auditing procedure that ensures our services securely manage your data, and we’ve passed! Showing we’re legit in protecting your privacy.

This is not just a box we ticked, SOC 2 informs how we manage our customers’ information. The ‘trust service principles’ of security, availability, processing, integrity, confidentiality, and privacy guide how we conduct our business ongoing…it’s like a promise to you that we don’t just care because it’s fashionable…we care because it’s essential.

You can read our privacy policy, which contains very interesting things, such as “what is credit information” and “how do we use your information” and “choc-chip cookies”. Actually, it’s the other type of cookies, which are less delicious, but more important. Apparently.

Check out our privacy policy.

Good for you, we're knowledge hunters too. Please let us know any other concerns or questions that you have via let's talk.