Envestnet | Yodlee Security Office

Security

We adhere to leading financial industry practices for security, privacy, risk, and compliance management.

Financial Data Security

Envestnet | Yodlee adheres to leading financial industry practices for security, privacy, risk, and compliance management. As a technology service provider to leading global financial institutions and innovators, Envestnet | Yodlee follows the security and risk management standards required to engage with consumers and their financial data. Yodlee is examined by the US Federal Banking Agencies, per the Bank Service Company Act, for the services provided to U.S. financial institutions. That same Financial Data Platform is leveraged for all Envestnet | Yodlee customers, so they benefit from the full breadth and rigor of Yodlee’s risk management programs. In addition, Yodlee has undergone nearly 200 audits by financial institutions in the most recent 24-month period. Envestnet | Yodlee is committed to its security infrastructure in the industry.

Envestnet | Yodlee has been a leading provider of cloud-based financial technology services to global financial institutions and innovators for almost two decades. Our risk programs meet not only their expectations, but also some of the most stringent security, privacy and compliance standards in the world.

Information Security

Yodlee’s Security Office focuses on three main areas of security:

  • Information Security
  • Network Security
  • Application Security

The team manages a comprehensive program of risk-driven policies and procedures to maximize the Information Security Program (ISP), including guidelines and frequent audits. The ISP covers all aspects of the Production, Development, Staging, and Corporate environments as well as vendor relations, BCP, and personnel management.

 

Risk Management

Yodlee prioritizes its comprehensive risk management program designed to intelligently focus resources and efforts to minimize security risk profiles. The process consists of formal risk assessments at the organizational and product level. In addition, risk management is incorporated into all facets of our processes, including integration with application development, data center operations, and internal security processes.

 

Disaster Recovery

Yodlee has formal DR programs for our internal services and our clients’ applications. Our approach requires regular tests of our internal DR and annual testing with clients of their DR option. Our client DR options include contracted RPO and RTO designed to map to our clients’ requirements.

 

Best Practices

Yodlee follows industry best practice guidelines in the design and implementation of our network security environment. We use zones to separate our Production, Staging, Development, Corporate, and specialty networks from each other with access control devices between each zone. We further segment networks within each zone in order to apply granular security and audit controls appropriate to each function. Other key controls include:

  • Central bastion hosts
  • Multi-factor authentication
  • Resilient and redundant infrastructure
  • Data encryption
  • Centralized Security Incident and Event Management (SIEM)
 

Skyhigh Enterprise-Ready


Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.

 

Yodlee’s Compliance with Banking Standards

As a technology service provider to leading global financial institutions and innovators, Envestnet | Yodlee follows the security and risk management standards required to engage with consumers and their financial data. Yodlee is examined by the US Federal Banking Agencies, per the Bank Service Company Act, for the services provided to U.S. financial institutions. For US-based financial institutions, our Report of Examination (RoE) is available from your regulator. On July 10, 2012, the FFIEC issued an information-only document on Outsourced Cloud Computing. They state this type of deployment is subject to the same risk considerations and oversight requirements as more traditional outsourcing arrangements.

 

As the leading provider of personal finance management applications, a pioneer in bringing SaaS applications to the financial industry and an FFIEC supervised Technology Service Provider, Yodlee has been addressing the questions and concerns of outsourced cloud computing for over a decade. We are very pleased that the FFIEC has provided their opinion to help guide institutions as they work to evolve their service provider oversight programs to allow them to capitalize on the benefits of cloud-based services while maintaining their risk posture and adhering to their compliance obligations. More about this process can be found here.

Vulnerability Report Program

We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this web page – to enable us to remediate the issues and protect the Envestnet ecosystem. We have developed this program to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.