Security Policy
Our commitment to your security and privacy
The security of your data and personal information is our top priority. We work hard to ensure that your data is kept safe.
Below is an overview of the steps we take, as well as details on what you can do to keep your account secure.
If you have a security issue you would like to report to us, please email us at help@ExPal.ca. We'll endeavour to respond promptly.
Application and Network Security
What we do to protect you
- We have a strong culture of review to make sure the code we write is robust and secure. We regularly revisit components of the app and harden them.
- We make sure that the connection between your device and our server is always encrypted, ensuring that nobody can intercept your communication.
- We use Cloudflare, a service that accelerates your experience and stops common attacks before they reach our servers.
How you can help protect yourself
- Ensure you use a modern device with an up-to-date operating system and web browser.
- If you have extensions installed on your web browser, make sure they are trustworthy.
- Avoid using the service over untrusted networks.
- If you log into your account on a device that isn't yours, make sure to use safe browsing mode and log out when finished.
Security of Stored Data
What we do to protect you
- All of your data is stored encrypted using AES-256 on our servers, and sensitive data such as your password is not stored as clear text.
- Our servers are managed within Amazon’s secure data centers, utilizing Amazon Web Services (AWS) technology.
- Amazon’s data center operations are accredited under ISO 27001, SOC 1 and SOC 2, PCI Level 1, and other industry standards.
How you can help protect yourself
- Use a strong login password.
- Turn on multi-factor authentication (MFA).
- Avoid entering sensitive information (e.g., bank credentials) in transaction notes.
Bank and Institution Feed Security
What we do to protect you
- We use Plaid to deliver bank feeds for our customers. We do not store any of your banking credentials.
- All bank and institution feed connections are read-only. We only gather your transactions and display them in ExPal.
How you can help protect yourself
- We recommend enabling multi-factor authentication (MFA) at your bank or financial institution.
Subscription Payment Details
What we do to protect you
- We don't store any card details used for billing your subscription; instead, we use Stripe.
How you can help protect yourself
There is nothing extra for you to do to protect yourself.
Multi-factor Authentication (MFA)
What we do to protect you
We offer multi-factor authentication to all users. When enabled, an additional code generated by your authenticator device will be required to log in.
How you can help protect yourself
Once logged in, you can enable multi-factor authentication.
Login History
What we do to protect you
ExPal logs all active sessions.
How you can help protect yourself
- We recommend monitoring your logs. If you spot any suspicious activity, ensure your devices are secure and change your password immediately.
- Consider ending active sessions if you lose your phone or no longer use a device.
Personnel
What we do to protect you
Only a strict subset of our personnel are able to access customer data.
Our support team may access your account to diagnose an issue. If you don't want us to access your account, please mention this when contacting us.
Some of our engineering and operations teams have access to customer data, and all personnel are bound by confidentiality agreements. Access to user data is logged and reviewed periodically.
How you can help protect yourself
There is nothing extra for you to do to protect yourself.