Security
How does Envestnet | Yodlee ensure the security of users’ data?
Envestnet | Yodlee takes financial data security seriously and invests heavily to ensure user data and credentials remain safe and out of the hands of malicious actors. Our security infrastructure is regularly inspected using a comprehensive audit program conducted by the Yodlee Security Office (YSO) that is vetted by our independent auditors and regulatory examiners. To learn more, please go here or contact your salesperson to get in touch with the Yodlee Security Office (YSO).
How do I assure my customers that their credentials are safe?
Envestnet | Yodlee maintains bank-level security and is audited like a bank. Stored credentials are hardware encrypted using a FIPS 140-2 Level 2 HSM, and the encryption keys cannot be accessed by anyone, including Yodlee employees. Customers can also unregister/delete a user or delete a provider account (the user's provider credentials) via an API that deletes all of the user's sensitive information.
Why do I need two authentication tokens to access the Yodlee API?
This refers to authentication used in v1.0 of the Yodlee REST API. This version has been deprecated. Please look here for information on more recent versions of the API and the related authentication methods.
Dual token authentication is in place to ensure that both the cobrand and user have access rights to the Yodlee platform. Yodlee provides best practices for token management to ensure a streamlined and secure integration. User sessions and cobrand sessions can be extended. A user session expires after 30 minutes, and a cobrand session expires after 100 minutes. Create a new user or cobrand session before it expires. Invoke the User Login API or Cobrand Login API accordingly.
After receiving the cobrand session, reuse that same cobrand session for all subsequent user logins and service calls for the next 100 minutes, until it expires. Avoid calling the Cobrand Login API repeatedly to obtain a cobrand session for subsequent API calls such as user login or data retrieval. Calling these login APIs repeatedly is not recommended, as it is detrimental to the performance of the services. Likewise, avoid calling the User Login API multiple times within a session.
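The session rules above, applied in a small client-side cache as an added example (this is not Yodlee's own SDK or code). The 100-minute cobrand and 30-minute user lifetimes come from the text; the login calls are injected as hypothetical callables, since no endpoint details are assumed, and a renewal margin is added so a new session is created shortly before the old one expires.

```python
import time
from typing import Callable, Dict, Optional, Tuple

COBRAND_TTL_SECONDS = 100 * 60   # cobrand session expires after 100 minutes (from the page)
USER_TTL_SECONDS = 30 * 60       # user session expires after 30 minutes (from the page)
RENEW_MARGIN_SECONDS = 60        # assumption: create a new session 60 s before expiry


class SessionCache:
    """Caches the cobrand session and per-user sessions so that the Cobrand Login API
    and User Login API are only invoked when a session is missing or about to expire."""

    def __init__(self, cobrand_login: Callable[[], str],
                 user_login: Callable[[str, str], str],
                 now: Callable[[], float] = time.time):
        self._cobrand_login = cobrand_login   # hypothetical: calls the Cobrand Login API
        self._user_login = user_login         # hypothetical: (cobrand_token, login_name) -> user token
        self._now = now                       # injectable clock, makes expiry testable
        self._cobrand: Optional[Tuple[str, float]] = None   # (token, obtained_at)
        self._users: Dict[str, Tuple[str, float]] = {}      # login_name -> (token, obtained_at)
        self.login_calls = {"cobrand": 0, "user": 0}         # observability: how often we logged in

    def _expired(self, obtained_at: float, ttl: int) -> bool:
        # Treat the session as unusable once it is within the renewal margin of its TTL.
        return self._now() - obtained_at >= ttl - RENEW_MARGIN_SECONDS

    def cobrand_session(self) -> str:
        """Return the cached cobrand token; log in only if none is held or it is expiring."""
        if self._cobrand is None or self._expired(self._cobrand[1], COBRAND_TTL_SECONDS):
            self.login_calls["cobrand"] += 1
            self._cobrand = (self._cobrand_login(), self._now())
        return self._cobrand[0]

    def user_session(self, login_name: str) -> str:
        """Return the cached user token for login_name, reusing the cobrand session."""
        cached = self._users.get(login_name)
        if cached is None or self._expired(cached[1], USER_TTL_SECONDS):
            cobrand = self.cobrand_session()   # reuse; never re-login just for this call
            self.login_calls["user"] += 1
            self._users[login_name] = (self._user_login(cobrand, login_name), self._now())
        return self._users[login_name][0]
```

Tokens returned here are bearer secrets for the session; keep them out of application logs and error messages.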