Security & Privacy
We built Carefull to protect you and your loved ones. That means keeping your data private, safe, and secure is critical to everything we do.
Carefull is secure by default and private by design. We build every one of our services with strict data practices that ensure the safety of your data.
We’re also committed to never selling your personal data. Scroll down to read details about the safeguards built into our technology.
Carefull is SOC 2 certified & independently audited for our security practices.
Carefull is the first financial caregiving service to receive its SOC 2 certification. A SOC 2 Report is designed to provide assurances about the effectiveness of security controls at an organization as it relates to security, service availability, processing integrity, confidentiality, and privacy.
An independent CPA firm performed Carefull’s SOC 2 examination and concluded our report with an unqualified (clean) opinion, with zero exceptions identified.
User identity verification ensures you’re really you.
Carefull requires you to validate your identity before receiving any financial notifications from your account. We also require strong passwords and two-factor authentication.
Carefull’s innovative Trusted Contacts system makes financial caregiving secure and read-only.
For many of the 45 million Americans who act as financial caregivers, caregiving involves scribbling passwords on sticky notes, calling bank customer service on behalf of mom or dad, and reading through bank statements for another person.
Thus far, these under-the-table management methods have been the only option — but they also lack privacy and security, and can lead to theft or fraud. Carefull’s Trusted Contacts system allows older adults to share only need-to-know pieces of financial information, without giving others the ability to touch their money. Older adults maintain independence and security, while caregivers still get what they need to support the ones they love.
An “arm’s length” Plaid partnership model ensures the privacy of your banking credentials.
We use Plaid for secure, read-only analysis of financial accounts. Plaid is used by most banks and personal finance management applications in the US—including Venmo, American Express, Capital One, and Wells Fargo—to allow you to safely and confidently connect accounts from other financial institutions.
When you connect your financial accounts to Carefull, your credentials are never stored by Carefull — they are sent through Plaid to your bank or credit card provider. Carefull cannot touch or move money in your accounts, and you can revoke Carefull’s view-only access by unlinking your account at any time.
Data Separation and Encryption
Strict data separation and encryption protect your and your loved one’s personal and financial information.
Carefull has designed its data-handling systems from the outset to minimize data risks by separating customer data into several separate databases, each of which holds either personal data or financial transaction data.
Data is integrated programmatically only at runtime to deliver services to you. Data in transit is always encrypted. All web traffic is sent over Transport Layer Security (TLS) with HSTS for privacy and security.
Tokenization provides an extra layer of protection to all sensitive data.
Carefull Vault, which stores important documents, passwords, and contacts, uses a proprietary aliasing system to remove sensitive data from our core systems and replaces it with a corresponding alias. This process keeps your information protected by separating it from your account data. Data is encrypted with a different key per object using military-grade encryption (AES-256).
Carefull operates serverlessly on Amazon Web Services to increase the security and stability of all databases.
Carefull is hosted entirely on Amazon Web Services (AWS), a secure online data storage and hosting service that is used by the Department of Defense, NASA, and the Financial Industry Regulatory Authority (FINRA). Carefull user data is stored on private networks in at least three separate geographic locations and is inaccessible from the outside world. For more specific details about AWS security, please refer to aws.amazon.com/security.
Carefull partners with IdentityForce to protect your Social Security Number and credit information.
We use IdentityForce — a part of TransUnion, one of the three major credit bureaus — to provide an extra layer of protection to your Social Security Number (SSN) data. Carefull never stores your SSN alongside your account data.