When reviewing the landscape around financial apps, we noticed a troubling trend — companies making money by selling your financial data, serving ads, and making you the product. We think this is a bad idea, and this deep respect for privacy is a major reason we started Monarch. We are committed to being as transparent as possible about what data we collect and why.
Monarch never stores the user names or passwords to your accounts - this data all flows through our secure third-party data provider partners. Monarch can not move money in or out of your accounts.
Monarch takes data protection and encryption seriously to ensure the security and privacy of our users:
We are SOC2 Type 2 certified. Read more here.
All data is encrypted both at rest and in transit, providing robust protection against unauthorized access during storage and transmission.
We have comprehensive identity and access management controls in place, including single sign-on (SSO), two-factor authentication (2FA), and prompt removal of access upon employee separation to mitigate risks associated with unauthorized personnel.
Data is securely stored in US-based AWS data centers.
Regular penetration testing is conducted on our Monarch web application to identify and address potential vulnerabilities.
Network controls safeguard user data by preventing unauthorized access and ensuring compliance with industry best practices.
On the member side, we offer the ability to turn on multi-factor authentication to protect your Monarch login with an extra security step.
Read more here:
Data provider partners
The data providers that Monarch uses to connect financial accounts are Plaid, Finicity (owned by Mastercard), and MX. We also use Spinwheel to for credit information (optional). The data providers maintain very strict security practices including encryption, role-based access controls at each layer of their infrastructure, publishing a SOC 2 type 2 report, API traffic control, and one of the strongest bug bounty programs in the industry.
You can learn more details about our partners' security practices here: