Data Privacy Policy

Last revision: February 13, 2024

Preamble

Data privacy and data security are top priorities for Aster Key. They are the DNA of our business and key to your experience with our product. Aster Key is committed to:

• securing your financial and personal data
• eliminating systems vulnerabilities
• ensuring your ability to start your financing journey in an anonymous mode
• never selling your data behind your back

We patented key components of our data privacy and security system in, Patent No. 11,170,130, issued 11/9/2021, titled: “Apparatus, Systems and Methods for Storing User Profile Data on a Distributed Database for Anonymous Verification”

Data through the Aster Key System

We securely allow you to add verified data from financial institutions you do business with via Plaid or Argyle, to the Aster Key backend (servers), to your Aster Key mobile application on your mobile phone (mobile app), as well as to any lenders you explicitly authorize. In all instances, data is transmitted securely via end-to-end encryption via an HTTPS endpoint. We encrypt all transmitted data using AES-256 bit encryption. We also separate your personal data from your financial data and independently store and encrypt all data at rest.
Aster Key does not commingle your personal data such as your name, social security #, or email with your financial data at any time in transit or when stored. All your personal and financial data is separated in your mobile app and Aster Key never passes them together in the lender API, or when you export to send manually.

Our backend does not store or have direct access to your data in your Aster Key app on your mobile phone. Your data use is controlled by you. The only exception is how we use your mobile phone number to verify you at account setup.

Mobile Application Data

Once the data is formatted it is removed from the Aster Key back end and passed securely to your mobile app. It is now available and stored encrypted (and separated) when at rest in your mobile application.

Data Encryption

All data in your mobile application, as well as any non-financial and non-personal data on the Aster Key servers, is encrypted when transmitted and at rest. If a hacker was ever able to penetrate and access any portion of the physical storage on your mobile device it would be incredibly hard to read the data without decryption of the various data stores independently, which is unlikely to happen. The information in your mobile application is a useless string of jumbled random characters and is more secure than website backend data stores and hard to gain access.

Aster Key Server Communication

Encryption in transit within the Aster Key back end as well as encrypting all data at rest adds another layer of security protection when back end maintenance is needed without compromising data security and privacy. Not even our internal software engineers can see your data passing through our back end. If a hacker gains access to our back end they cannot see your data while it is passed. The limited data stored at rest is secured using the same principles as noted above.

Where and how your data is stored

Create Account 

A passphrase is created by you. This is linked to an internal unique identifier (snowflake) that identifies you, anonymously, to our system. As part of the account creation process, you are provided a public anonymous ID that is used when you send your financial data to a lender. I.E, a lender sees your financial data but not your personal information such as your name, address, social security number or email – so at this point you cannot be identified. The final step in account creation is verification of your mobile number which is linked to your internal unique identifier.

• A passphrase is easier for humans to remember, eliminating the tendency for users to create weak usernames and passwords, and better than an email that can be used to identify you. 4-5 word passphrases using only lower and uppercase letters (no numbers or symbols or spaces), such as picktraitGoatGifts, are very secure. You should not use any personal information or common phrases, such as “ToBeOrNotToBe”, in your Passphrase
• We pass your public anonymous ID with your financial data.
• We never pass your personal info with your financial data as it is stored independently

Financial Profile Data

You create your (verified) financial profile by logging into your payroll, bank, and investment accounts from your Aster Key app via services such as Plaid,and Argyle which have connections to financial institutions, companies you work for, or payroll companies such as ADP.

• Aster Key does not have access to, see, or store your login information to your accounts. A secure connection is made that we do not have control over or visibility into.
• The access is “read-only”. We can’t do any “transactions” through these accounts. The information from your accounts is used to access/create your verified information in your financial profile.
• To maintain a high level of security, Aster Key does not store your financial data on our servers. Your financial data is aggregated and passed to your mobile app encrypted within milliseconds. We also use end-to-end encryption which adds to the security of your data. Our end-to-end encryption blocks website providers or government agencies from viewing the data in transit, which is more secure than relying on and using HTTPS which has more vulnerabilities.
• Your encrypted financial data is not readable or visible in your phone’s keychain/keystore secure storage by 3rd parties who scan storage. We also encrypt the data stored in the Aster Key keychain/Keystore on your mobile device.
• Your financial data and your personal data are stored and encrypted independently with unique keys which adds another level of complexity aiding the security of your data.
• A blockchain proof/hash is created of your financial data via an Ethereum sidechain and then uploaded to Ethereum Mainnet. Your financial proof/hash ensures your data can be verified and acts as a counterbalance if any 3rd party would try to manipulate your information. This further protects your data as well as ensures its integrity.
• Our goal is to have this hash used as verification of your financial data as blockchain becomes embedded in risk analysis systems.
• Aster Key does not store or have access to your financial data as it is stored and controlled by you inside the app. You are in complete control over who sees your financial data.

Personal Data (also referred to as personal information)

When you complete ID Verification, using your Driver’s Lic as an example, your personal information from this document is added to your personal data storage which you can view from the “settings” screen. Personal data, other than first name and email, is not required to send out requests to apply for loan as this is done largely “anonymously”. You transmit additional personal data if you accept the offer.

• Personal data consists of data such as your legal name, home address, email address, mobile phone #, social security #
• Personal data (except your mobile phone number which is used to verify your device) is only stored on your mobile phone. It is encrypted and stored independently from your financial data for added security. It is not readable or visible in your phone’s storage.
• Aster Key does not store your personal data on its servers (except for mobile phone #).
• You control who sees your personal data, as only you can send it. When you hit apply we only send your personal data encrypted and also use end-to-end encryption which adds to the security of your data.
• We never send your personal data comingled with your financial data to increase security.
• You do not have to add personal data to send your financial data out for offers, you can do this later.

How to delete your account and delete your data

Aster Key is a native mobile app – only.  The website, www.asterkey.com,  is for information only and does not store any of your data or tie to your data in any manner.

Only the Aster Key native mobile app, on your mobile phone, has any data functionality.  Aster Key is unique because we do not store your data (other than your mobile phone number for verification) on any servers. Your data is stored only on your mobile phone, until you choose to share it.

How to delete the entire app and all your data: At any time you can go to your Aster Key app, in SETTINGS, and under Financial Data, hit the red delete button with the text “this action will delete your account and all data in the app”.

How to delete a single financial institution and corresponding data from your app:  Next to the name of the financial institution hit the arrow, then open the 3 dot “more” button.  Hit delete.

New mobile phone, or loss of your mobile phone

Your mobile phone (mobile device) is your key to your personal information – as well as all your financial data, both of which are encrypted end to end and stored on your phone.

• If you lose your phone or upgrade to a new phone, it will result in the loss of your financial data as well as your personal data.
• There is no “recovery” of your data – as Aster Key does not store your financial data or personal data on its servers.
• Your offers are recoverable as long as you remember your passphrase and maintain the same phone number – or have written down your anonymous public id.
• In the future, 1) we may enable an encrypted backup, that you can store, which will allow you to “reload” your data from the backup, and 2) you will be able to export your data, which will be password protected, and allow you to take your data with you and view it outside of the Aster Key app, i.e., if you want to provide a copy of your financial profile to an entity that is not in the Aster Key ecosystem.

No personal data and financial data commingling

To maintain your privacy as well as increase the overall safety of your data we do not store your financial and personal data together.

• Your personal data and financial data are not stored together on your mobile
• Your personal data and financial data is all stored and encrypted independently
• Financial data sent to the blockchain to create your proof does not include any personal information. This further secures and separates your financial and personal data on your device or on the blockchain, so a 3rd party cannot tie the two together.
• Financial data sent to lenders is always sent using your public anonymous ID. It is NEVER sent with your personal data

Benefits to Aster Key’s anonymous financial data transmission, and no commingling of personal and financial data

• You no longer have to fill out online or paper applications
• You can anonymously apply to lenders (1 at a time) for multiple offers with the press of a button.
• You do not have to go through the “security-challenged” application processes.  Current lending processes and financial apps expose you to passing your personal and financial data at the same time in transit as part of their processes, and/or use your personal or financial information for marketing purposes – and this increases the risk of being exposed in a server hack to any of these entities
• If we are successful, a long-term benefit of a consumer-provisioned financial profile is the reduced reliance on credit agencies storing and selling your data without your permission.

Employee Screening

When Aster Key hires full-time W2 employees, it will conduct background checks for all new hires, including verification on the following: Identity verification; National criminal records check; County criminal records check; (U.S. only) Sex offender registry check. We do not currently conduct background checks for our 1099 and consulting firms.

Security Training

To ensure continuity with respect to securing your data, all employees receive onboarding and systems training, including environment and permissions setup, security policies review, company policies review, and corporate values training. All employees are required to review security policies as part of onboarding and are encouraged to collaborate and enhance our policies during peer reviews. All changes are managed in our GIT repository so engineers can review and collaborate before they become policy. All updates are passed to employees and added to the training.

Penetration Testing

After our beta period, Aster Key will use a 3rd party to perform annual penetration testing. Your financial and personal data is not exposed during these tests. We create a close of our systems that does not contain any of our customer’s personal or financial data for these tests. All findings linked to vulnerabilities that can be exploited through penetration testing are used to set remediation priorities. The mobile applications go through a security test as part of each new version release.

Intrusion detection and prevention systems (IDS/IPS)

Aster Key uses signature-based security and algorithm-based security to dynamically identify traffic patterns that align with known attack methods. The key benefit of IDS/IPS is to tightly control the size and make-up of the attack telemetry, using intelligent detection controls at data entry points. The time it takes to automatically remedy new threats, as well as proactive prevention of known threats from accessing the system in the first place. Aster Key utilizes DataDog security monitoring as well as CloudFlare WAF as components in its intrusion detection, protection, and alerting infrastructure.

Two-Factor Authentication

In the future, along with passphrase login, Aster Key may provide two-factor authentication (2FA) provides additional security to your data stored in the Aster Key application. We highly recommend the use of 2FA as an integral step toward securing your data. Aster Key users can turn on @FA in the settings screen and can use universal second-factor applications like “Authy” or SMS as second factors.

Securing Application Development Lifecycle

Aster Key uses continuous delivery of enhancements and modifications. All new or modified code changes are committed, tested, shipped, and iterated in a rapid sequence. We use a continuous delivery methodology, which includes pull requests, continuous integration (CI), and automated error tracking. Our goal is and processes are aligned to significantly decrease the likelihood of a security issue. These flows also improve our response time to the effective removal of bugs and vulnerabilities. We use Github release notes and change management through the GitHub SDK to manage our code.

Compliance Certifications

After our beta period, likely after Q3 2024, we will consider completing the following compliance certifications including but not limited to: SOC2 Type I; SOC2 Type II, and HIPAA Attestation.

GDPR (General Data Protection Regulation, European Union)

Aster Key is GDPR compliant.

CCPA (California Consumer Privacy Act)

Aster Key is CCPA compliant. Our Data CCPA data processing overview provides assurances and a path to learn how your data is used as well as a way to clear out your data. Aster Key does not retain, use, or disclose personal data. You maintain all your personal data on your device within the Aster Key app. You control when and how it is used. Aster Key does not “sell” Personal Data within the meaning under the CCPA.