Data privacy and data security are top priorities for Aster Key. They are the DNA of our business and key to your experience with our product. Aster Key is committed to:
We patented key components of our data privacy and security system in, Patent No. 11,170,130, issued 11/9/2021, titled: “Apparatus, Systems and Methods for Storing User Profile Data on a Distributed Database for Anonymous Verification”
We securely allow you to add verified data from financial institutions you do business with via Plaid or Argyle, to the Aster Key backend (servers), to your Aster Key mobile application on your mobile phone (mobile app), as well as to any lenders you explicitly authorize. In all instances, data is transmitted securely via end-to-end encryption via an HTTPS endpoint. We encrypt all transmitted data using AES-256 bit encryption. We also separate your personal data from your financial data and independently store and encrypt all data at rest.
Aster Key does not commingle your personal data such as your name, social security #, or email with your financial data at any time in transit or when stored. All your personal and financial data is separated in your mobile app and Aster Key never passes them together in the lender API, or when you export to send manually.
Our backend does not store or have direct access to your data in your Aster Key app on your mobile phone. Your data use is controlled by you. The only exception is how we use your mobile phone number to verify you at account setup.
Once the data is formatted it is removed from the Aster Key back end and passed securely to your mobile app. It is now available and stored encrypted (and separated) when at rest in your mobile application.
All data in your mobile application, as well as any non-financial and non-personal data on the Aster Key servers, is encrypted when transmitted and at rest. If a hacker was ever able to penetrate and access any portion of the physical storage on your mobile device it would be incredibly hard to read the data without decryption of the various data stores independently, which is unlikely to happen. The information in your mobile application is a useless string of jumbled random characters and is more secure than website backend data stores and hard to gain access.
Encryption in transit within the Aster Key back end as well as encrypting all data at rest adds another layer of security protection when back end maintenance is needed without compromising data security and privacy. Not even our internal software engineers can see your data passing through our back end. If a hacker gains access to our back end they cannot see your data while it is passed. The limited data stored at rest is secured using the same principles as noted above.
A passphrase is created by you. This is linked to an internal unique identifier (snowflake) that identifies you, anonymously, to our system. As part of the account creation process, you are provided a public anonymous ID that is used when you send your financial data to a lender. I.E, a lender sees your financial data but not your personal information such as your name, address, social security number or email – so at this point you cannot be identified. The final step in account creation is verification of your mobile number which is linked to your internal unique identifier.
You create your (verified) financial profile by logging into your payroll, bank, and investment accounts from your Aster Key app via services such as Plaid,and Argyle which have connections to financial institutions, companies you work for, or payroll companies such as ADP.
When you complete ID Verification, using your Driver’s Lic as an example, your personal information from this document is added to your personal data storage which you can view from the “settings” screen. Personal data, other than first name and email, is not required to send out requests to apply for loan as this is done largely “anonymously”. You transmit additional personal data if you accept the offer.
Aster Key is a native mobile app – only. The website, www.asterkey.com, is for information only and does not store any of your data or tie to your data in any manner.
Only the Aster Key native mobile app, on your mobile phone, has any data functionality. Aster Key is unique because we do not store your data (other than your mobile phone number for verification) on any servers. Your data is stored only on your mobile phone, until you choose to share it.
How to delete the entire app and all your data: At any time you can go to your Aster Key app, in SETTINGS, and under Financial Data, hit the red delete button with the text “this action will delete your account and all data in the app”.
How to delete a single financial institution and corresponding data from your app: Next to the name of the financial institution hit the arrow, then open the 3 dot “more” button. Hit delete.
Your mobile phone (mobile device) is your key to your personal information – as well as all your financial data, both of which are encrypted end to end and stored on your phone.
To maintain your privacy as well as increase the overall safety of your data we do not store your financial and personal data together.
When Aster Key hires full-time W2 employees, it will conduct background checks for all new hires, including verification on the following: Identity verification; National criminal records check; County criminal records check; (U.S. only) Sex offender registry check. We do not currently conduct background checks for our 1099 and consulting firms.
To ensure continuity with respect to securing your data, all employees receive onboarding and systems training, including environment and permissions setup, security policies review, company policies review, and corporate values training. All employees are required to review security policies as part of onboarding and are encouraged to collaborate and enhance our policies during peer reviews. All changes are managed in our GIT repository so engineers can review and collaborate before they become policy. All updates are passed to employees and added to the training.
After our beta period, Aster Key will use a 3rd party to perform annual penetration testing. Your financial and personal data is not exposed during these tests. We create a close of our systems that does not contain any of our customer’s personal or financial data for these tests. All findings linked to vulnerabilities that can be exploited through penetration testing are used to set remediation priorities. The mobile applications go through a security test as part of each new version release.
Aster Key uses signature-based security and algorithm-based security to dynamically identify traffic patterns that align with known attack methods. The key benefit of IDS/IPS is to tightly control the size and make-up of the attack telemetry, using intelligent detection controls at data entry points. The time it takes to automatically remedy new threats, as well as proactive prevention of known threats from accessing the system in the first place. Aster Key utilizes DataDog security monitoring as well as CloudFlare WAF as components in its intrusion detection, protection, and alerting infrastructure.
In the future, along with passphrase login, Aster Key may provide two-factor authentication (2FA) provides additional security to your data stored in the Aster Key application. We highly recommend the use of 2FA as an integral step toward securing your data. Aster Key users can turn on @FA in the settings screen and can use universal second-factor applications like “Authy” or SMS as second factors.
Aster Key uses continuous delivery of enhancements and modifications. All new or modified code changes are committed, tested, shipped, and iterated in a rapid sequence. We use a continuous delivery methodology, which includes pull requests, continuous integration (CI), and automated error tracking. Our goal is and processes are aligned to significantly decrease the likelihood of a security issue. These flows also improve our response time to the effective removal of bugs and vulnerabilities. We use Github release notes and change management through the GitHub SDK to manage our code.
After our beta period, likely after Q3 2024, we will consider completing the following compliance certifications including but not limited to: SOC2 Type I; SOC2 Type II, and HIPAA Attestation.
Aster Key is GDPR compliant.
Aster Key is CCPA compliant. Our Data CCPA data processing overview provides assurances and a path to learn how your data is used as well as a way to clear out your data. Aster Key does not retain, use, or disclose personal data. You maintain all your personal data on your device within the Aster Key app. You control when and how it is used. Aster Key does not “sell” Personal Data within the meaning under the CCPA.