We take security seriously.
Your data is important to you. It’s important to us, too. In fact, security is our top concern and a core part of Ruby’s value. We understand that you are putting your trust in us, and we want you to know that your information is safe.
Ruby was started by First Horizon National Corporation, a 155-year-old FDIC-insured bank. Ruby’s technology systems are managed with security standards from First Horizon — as a result, we share many of their security processes, procedures, and even personnel for managing risk.
First Horizon is insured through the Federal Deposit Insurance Corporation (FDIC), an independent government agency. For the FDIC to insure deposits at First Horizon, the bank is required to maintain and prove the safety and soundness of its operations and technology—including Ruby.
Securing Your Data
Within our systems, all of your data is stored using 256-bit encryption with a uniquely derived key. We encrypt every single personally identifiable field in the database, including your name and email address. As with all systems such as ours, the security of your information also depends on you. Choose a strong password (we enforce that as best we can) and never share it with anyone.
The Secure Process
Ruby uses Yodlee to securely connect to more than 15,000 financial institutions across the U.S. During the setup process, you are asked to enter your online banking credentials. These credentials are never shared with Ruby or stored on our servers—they are sent through Yodlee to your bank or credit card provider, who then authorizes an encrypted token to Ruby which provides read-only access to transaction data. Ruby cannot move money or make any changes to your account in any way.
Securing Your Data on the Move
All communications between you and Ruby are encrypted via SSL using 2048-bit certificates, and we require SSL on all communications. We support “perfect forward secrecy,” which means that even if someone eavesdrops on your communication and our key is later compromised, they will still not be able to decrypt the data.
Operational Procedures to Keep the Site Secure
Ruby follows best practices to keep your data secure. We regularly audit our environments and code for security issues and apply patches expeditiously. We use commercial services that regularly check our site and retain our own security experts to probe and verify the security of our site.
Administrative Access to your Information
We have strict internal procedures preventing any Ruby employee or administrator from gaining access to your account. The only exceptions are the limited data necessary for us to grant you access to your account (i.e. triggering confirmation emails) and restricting access to your account in urgent circumstances. Ruby logs and regularly audits all accesses to your account.
Two Factor Authentication
Security is not just about protecting your data; it’s also about protecting access to your account. When you enable Two Factor Authentication, whenever you sign into Ruby from a new computer, device, or browser, we will send a unique code to your phone that you must include as part of your login. This extra layer of security makes sure that even if an attacker steals your password from you (or from a site that’s less secure than Ruby), they won’t be able to access your information.
The Ruby team is focused on top-of-the-line security. We are implementing a Type II Service Organization Control 2 (SOC 2), which verifies Ruby’s operations meet or exceed defined levels of processes and controls for the security of customer data. Our framework is built on the Center for Internet Security (CIS) Top 20 Critical Security Controls, which is a prioritized set of best practices created to stop threats.