We take security and data access seriously at Approve Owl. Making the data collection process secure is core to our product.


The Approve Owl Team does not access or interact with an organization’s data as part of normal operations. There are cases where an organization can requests that we access their data, or where required by law. However, we do analyze anonymous, aggregate data for internal business purposes. See our privacy policy for details.

Applicant data is access with a one-time password (OTP) tied to a physical device.

For organization users, password storage is one-way salted and hashed using multiple iterations of a key derivation function for passwords. Organization user access can also be managed by a third-party authorization suite such as Microsoft Azure Active Directory.

We prevent brute force attacks on our systems with request rate limiting and exponential time delays.

Data Retention

If a member of your organization chooses to delete an applicant profile or if an applicant chooses to delete their own profile, We do not simply mark the profile as inactive. We completely destroy all related applicant data.

We retain profile data for a period of time after a profile expires, unless deletion is manually invoked as described above.

Once a profile has become inactive beyond the period of time described in your organization’s configuration, we will delete the related data.


Our entire infrastructure is built on Heroku, which in turn is built on the technology of Amazon Web Services (AWS). This is the same technology trusted by government agencies. Amazon continually manages risk and undergoes recurring assessments to comply with industry standards. Heroku’s entire security policy is here. Amazon’s physical infrastructure (and thus Heroku’s), are accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)


PCI is an security standard that companies must adhere to when processing credit cards. We use PCI certified payment providers (Stripe and QuickBooks depending on invoicing) to process our credit cards, and have engineered our payment forms in such a way that your payment details are sent directly to their systems rather than ours, further increasing security.

Approve Owl does not store any organization or applicant payment details that would need to be governed by PCI.

Financial Institution Data

In order to provide access to financial details, we partner with financial data aggregation specialists Plaid. In the context of Approve Owl, data aggregation is the process of collecting your accounts and transaction data from your financial institution and transmitting it to Approve Owl. You authorize the aggregator to carry out this process on Approve Owl’s behalf. You can learn more about Plaid’s individual security policies and practices on their website.

During this process, Approve Owl does not view or store your bank credentials, but relies upon our partners and their industry-leading security precautions to ensure your information is safe.

Some financial institutions enable connections through a method called OAuth. OAuth allows Approve Owl to access your account and transaction data without you having to provide your online banking credentials to an intermediary—in this case Plaid. Instead, you can authenticate directly with your financial institution, who gives permission (through a digital token) for Plaid to receive the account and transaction information.


All data sent between a user or applicant and Approve Owl is bank-grade or better encryption. Approve Owl forces browsers to use an encrypted connection and won’t let your computer talk to our servers unless that connection is secure.

Specifically around the traffic encryption, we use an extremely high level of encryption, considered industry standard.


Your data is encrypted at rest when stored on our servers. That means that even IF someone could break in and steal the hard drives where your data is stored, they couldn’t read it. We also encrypt sensitive data such as social security numbers and other personally identifiable information (PII) within the database using a 256-bit encryption (AES-256-GCM).


We also encrypt all uploaded documents with a 256-bit encryption (AES-256-GCM) before being stored on AWS S3. So even if a document was accessable directly from S3, it could not be viewed.

Further reading

If you need to get our attention about anything else security related, please do so at To learn more about how we protect your data from a legal standpoint, please view our privacy policy and terms of use.