Urvin uses three providers for authentication and holdings verification - SnapTrade, Mesh and MX. For every broker connection, we have listed the provider and the mechanism that they use to authenticate that you have an account with that broker. Before drilling into each of them, it’s important to understand that overall every provider we use has at least a SOC 2 certification, regular audits and penetration testing.
These firms all have bank-level security. If you trust your money with brokers or transfer agents, you can be confident that our partners have the same level of security as your counterparties/custodians do. If you have concerns about hacking risk with our partners, you should have similar concerns with the counterparties you are using.
The partners we use provide a service generally called “account aggregation.” This is a technology that has been in the market for well over a decade. One of our partners, MX, has been in business for over 10 years. These partners use different methods to authenticate accounts and retrieve holdings, but one important feature across all methods is that they are read-only. Urvin cannot take any actions on your behalf in your connected accounts, and neither can our partners. Yes, there is a theoretical risk that if a provider has to store your credentials and is hacked, somebody could take an action in your account if you do not have 2-factor authentication set up. 2-factor authentication is very important for you to set up, preferably with an app rather than SMS. However, this possibility is extremely unlikely - these firms use the same level of security as your brokers. But we will never try to tell you what to do - we simply want to provide enough information for you to make your own informed choices given your desire to balance security and the functionality that we can provide once you are authenticated and verified.
For each provider, we will provide you with an overview of their security practices and each method of theirs that we use.
Finicity uses two methods to connect your accounts: OAuth and FI Legacy. With all methods, they use strong encryption of all data in-transit and at-rest. OAuth is the method we prefer, where you simply authenticate with your broker, and then authorize Finicity and Urvin to read your positions. OAuth does not expose your credentials to Urvin or Finicity. However, many brokers do not support this method. Finicity offers FI Legacy as an alternative, and certifies those financial institutions that are able to consistently deliver quality data. Urvin only uses certified connections through Finicity. FI Legacy connections require Finicity to pass your credentials to your broker’s website in order to access your position and transaction data, potentially mimicking human behavior through data scraping. Even with data scraping, Urvin can never see your user credentials. However, those credentials will be stored, encrypted, by Finicity in order to refresh your holdings and ensure that access to verified shareholder communities stays current with your holdings. All of these methods are strictly read-only.
MX uses three methods to connect your accounts: OAuth, Data Exchange and Data Scraping. With all methods, they use strong encryption of all data in-transit and at-rest. You can read about each of those methods in the link above. OAuth is the method we prefer, where you simply authenticate with your broker, and then authorize MX and Urvin to read your positions. However, many brokers do not support this method. Data Exchange is an equally secure mechanism that leverages APIs to exchange authentication details and tokens. Neither OAuth nor Data Exchange exposes your credentials to Urvin or MX. When neither of these methods is available, MX also supports Data Scraping, and may use third-party API providers to help provide this service. Data Scraping requires MX to pass your credentials to your broker’s website in order to mimic human behavior, enabling them to scrape information. Even with Data Scraping, Urvin can never see your user credentials. However, those credentials will be stored, encrypted, by MX in order to refresh your holdings and ensure that access to verified shareholder communities stays current with your holdings. All of these methods are strictly read-only.
Mesh uses a method called zero trust authorization. User credentials are entered into a form on our website and immediately encrypted before being transmitted by Mesh to the broker for authentication. Those credentials are not stored on either Urvin’s or Mesh’s platform. The broker generates a token, which Mesh transmits back to Urvin in order to provide refresh functionality. Urvin’s use of Mesh’s libraries is strictly read-only - we have not authorized or enabled any other features. All tokens are stored on Urvin’s side with strong encryption.
SnapTrade offers three types of broker connections - OAuth, API Key and Password/PIN. OAuth is the method we prefer, where you simply authenticate with your broker, and then authorize SnapTrade and Urvin to read your positions. At no time during the OAuth process are your credentials visible to SnapTrade or Urvin. However, many brokers do not support this method. With API Key and Password/PIN, you provide your credentials to SnapTrade, which they pass to your broker’s website, enabling them to pull your holdings. Those credentials are stored, encrypted, by SnapTrade in order to refresh your holdings and ensure that access to verified shareholder communities stays current with your holdings.
The table below provides information on every broker connection that Urvin offers. For each of them, you can cross-reference the descriptions above to understand exactly how we authorize and connect your account, which vendor and method we use, what data is stored by whom, and what risk that might present. You can make your own personal decision that balances your risk tolerance and desire for security against the features that connecting your broker accounts can unlock.
Broker | Provider | Method | Notes / Risks |
---|---|---|---|
Acorns | Mesh | ZeroTrust | - |
Alpaca | Mesh | ZeroTrust | - |
Bank of America | Finicity | OAuth | - |
Binance International | Mesh | ZeroTrust | - |
Binance International Direct | Mesh | ZeroTrust | - |
Binance US | Mesh | ZeroTrust | - |
Bitbuy | SnapTrade | API Key | Encrypted API Key is stored by SnapTrade |
Bitfinex | Mesh | ZeroTrust | - |
BitfinexDirect | Mesh | ZeroTrust | - |
BitFlyer | Mesh | ZeroTrust | - |
Bitstamp | Mesh | ZeroTrust | - |
Bittrex | Mesh | ZeroTrust | - |
BMO (Bank of Montreal) | MX | Data Scraping or API | Encrypted user credentials are stored by MX |
Brex | Finicity | OAuth | - |
Bux | SnapTrade | Password | Encrypted user credentials are stored by SnapTrade |
Capital One | Finicity | OAuth | - |
Celsius | Mesh | ZeroTrust | - |
CexIo | Mesh | ZeroTrust | - |
Chase | Finicity | OAuth | - |
Chime | Finicity | OAuth | - |
CIBC | MX | Data Scraping or API | Encrypted user credentials are stored by MX |
Citibank | Finicity | OAuth | - |
Coinbase | Mesh | ZeroTrust | - |
Coinbase Pro | Mesh | ZeroTrust | - |
Coinlist | Mesh | ZeroTrust | - |
ComputerShare - Investor Center | Finicity | FI Legacy | Encrypted user credentials are stored by Finicity |
Crypto.com | Mesh | ZeroTrust | - |
DEGIRO | SnapTrade | Password/PIN | Encrypted user credentials are stored by SnapTrade |
Etoro | Mesh | ZeroTrust | - |
ETrade | SnapTrade | OAuth | - |
Fidelity | Finicity | OAuth | - |
GateIo | Mesh | ZeroTrust | - |
Gemini | Mesh | ZeroTrust | - |
GO2Bank | Finicity | OAuth | - |
Huobi | Mesh | ZeroTrust | - |
Interactive Brokers | Mesh | ZeroTrust | - |
Kraken | Mesh | ZeroTrust | - |
KrakenDirect | Mesh | ZeroTrust | - |
KuCoin | Mesh | ZeroTrust | - |
Navy Federal Credit Union | Finicity | OAuth | - |
OkCoin | Mesh | ZeroTrust | - |
Okx | Mesh | ZeroTrust | - |
OpenSea | Mesh | ZeroTrust | - |
Public | Mesh | ZeroTrust | - |
Questrade | SnapTrade | Password | Encrypted user credentials are stored by SnapTrade |
Robinhood | Mesh | ZeroTrust | - |
Schwab | Finicity | OAuth | - |
Sofi | MX | Data Scraping or API | Encrypted user credentials are stored by MX |
Stake | SnapTrade | Password | Encrypted user credentials are stored by SnapTrade |
Stake Australia | SnapTrade | Password | Encrypted user credentials are stored by SnapTrade |
Stash | Mesh | ZeroTrust | - |
Sydbank | MX | Data Scraping or API | Encrypted user credentials are stored by MX |
TD Ameritrade | Mesh | ZeroTrust | - |
TD Bank (USA) | Finicity | OAuth | - |
TD Canada | MX | Data Scraping or API | Encrypted user credentials are stored by MX |
Tradier | SnapTrade | OAuth | - |
Tradestation | SnapTrade | OAuth | - |
Upstox | SnapTrade | OAuth | - |
USAA | Finicity | OAuth | - |
US Bank | Finicity | OAuth | - |
Vanguard | Mesh | ZeroTrust | - |
Wealthsimple Trade | SnapTrade | Password | Encrypted user credentials are stored by SnapTrade |
Webull | Mesh | ZeroTrust | - |
Wells Fargo | Finicity | OAuth | - |