guest
notification
notification

Connection Provider and Method

Connection Provider and Method

Urvin uses three providers for authentication and holdings verification - SnapTrade, Mesh and MX. For every broker connection, we have listed the provider and the mechanism that they use to authenticate that you have an account with that broker. Before drilling into each of them, it’s important to understand that overall every provider we use has at least a SOC 2 certification, regular audits and penetration testing.

These firms all have bank-level security. If you trust your money with brokers or transfer agents, you can be confident that our partners have the same level of security as your counterparties/custodians do. If you have concerns about hacking risk with our partners, you should have similar concerns with the counterparties you are using.

The partners we use provide a service generally called “account aggregation.” This is a technology that has been in the market for well over a decade. One of our partners, MX, has been in business for over 10 years. These partners use different methods to authenticate accounts and retrieve holdings, but one important feature across all methods is that they are read-only. Urvin cannot take any actions on your behalf in your connected accounts, neither can our partners. Yes, there is a theoretical risk that if a provider has to store your credentials, and they were hacked, somebody could take an action in your account if you do not have 2-factor authentication setup. 2-factor authentication is very important for you to setup, preferably with an app rather than SMS. However, this possibility is extremely unlikely - these firms use the same level of security as your brokers. But we will never try to tell you what to do - we simply want to provide enough information for you to make your own informed choices given your desire to balance security and the functionality that we can provide once you are authenticated and verified.

For each provider, we will provide you with an overview of their security practices and each method of theirs that we use.

Finicity

Finicity uses two methods to connect your accounts: OAuth and FI Legacy. With all methods, they use strong encryption of all data in-transit and at-rest. OAuth is the method we prefer, where you simply authenticate with your broker, and then authorize Finicity and Urvin to read your positions. OAuth does not expost your credentials to Urvin or Finicity. However, many brokers do not support this method. Finicity offers FI Legacy as an alternative, and certifies those financial institutions that are able to consistently deliver quality data. Urvin only uses certified connections through Finicity. FI Legacy connections require Finicity to pass your credentials to your brokers’ website in order to access your position and transaction data, potentially mimicing human behavior through data scraping. Even with data scraping, Urvin can never see your user credentials. However, those credentials will be stored, encrypted, by Finicity in order to refresh your holdings and ensure that access to verified shareholder communities stays current with your holdings. All of these methods are strictly read-only.

Finicity has best-in-class security practices as they are owned by Mastercard and the longest track record of any of our partners. They are both SOC 2 Type 2 and PCI Level 1 RoC/AoC compliant, and have been in business since 1999.
mc_symbol

MX

MX uses three methods to connect your accounts: OAuth, Data Exchange and Data Scraping. With all methods, they use strong encryption of all data in-transit and at-rest. You can read about each of those methods in the link above. OAuth is the method we prefer, where you simply authenticate with your broker, and then authorize MX and Urvin to read your positions. However, many brokers do not support this method. Data Exchange is an equally secure mechanism that leverages APIs to exchange authentication details and tokens. Neither OAuth or Data Exchange expose your credentials to Urvin or MX. When neither of these methods is available, MX also supports Data Scraping, and may use third-party API providers to help provide this service. Data Scraping requires MX to pass your credentials to your brokers’ website in order to mimic human behavior, enabling them to scrape information. Even with Data Scraping, Urvin can never see your user credentials. However, those credentials will be stored, encrypted, by MX in order to refresh your holdings and ensure that access to verified shareholder communities stays current with your holdings. All of these methods are strictly read-only.

MX has best-in-class security practices and one of the longest track record. They are both SOC 2 and PCI DSS compliant, and have been in business for over 10 years.

Mesh

Mesh uses a method called zero trust authorization.User credentials are entered into a form on our website and immediately encrypted before being transmitted by Mesh to the broker for authentication. Those credentials are not stored on either Urvin’s or Mesh’s platform. The broker generates a token, which Mesh transmits back to Urvin in order to provide refresh functionality. Urvin’s use of Mesh’s libraries is strictly read-only - we have not authorized or enabled any other features. All tokens are stored on Urvin’s side with strong encryption.

As per Mesh’s Terms and Conditions, they cannot sell any individual user data.

SnapTrade

SnapTrade offers three types of broker connections - OAuth, API Key and Password/PIN. OAuth is the method we prefer, where you simply authenticate with your broker, and then authorize SnapTrade and Urvin to read your positions. At no time during the OAuth process are your credentials visible to SnapTrade or Urvin. However, many brokers do not support this method. With API Key and Password/PIN, you provide your credentials to SnapTrade, which they pass to your brokers’ website, enabling them to pull your holdings. Those credentials are stored, encrypted, by SnapTrade in order to refresh your holdings and ensure that access to verified shareholder communities stays current your holdings.

Urvin’s use of SnapTrade is strictly read-only, and all connections made by SnapTrade to your brokers are not enabled for anything other than read-only access.
ToolbarCommand.Underline

Urvin Broker Connector Breakdown

The table below provides information on every broker connection that Urvin offers. For each of them, you can cross-reference the descriptions above to understand exactly how we authorize and connect your account, which vendor and method we use, what data is stored by whom, and what risk that might present. You can make your own personal decision that balances your risk tolerance and desire for security against the features that connecting your broker accounts can unlock.

Broker Provider Method Notes / Risks
Acorns Mesh ZeroTrust -
Alpaca Mesh ZeroTrust -
Bank of America Finicity OAuth -
Binance International Mesh ZeroTrust -
Binance International Direct Mesh ZeroTrust -
Binance US Mesh ZeroTrust -
Bitbuy SnapTrade API Key Encrypted API Key is stored by SnapTrade
Bitfinex Mesh ZeroTrust -
BitfinexDirect Mesh ZeroTrust -
BitFlyer Mesh ZeroTrust -
Bitstamp Mesh ZeroTrust -
Bittrex Mesh ZeroTrust -
BMO (Bank of Montreal) MX Data Scraping or API Encrypted user credentials are stored by MX
Brex Finicity OAuth -
Bux SnapTrade Password Encrypted user credentials are stored by SnapTrade
Capital One Finicity OAuth -
Celsius Mesh ZeroTrust -
CexIo Mesh ZeroTrust -
Chase Finicity OAuth -
Chime Finicity OAuth -
CIBC MX Data Scraping or API Encrypted user credentials are stored by MX
Citibank Finicity OAuth -
Coinbase Mesh ZeroTrust -
Coinbase Pro Mesh ZeroTrust -
Coinlist Mesh ZeroTrust -
ComputerShare - Investor Center Finicity FI Legacy Encrypted user credentials are stored by Finicity
Crypto.com Mesh ZeroTrust -
DEGIRO SnapTrade Password/PIN Encrypted user credentials are stored by SnapTrade
Etoro Mesh ZeroTrust -
ETrade SnapTrade OAuth -
Fidelity Finicity OAuth -
GateIo Mesh ZeroTrust -
Gemini Mesh ZeroTrust -
GO2Bank Finicity OAuth -
Huobi Mesh ZeroTrust -
Interactive Brokers Mesh ZeroTrust -
Kraken Mesh ZeroTrust -
KrakenDirect Mesh ZeroTrust -
KuCoin Mesh ZeroTrust -
Navy Federal Credit Union Finicity OAuth -
OkCoin Mesh ZeroTrust -
Okx Mesh ZeroTrust -
OpenSea Mesh ZeroTrust -
Public Mesh ZeroTrust -
Questrade SnapTrade Password Encrypted user credentials are stored by SnapTrade
Robinhood Mesh ZeroTrust -
Schwab Finicity OAuth -
Sofi MX Data Scraping or API Encrypted user credentials are stored by MX
Stake SnapTrade Password Encrypted user credentials are stored by SnapTrade
Stake Australia SnapTrade Password Encrypted user credentials are stored by SnapTrade
Stash Mesh ZeroTrust -
Sydbank MX Data Scraping or API Encrypted user credentials are stored by MX
TD Ameritrade Mesh ZeroTrust -
TD Bank (USA) Finicity OAuth -
TD Canada MX Data Scraping or API Encrypted user credentials are stored by MX
Tradier SnapTrade OAuth -
Tradestation SnapTrade OAuth -
Upstox SnapTrade OAuth -
USAA Finicity OAuth -
US Bank Finicity OAuth -
Vanguard Mesh ZeroTrust -
Wealthsimple Trade SnapTrade Password Encrypted user credentials are stored by SnapTrade
Webull Mesh ZeroTrust -
Wells Fargo Finicity OAuth -

  • Hub
  • Community
  • Search
Please reload the page to continue
Your session has expired. Refreshing the page will ensure you have access to the most recent information and features.
Reload reload-icon