Envestnet | Yodlee’s commitment to its clients and their customers
The Envestnet | Yodlee Financial Data Platform powers digital financial services for financial wellness, responsible lending, advice and risk management. More than 1,100 global financial institutions, fintech providers and advisors offer Envestnet | Yodlee powered solutions to millions of consumers worldwide. Envestnet | Yodlee is the platform of choice for these clients as we provide a centralized and secure means for their consumers to access and share their finances.
Envestnet | Yodlee also offers data analytics and market research services. These services make use of de-identified data derived from the massive and dynamic set of transaction-level data about its clients’ customers who have permitted their institution to share data with Envestnet | Yodlee.
Envestnet | Yodlee provides our services to our clients via comprehensive contracts that detail our obligations for security, privacy, compliance, and risk management. In addition, clients have the right to receive our independent audits and assessments, as well as conduct their own assessments of the security and operations of the Envestnet | Yodlee Platform. We welcome this level of scrutiny as it makes us better. We take all feedback from our clients seriously and use it to evolve our programs to ensure that we continue to deliver on our commitments to them to help enable and protect you, their customers.
We understand that our Clients’ customers may have questions about Envestnet | Yodlee and the role we play in the tools they’ve selected to help them with their financial health. The information we provide here addresses what we think you’d like to know to be an informed customer.
Envestnet | Yodlee Operates By Customer Consent
Envestnet | Yodlee is a technology services provider to our Clients, each party operating under strict requirements set down in the agreements with each client. Per these agreements, our clients are required to obtain permission from you, their customer, to collect, use, transmit, and store their customers’ financial information with Yodlee. Regardless of the solution, it is therefore our Client’s Terms of Service and Privacy Notice that define their legal relationship with you and form the basis of the instructions they give us to operate on your behalf.
Yodlee Protects User Data
Envestnet | Yodlee has comprehensive programs for security, privacy, risk, and compliance. These programs adhere to financial industry standards and are overseen by an independent dedicated team of security and risk practitioners. Envestnet | Yodlee uses commercially available security products and technologies, including hardware and software data encryption, as part of our multi-layer defense-indepth security architecture, as well as continuous monitoring by our 24×7 Security Operations Center to protect customers’ confidential information.
We regularly engage independent third-party security auditors to assess and test the Envestnet | Yodlee security architecture and our programs. Most of Envestnet | Yodlee’s financial institution clients also conduct their own comprehensive audits. Envestnet | Yodlee services to US financial institutions are
also examined by federal regulatory agencies with supervisory authority over financial institutions, including the Office of the Comptroller of the Currency (“OCC”).
Yodlee Protects User Identity
Protecting the personal information of individuals who use Envestnet | Yodlee products and services provided by their financial institutions and other entities is Envestnet | Yodlee’s top priority. Envestnet | Yodlee does not typically receive any information about users from clients that is considered personally identifiable information (“PII”) under applicable laws and regulations. Envestnet | Yodlee nevertheless handles all individuals’ data that it receives to minimize the potential exposure of any potential personally identifiable information. This means that data used for Envestnet | Yodlee’s analytics and market research data sets are de-identified of individually identifiable information. Envestnet | Yodlee’s transaction level scrubbing is reviewed through internal audits and is checked by leading third party security and privacy experts.
Yodlee Complies with Regulations and Standards
As a global organization engaged in the financial services market, Envestnet | Yodlee must comply with regulations and standards related to security, privacy, and operational risk. The Envestnet | Yodlee security program is aligned with and assessed against international standards, such as the ISO27002 Information Security Management Standard and the PCI-DSS Payment Card Security Standard, as well as the prudential banking, consumer protection and the privacy regulations of the regions in which we operate. Yodlee provides the results of these assessments to its clients to assure that Envestnet | Yodlee is meeting their, and your, expectations. In addition to these global standards, our security and privacy programs follow internationally recognized principles and are aligned with the following:
Envestnet | Yodlee adheres to the FFIEC IT Examination guidelines as applicable to a Technology Services Provider to US chartered financial institutions. We support and endorse principles for consumer-permissioned aggregation published by the Consumer Finance Protection Board and the Center for Financial Services Innovation. Envestnet | Yodlee also adheres to NACHA requirements for our payment services
Envestnet | Yodlee complies with the General Data Protection Regulation (GDPR) as a data processor to our Clients, who are your data controller. Yodlee has the required technical and organizational safeguards to ensure that the personal data of customers are protected and that, through the data controller, customers’ rights over their data are satisfied.
Yodlee has operated in Europe since 2002 as a data processor under the EU Data Protection Act (DPA). Envestnet | Yodlee’s privacy data handling program has consistently received independent validation by TrustARC (formerly TRUSTe) for US-EU Safe Harbour, US-Swiss Safe Harbour and now EU and Swiss Privacy Shield. Envestnet | Yodlee has, and will continue to execute EU Standard Contract Clauses with clients who desire that additional level of assurance. The Envestnet | Yodlee Financial Data Platform and the processes that we use to develop, deliver, and support our services have mature safeguards and governance overseen by an independent security, privacy, risk, and compliance function, as well as receives regular certification by independent assessors and clients.
As a data processor, we support our clients by powering their solutions and protecting their customers following GDPR’s tenants:
You need to know what data about you is collected, with whom it is shared, where it’s stored and for how long. Using Envestnet | Yodlee’s APIs, our clients manage this data collection and storage though-out their customer journey. We also provide our clients with transparent access to the information they need to communicate with you about Envestnet | Yodlee’s processing role.
Envestnet | Yodlee’s Services are 100% customer permissioned.
Access & Portability
Using our Services, clients can allow their customers to access and download their data when they want it.
Warnings and Breach Notifications
Our contract with our clients requires that we notify them of a data breach or any unauthorized access to their customers’ data. We have robust security incident detection and management programs that meet rigorous financial industry standards.
We do not market to our clients’ customers. In fact, we are prohibited from doing so per our contract with them.
If the Envestnet | Yodlee’s Services are used for processing applications for loans or making other decisions or advice, we have additional safeguards and governance controls to support these compliance requirements.
Envestnet | Yodlee maintains bank-grade security safeguards for our entire Platform to protect customers’ data from external and internal threats.
EU Clients who deploy in Envestnet | Yodlee’s US data centres, may rely on our Privacy Shield compliance status or may request Controller-to-Processor Standard Contract Clauses.
Right to be Forgotten
Customers’ information may be updated or deleted using Envestnet | Yodlee’s APIs from within the application or as separate administrative functions. As the data controller, customers’ personal data is fully under their control.
Protecting the personal information of Canadian customers who use Envestnet | Yodlee products and services provided by their financial institutions and other entities is a top priority at Yodlee. We understand the importance of protecting the personal information of our Canadian customers and we work with our clients to ensure we handle personal information in a responsible and transparent
manner. To gain and maintain your trust/ confidence, we embrace the ten Fair Information Principles attached to the Personal Information Protection and Electronic Documents Act (PIPEDA).
Should you have any inquiries regarding the safeguarding and protection of your personal information, please contact the provider of the Envestnet | Yodlee-powered service or Envestnet | Yodlee Customer Care.
Identifying the purposes for collecting, using and sharing personal information
In order to use your Envestnet | Yodlee-powered services, you must link the financial accounts whose data you wish to provide to your service provider. We will collect your usernames and password in order to access these accounts on your behalf and provide the data to your service provider. We will only use your credentials and the data we retrieve on your behalf to provide our services to your provider. As with most online businesses, Envestnet | Yodlee logs information about your access and use of the Envestnet | Yodlee Platform.
Organization using the Envestnet | Yodlee Financial Data Platform are required to have obtained your permission to collect, use, transmit, and store your financial information with Envestnet | Yodlee. This information often includes data such as credentials, account numbers, portfolio holdings, credit card data, transactions, and balances.
Envestnet | Yodlee reserves the right to share aggregated information with third parties in which case personal information about you will never be disclosed. This means that data utilized in Envestnet | Yodlee analytics and market research data sets are de-identified of individually identifiable information.
Envestnet | Yodlee reserves the right to disclose your personal information as required by law and when we believe that disclosure is necessary to protect our rights and/or comply with a judicial proceeding, court order, or legal process served on Yodlee.
Your provider of an Envestnet | Yodlee-powered service instructs us to access and provide the data they need, and that you’ve authorized, for their solution. Envestnet | Yodlee complies with these instructions to only access, store and provide that data.
Limiting Use, Disclosure, and Retention
In connection with your use of a Envestnet | Yodlee-powered services, Envestnet | Yodlee will collect and retain your personal information, both the information you provide directly and the information we obtain from third party sites, for as long as you are an active user of that Envestnet | Yodlee-powered service or until we instructions from our client. Should you decide to cancel your use of the Envestnet | Yodlee-powered service, we will discontinue the collection of information from third party sites on your behalf.
We reserve the right to retain the information collected up to the date of your cancellation of the Envestnet | Yodlee-powered service. This data will always be maintained under the same security and privacy controls that are in place for active users. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
The information we have about you is provided by our client or obtained from the third party sites from which you authorize us to collect your data. Therefore you must provide accurate information to these parties to enable us to operate on your behalf. To change this information and other personal information from third party providers, you will need to follow the procedures set forth by the thirdparty providers themselves.
At Envestnet | Yodlee, the security of your personal information is important to us.
We understand the need for our customers’ personal data to be completely secure and private, and we have designed and deployed (as a part of the Envestnet | Yodlee Services) a state-of-the-art system to protect our customer’s’ personal information. Envestnet | Yodlee maintains physical, electronic, and procedural safeguards that comply with federal standards to guard your personal information held by Envestnet | Yodlee relative to the Envestnet | Yodlee Services.
When you entrust your credentials to us, we encrypt that information using strong encryption and store them in our databases. The Envestnet | Yodlee databases are logically and physically protected at a secure, third party site and are monitored by security personnel twenty-four hours a day.
Transparency is not only a requirement of Canada’s privacy principles, it’s necessary to maintain the trust of our Clients and their Customers. Your provider of Envestnet | Yodlee-powered services has been provided with comprehensive documentation about our security, privacy, and compliance programs and conducts their own assessments to ensure we are meeting their, and your, expectations. We engage with regulators and industry to promote good practices for consumer protection and data security.
Individual Access When your provider enables your Envestnet | Yodlee-powered services, they register you using a generic user ID (GUID) that is only meaningful to them. For this reason, we cannot readily identify you in our database to provide you with direct access to the information we have about you. Therefore, please work with your service provider for any such requests and we will work them to provide you with this information. If that is not possible, please contact Envestnet |Yodlee Customer Care.
Envestnet | Yodlee has clear procedures in place to receive and respond to complaints or inquiries about our practices relating to the handling of your personal information. Please contact the provider of your Envestnet Yodlee-powered service or contact Envestnet | Yodlee Customer Care with any questions or concerns.
Yodlee adheres to applicable aspects of the Australian Privacy Principles in our role as a service provider to our clients.
Yodlee adheres to applicable aspects of the Protection of Personal Information regulation in our role as a service provider to our clients.
Yodlee adheres to applicable aspects of the The Privacy Act in our role as a service provider to our clients.