Envestnet | Yodlee’s commitment to its clients and to consumers
Envestnet | Yodlee adheres to leading industry practices for data security, regulatory compliance, and privacy. Importantly, Envestnet | Yodlee does not sell data that identifies consumers.
Envestnet | Yodlee’s data aggregation platform enables financial institutions, registered investment advisors, and fintechs to help consumers achieve better financial outcomes through their innovative products and services. Our data aggregation platform is used primarily to support financial service providers and their various products and services, which enable consumers to experience benefits like garnering better financial visibility, better investment returns, and the resultant improvements to their overall financial wellness. Envestnet | Yodlee requires all aggregation clients to comply with applicable and relevant laws and regulations.
Additionally, Envestnet | Yodlee supports de-identified data analytics and insights for institutional investors and investment research providers so they can better manage investments on behalf of their customers. The de-identified transaction data used to support their analytics and insights is based on diverse and dynamic sets of data from the Envestnet | Yodlee data aggregation platform.
Envestnet | Yodlee provides our services to our clients under contracts that impose robust obligations for security, privacy, compliance, and risk management. In addition, clients have the right to receive our independent audits and assessments, as well as conduct their own assessments of the security and operations of the Envestnet | Yodlee Platform. We welcome this level of scrutiny as it makes us better.
We understand that our clients and consumers may have questions about Envestnet | Yodlee and how we process consumer information to help our clients provide services to help consumers. We are committed to processing consumer information as described below.
Envestnet | Yodlee Is Consumer Driven
Envestnet | Yodlee is a technology services provider to our business clients. Our clients act at the direction of consumers to collect, use, transmit, and store the consumers’ financial information with Envestnet | Yodlee. It is therefore our clients’ terms of service and privacy representations that define their legal relationship with consumers and form the basis of the instructions they give us to operate on consumers’ behalf.
Envestnet | Yodlee Protects Consumer Data
Envestnet | Yodlee has comprehensive programs for security, privacy, risk, and compliance. These programs adhere to relevant financial industry standards and are overseen by an independent, dedicated team of security and risk practitioners. Envestnet | Yodlee uses commercially available security products and technologies, including hardware and software data encryption, as part of our multi-layer defense in-depth security architecture, as well as continuous monitoring by our 24×7 Security Operations Center to protect consumers’ confidential information.
We regularly engage independent third-party security auditors to assess and test the Envestnet | Yodlee security architecture and our programs. Most of Envestnet | Yodlee’s financial institution clients also conduct their own comprehensive audits. Envestnet | Yodlee is examined by the U.S. Federal Banking Agencies, per the Bank Service Company Act, for the services provided to U.S. financial institutions. That same Financial Data Platform is leveraged for all Envestnet | Yodlee-connected services, so consumers benefit from the full breadth and rigor of Envestnet | Yodlee’s risk management programs. In addition, Envestnet | Yodlee has undergone nearly 200 audits by financial institutions in the most recent 24-month period.
Envestnet | Yodlee Protects Consumer Identity
Protecting the personal information of consumers who use Envestnet | Yodlee-connected products and services is a top priority. Envestnet | Yodlee employs reasonable data de-identification practices to protect the identity of consumers. This means that Envestnet | Yodlee removes all known direct and indirect personal identifiers from its analytics and market research data sets. Envestnet | Yodlee’s de-identification process for these data sets is reviewed through internal audits and is reviewed by leading third party security and privacy experts.
Envestnet | Yodlee Designs Its Services To Comply with Regulations and Standards
As a global organization engaged in the financial services market, the Envestnet | Yodlee security program is aligned with and assessed against applicable international standards, such as the ISO27002 Information Security Management Standard and the PCI-DSS Payment Card Security Standard, as well as the relevant prudential banking, consumer protection and privacy regulations of the regions in which we operate. Envestnet | Yodlee provides the results of these assessments to its clients to assure that Envestnet | Yodlee is meeting their expectations, so that they can meet consumers’ expectations. In addition to these global standards, our security and privacy programs follow internationally recognized principles and are aligned with the following:
Envestnet | Yodlee adheres to the FFIEC IT Examination guidelines as applicable to a Technology Services Provider to US chartered financial institutions. We support and endorse principles for consumer-permissioned aggregation published by the Consumer Financial Protection Board and the Center for Financial Services Innovation. Envestnet | Yodlee also adheres to NACHA requirements for our payment services.
Envestnet | Yodlee is a data processor to our clients, who are data controllers under the General Data Protection Regulation (GDPR). Envestnet | Yodlee has implemented technical and organizational safeguards to ensure that the personal data of consumers are protected and that, through the data controller, consumers have all necessary rights over their data.
As a data processor, we support our clients by powering their solutions and protecting their customers following GDPR’s tenets:
Consumers should know what data is collected, with whom it is shared, where it’s stored and for how long. Using Envestnet | Yodlee’s APIs, our clients manage this data collection and storage throughout their customer journey. We also provide our clients with transparent access to the information they need to communicate with consumers about Envestnet | Yodlee’s processing.
Access & Portability
Using our Services, clients can allow their customers to access and download their data consistent with applicable law.
Warnings and Breach Notifications
Our contract with our clients requires that we notify them of a data breach or any unauthorized access to their customers’ data. We have robust security incident detection and management programs that meet rigorous financial industry standards.
We do not market to our clients’ customers.
If Envestnet | Yodlee’s Services are used for processing applications for loans or making other decisions or advice, we have additional safeguards and governance controls to support compliance requirements.
Envestnet | Yodlee maintains bank-grade security safeguards for our Platform to protect consumers’ data from external and internal threats.
For EU Clients who deploy in Envestnet | Yodlee’s US data centres, we are Privacy Shield certified and these clients may request Controller-to-Processor Standard Contract Clauses.
Right to be Forgotten
Consumers’ information may be updated or deleted using Envestnet | Yodlee’s APIs from within the application or as separate administrative functions. With the client as the data controller, consumers’ personal data is fully under the client’s control.
Protecting the personal information of Canadian consumers who use Envestnet | Yodlee products and services provided by their financial institutions and other entities is a top priority at Yodlee. We understand the importance of protecting the personal information of Canadian consumers and we work with our clients to ensure we handle personal information in a responsible and transparent manner. To gain and maintain consumers’ trust and confidence, we embrace the ten Fair Information Principles attached to the Personal Information Protection and Electronic Documents Act (PIPEDA).
Should consumers have any inquiries regarding the safeguarding and protection of personal information, consumers should contact the provider of the Envestnet | Yodlee-connected service or Envestnet | Yodlee Customer Care.
Identifying the purposes for collecting, using and sharing personal information
In order to use Envestnet | Yodlee-connected services, a consumer must link the financial accounts whose data the consumer wishes to provide to the service provider. We will collect the consumer’s usernames and password in order to access these accounts on the consumer’s behalf and provide the data to the service provider. We will use a consumer’s credentials and the data we retrieve on the consumer’s behalf to provide our services to the service provider. As with most online businesses, Envestnet | Yodlee logs information about consumers’ access and use of the Envestnet | Yodlee Platform.
Organizations using the Envestnet | Yodlee Financial Data Platform are required to have obtained a consumer’s permission to collect, use, transmit, and store the consumer’s financial information with Envestnet | Yodlee. This information often includes data such as credentials, account numbers, portfolio holdings, credit card data, transactions, and balances.
Envestnet | Yodlee reserves the right to share aggregated or de-identified information with third parties in. This means that data utilized in Envestnet | Yodlee analytics and market research data sets are de-identified of individually identifiable information.
Each provider of an Envestnet | Yodlee-connected service instructs us to access and provide the data they need, and that consumers have authorized, for their solution. Envestnet | Yodlee complies with these instructions to only access, store and provide that data.
Limiting Use, Disclosure, and Retention
In connection with a consumer’s use of an Envestnet | Yodlee-connected service, Envestnet | Yodlee will collect and retain the consumer’s personal information, both the information provided directly and the information we obtain from third party sites, for as long as the consumer is an active user of that Envestnet | Yodlee-connected service or until we receive instructions from our client. Should a consumer decide to cancel the use of the Envestnet | Yodlee-connected service, we will discontinue the collection of information from third party sites on the consumer’s behalf.
We reserve the right to retain the information collected up to the date of cancellation of the Envestnet | Yodlee-connected service. This data will always be maintained under the same security and privacy controls that are in place for active users. We will retain and use consumer information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
The information we have about consumers is provided by our clients or obtained from the third party sites from which consumers authorize us to collect their data. Therefore consumers must provide accurate information to these parties to enable us to operate on their behalf. To change this information and other personal information from third party providers, consumers will need to follow the procedures set forth by the third-party providers themselves.
At Envestnet | Yodlee, the security of your personal information is important to us.
We understand the need for our customers’ personal data to be completely secure and private, and we have designed and deployed (as a part of the Envestnet | Yodlee Services) a state-of-the-art system to protect our customers’ personal information. Envestnet | Yodlee maintains physical, electronic, and procedural safeguards that comply with federal standards to guard your personal information held by Envestnet | Yodlee relative to the Envestnet | Yodlee Services.
When you entrust your credentials to us, we encrypt that information using strong encryption and store it in our databases. The Envestnet | Yodlee databases are logically and physically protected at a secure, third party site and are monitored by security personnel twenty-four hours a day.
Transparency is not only a requirement of Canada’s privacy principles, it’s necessary to maintain the trust of our clients and for our clients to maintain the trust of their customers. Each provider of Envestnet | Yodlee-connected services has been provided with comprehensive documentation about our security, privacy, and compliance programs and conducts their own assessments to ensure we are meeting their, and consumers’, expectations. We engage with regulators and industry to promote good practices for consumer protection and data security.
When a service provider enables a consumer’s Envestnet | Yodlee-connected services, they register the consumer using a generic user ID (GUID) that is only meaningful to them. For this reason, we cannot readily identify a consumer in our database to provide the consumer with direct access to the information we have about them. Therefore, each consumer should work with their service provider for any such requests and we will work with the service provider to provide this information. If that is not possible, consumers should contact Envestnet | Yodlee Customer Care.
Envestnet | Yodlee has clear procedures in place to receive and respond to complaints or inquiries about our practices relating to the handling of personal information. Consumers should contact their provider of Envestnet | Yodlee-connected services or contact Envestnet | Yodlee Customer Care with any questions or concerns.
Envestnet | Yodlee adheres to applicable aspects of the Australian Privacy Principles in our role as a service provider to our clients.
Envestnet | Yodlee adheres to applicable aspects of the Protection of Personal Information regulation in our role as a service provider to our clients.
Envestnet | Yodlee adheres to applicable aspects of The Privacy Act in our role as a service provider to our clients.