Security Overview

We truly understand that Kubera is storing your sensitive data and protecting it is our highest priority.

These are answers to some of the questions you may have in mind right now.
If you have more questions, just email us at hello@kubera.com. We are happy to answer them.

Kubera DOES NOT have your banking or crypto account credentials.

Kubera uses third-party financial account aggregator services (Plaid, Mastercard, Yodlee, SnapTrade, Lean, Akahu and Salt Edge) to connect to your bank and brokerage accounts. Your banking credentials are sent directly from your browser to the respective service. Kubera servers will never see your credentials. Mastercard, Plaid, Yodlee, SnapTrade, Lean, Akahu and Salt Edge provide a read-only interface to Kubera; therefore Kubera cannot make any transactions on your behalf.

For crypto exchanges and wallets, your account credentials are entered directly on the respective service's official OAuth pages. For connections that require an API key and secret key/passphrase, or a combination of these, Kubera requires only read-only permissions. For certain wallets like Bitcoin, Ethereum, Ripple, Doge, etc., we only need the blockchain address.

Is my data encrypted?

The data in Kubera is encrypted at-rest and in-transit.
It’s NOT end-to-end encrypted.

Long answer: 

When you think of online security the first thing that comes to your mind is encryption. You may have also heard of ‘end-to-end encryption’ as the gold standard for security. 

What is end-to-end encryption? 
End-to-end encryption makes the data unreadable even to the very service or app you used to create it, because the app simply doesn't hold the keys to decrypt it. It’s only readable by the user who holds the key to decrypt it and no one else.

Your data in Kubera is NOT end-to-end encrypted, because that would not allow Kubera to deliver several fundamental features of the service, e.g., background syncing, safe transfer of your data to your beneficiary as simple Excel and Zip files, and many more. Even though we can’t do end-to-end encryption, your data in Kubera is indeed encrypted at-rest and in-transit.

What are at-rest and in-transit encryption?
At-rest encryption: All our databases and file storage on Amazon (AWS) servers have their content encrypted while sitting idle and when they’re backed up. This protects against unauthorized copying, transfer or retrieval of user data from our servers. Even if someone was somehow able to get hold of a backup of the database, it’d be useless, because they wouldn’t have the key to decrypt it.

In-transit: Kubera requires HTTPS on all pages for your data in transit from our servers to your browser, and uses HSTS to ensure browsers only ever connect to us over a secure connection.

What happens if Kubera servers are breached?

First of all, we don't store any of your banking credentials (See the answer to the question: Does Kubera have access to my online bank and crypto account?). If Kubera servers were to be breached, your banking credentials are totally safe.

Secondly, all your data in Kubera is encrypted at rest on Amazon servers. So, even if someone hacks in and gets hold of a backup of the database, it’d be useless, because they wouldn’t have the key to decrypt it.

Kubera uses HTTPS on all pages, and HSTS to ensure browsers only ever connect to us over a secure connection. So, someone hacking into your data in transit is less likely.

Can Kubera employees see my data?

TL;DR: Our support team can see some user data required for debugging and customer support. Our CTO has the decryption keys to access the user data during routine maintenance, debugging, and servicing of the system. Their access is logged and requires approval by our compliance team.

Long Answer:

Our internal tools mask all personally identifiable information that our support staff sees. Technically, the database administrators have access to the encryption keys; however, our employment agreements make it legally binding for any such employee with access to the keys to not decrypt or unmask user data. Additionally, we have a strict two-factor authentication (2FA) system in place to prevent hacking of admin accounts.

However, it is important to acknowledge that ultimately, someone at Kubera could access your personal data, but only under specific circumstances. Data is unmasked strictly on a need-to-know basis. Only the people who need access to improve or operate the system can unmask and access data. When they do perform routine maintenance, debugging, or servicing of the system, they're required to provide a valid reason and obtain approval for the specific access session. We maintain an audit trail for all data access sessions and review them periodically. We conduct background checks for all employees who have access to sensitive data. If an employee ever wrongly accesses customer data through this system, they will be caught and will face penalties ranging from termination to prosecution.

Use Kubera safely. Don't store highly sensitive information.

Just to be on the safer side, you should not store any information in Kubera that would be highly risky if it fell into the wrong hands. Please don’t store any passwords, credit card numbers or crypto wallet private keys in Kubera in order to transfer them to the beneficiary. You should store only enough information or documents to help you track your wealth and for your legal heir to know and claim your property.

If your data-sharing needs require end-to-end encryption, don’t use Kubera. We highly recommend that you look at password managers like 1Password.

Enable Two-Factor Authentication

The simplest and quickest way to sign up to Kubera is by using your Google ID. If you already have two-factor authentication (2FA) set up for your Google account, you are all set.

If you have signed up by creating a Kubera username and password, it's recommended that you enable 2FA for your account. Go to Settings > Security > Two-Factor Authentication to set it up.

2FA adds an extra layer of security for your Kubera account. Instead of only entering a password to log in, you’ll also enter a verification code (OTP). You can use a TOTP authenticator app like Microsoft Authenticator, Google Authenticator or Authy to get your OTP. So, even if someone steals your password, they won't be able to access your account unless they also get hold of your phone and enter the OTP.

Does Kubera sell my data?

Kubera NEVER sells your data.

By design, our business model is “privacy-friendly”. We make money by charging you a subscription. So, we don’t have any business motivation to sell your data to 3rd parties or for advertising. We totally understand that we are storing your sensitive data and protecting it is our highest priority.

In some specific instances when data is shared with 3rd parties (mostly for analytics), Kubera makes sure they don’t sell it either.

If I delete my data - is it really deleted or can it be restored from backup?

When you delete your account, we delete all your data from our primary database immediately and notify our aggregators to stop connecting your account and delete everything from their end.

We keep rotating backups for 30 days. Your data will be removed from the backup in the next backup purge cycle.

We’re conducting external security audits

We’re engaging with external security firms to review our application security. We are committing to work with renowned security experts to audit our internal and external security practices on a regular basis. 

If you believe you've found a security issue in our product or service, we encourage you to let us know at hello@kubera.com. Here's our Vulnerability Disclosure Program.