These are answers to some of the questions you may have in mind right now.
If you have more questions, just email us at firstname.lastname@example.org. We are happy to answer them.
No. Kubera DOES NOT have your banking credentials.
Kubera CANNOT move your money.
Kubera uses third-party financial account aggregator services - Plaid and Yodlee - to connect to your accounts. Your banking credentials are sent directly from your browser to the respective service. Kubera servers will never see your credentials.
Plaid and Yodlee adhere to industry leading practices for data security, regulatory compliance, and privacy.
Plaid’s services help thousands of applications and services provide beautiful customer experiences in the FinTech industry, including industry giants like Venmo, American Express, Betterment, Coinbase and more. In Jan 2020, Visa announced that it had signed a definitive agreement to acquire Plaid. Plaid regularly undergoes both internal and external network penetration tests, and third-party code reviews. Find out more here: https://plaid.com/security/.
15 of the 20 top US banks use Yodlee data aggregation and data analytics services. Yodlee is a publicly traded company and has undergone 200 audits by financial institutions in the past 24 months. Find out more here: https://www.yodlee.com/company/secure-data.
Yodlee and Plaid provide a read-only interface to Kubera; therefore Kubera cannot make any transactions on your behalf.
The data in Kubera is encrypted at-rest and in-transit.
It’s NOT end-to-end encrypted.
When you think of online security the first thing that comes to your mind is encryption. You may have also heard of ‘end-to-end encryption’ as the gold standard for security.
What is end-to-end encryption?
End-to-end encryption makes the data unreadable even to the very service or app you used to create it, because the app simply doesn't hold the keys to decrypt it. It’s only readable by the user who holds the key to decrypt it and no one else.
Your data in Kubera is NOT end-to-end encrypted, because that would prevent Kubera from delivering on one of the fundamental promises of the service - ensuring safe transfer of your data to your beneficiary as simple Excel and Zip files. Even though we can’t do end-to-end, your data in Kubera is indeed encrypted at-rest and in-transit.
What are at-rest and in-transit encryption?
At-rest encryption: All our databases and file storage on Amazon (AWS) servers have their content encrypted while sitting idle and when they’re backed up. This protects against unauthorized copying, transfer or retrieval of user data from our servers. Even if someone was somehow able to get hold of a backup of the database, it’d be useless, because they wouldn’t have the key to decrypt it.
In-transit: Kubera requires HTTPS on all pages, so your data is encrypted while in transit between our servers and your browser, and uses HSTS to ensure browsers only ever connect to us over a secure connection.
First of all, we don't store any of your banking credentials (See the answer to the question: Does Kubera have access to my online bank account?). If Kubera servers were to be breached, your banking credentials are totally safe.
Secondly, all your data in Kubera is encrypted at rest on Amazon servers. So, even if someone hacks in and gets hold of a backup of the database, it’d be useless, because they wouldn’t have the key to decrypt it.
Kubera uses HTTPS on all pages, and HSTS to ensure browsers only ever connect to us over a secure connection. So, someone hacking into your data in transit is less likely.
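How a browser applies the HSTS policy mentioned in the in-transit answers above, as an added example (not Kubera's code): it parses a `Strict-Transport-Security` value following RFC 6797 and decides whether a plain-HTTP request would be upgraded to HTTPS. The header values and `example.test` hostnames used with it are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int              # seconds the browser remembers the policy
    include_subdomains: bool  # policy also covers every subdomain


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None means the browser ignores it."""
    max_age = None
    include_sub = False
    seen = set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None       # RFC 6797: a repeated directive invalidates the header
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None           # max-age is the one mandatory directive
    return HstsPolicy(max_age, include_sub)


def must_upgrade(host: str, policy_host: str, policy: Optional[HstsPolicy],
                 noted_at: int, now: int) -> bool:
    """Would a request to http://host be rewritten to https:// before it is sent?"""
    if policy is None or policy.max_age == 0:
        return False          # no policy, or max-age=0 which deletes a stored one
    if now >= noted_at + policy.max_age:
        return False          # policy expired; a plain-HTTP request is possible again
    host = host.lower().rstrip(".")
    policy_host = policy_host.lower().rstrip(".")
    if host == policy_host:
        return True
    return policy.include_subdomains and host.endswith("." + policy_host)
```

The expiry and subdomain branches are the cases worth checking on a real deployment: a short `max-age` or a missing `includeSubDomains` leaves a window in which a browser may still connect over plain HTTP.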
The answer is yes and no.
Yes - technically the database administrators have access to the encryption keys, as there is no end-to-end encryption.
No - Our internal tools mask all personally identifiable information that our operations staff sees.
It still means that ultimately someone at Kubera could access your personal data. Data is unmasked strictly on a need-to-know basis. Only the people who need access to improve or operate the system can unmask and access data. And when they do their routine maintenance, debugging, or servicing of the system, they’re required to state the valid consent or justification for the specific access session. We maintain an audit trail for all data access sessions and review them periodically. We do background checks for all employees who have access to sensitive data. If an employee ever wrongly accesses customer data through this system, they will be caught, and will face penalties ranging from termination to prosecution.
Most importantly, our business is not dependent on humans peeking at your data and offering to "manage" your wealth.
But just to be on the safer side, you should not store any information that would be highly risky if it fell into the wrong hands. Please don’t store any passwords, credit card numbers, or crypto wallet private keys in Kubera in order to transfer them to the beneficiary. It’s not safe. You should store only enough information or documents that would help you and your legal heir to know about them and claim your property.
If your data sharing needs require end-to-end encryption, don’t use Kubera. We highly recommend that you look at Password Managers like LastPass and 1Password. But they come with their own complexities. E.g. the people you want to share the information with should be savvy enough to also be using the same password manager app.
Kubera NEVER sells your data.
Kubera is funded solely by your subscription fee.
In some specific instances when data is shared with 3rd parties (mostly for analytics), Kubera makes sure they don’t sell it either.
When you delete your account, we delete all your data from our primary database immediately and notify our aggregators to stop connecting your account and delete everything from their end.
We keep rotating backups for 30 days. Your data will be removed from the backup in the next backup purge cycle.
We’re engaging with external security firms to review our application security. We are committing to work with renowned security experts to audit our internal and external security practices on a regular basis.
If you believe you've found a security issue in our product or service, we encourage you to let us know at email@example.com. Here's our Vulnerability Disclosure Program.
The simplest, quickest and safest way to sign up to Kubera is by using your Google ID. If you already have two-factor authentication (2FA) set for your Google account, you are all set.
If you have signed up by creating a new Kubera username and password, currently you won't be able to enable 2FA. We are working on it.
Two-factor authentication adds an extra layer of security for your Kubera account - instead of only entering a password to log in, you’ll also enter a code (OTP) that you typically receive on your phone. You can also use a TOTP authenticator app like Microsoft Authenticator, Google Authenticator, or Authy to get your OTP. So, even if someone steals your password, they won't be able to access your account unless they also get hold of your phone and enter the OTP.