
How YPA Finance Keeps Your Money Data Safe — And How We Built It That Way

Most apps say your security is their priority. Here's what that actually means in practice — the architecture, the partners, the standards, and the decisions we made before we wrote a single line of product code.

Svetlana Burninova

CTO & Co-Founder

Security is one of those words that gets thrown around so much it stops meaning anything. Every finance app says they take it seriously. Almost none of them explain what that actually looks like under the hood.

So I'm going to do something different. I'm going to tell you exactly how we built the security infrastructure of YPA Finance — the encryption standards we use, the partners we chose and why, the things we never store, and where we are on our compliance journey. The specifics, not the talking points.

If you've already read my piece on connecting your bank account to a finance app, this goes one layer deeper.

Security wasn't added later. It was the starting point.

I've seen what happens when startups bolt security on after the fact. It shows up in their architecture, their data model, their incident response. You can tell.

When we designed YPA Finance, we made a decision early: we would not store anything we didn't absolutely need to. Not your bank credentials. Not your Social Security Number. Not your payment card numbers. If we don't hold the data, it can't be stolen from us. That's not a philosophy statement — it's an architectural constraint we built the entire product around.

That one decision ended up driving pretty much everything else — who we partnered with, how we structured our data model, what we agreed we'd never touch.

The encryption layer: AES-256 and TLS 1.3

Every byte of your financial data in YPA Finance is encrypted with AES-256 at rest. In transit, we use TLS 1.3 — the same standard used by major U.S. financial institutions.

AES-256 means that even if someone somehow extracted raw data from our servers, they'd have an encrypted blob that would take longer to brute-force than the age of the universe. TLS 1.3 means that data moving between your phone and our servers can't be intercepted in a readable form.

I want to be specific here because this is exactly the kind of detail most apps leave vague. These are not marketing claims — they're standards you either meet or you don't. We meet them.

The partners we chose — and why we chose them

I've written separately about how bank connections actually work, so I won't repeat the full explanation here. The short version: we use Plaid for bank connections, Equifax via Array for credit data, and Stripe for payments. In each case, the choice came down to one thing — we didn't want to handle data we had no business handling.

We never see your bank password. We never see your card number. We never see or store your Social Security Number or ITIN. Each of those goes through a regulated, purpose-built provider that is specifically designed to handle it safely.

The engineering decision behind that isn't just "use good partners." It's that our data model was deliberately constrained — we architected around what we would never hold, not just around what we would. That constraint then determined which partners we could even use. Plaid's OAuth model, Array's identity verification flow, Stripe's payment processing — all of them are compatible with a system that refuses to be in the loop for sensitive credentials.
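One way to enforce a "never hold it" constraint at the persistence boundary, as an added example that is not YPA Finance's code: a guard that walks a record before it is stored and refuses anything named or shaped like a credential, SSN/ITIN, or card number. The field names, patterns, function names and sample records are all assumptions made for illustration.

```python
import re

# Hypothetical never-store field names (assumption, not YPA Finance's schema).
FORBIDDEN_KEYS = {"password", "bank_password", "ssn", "itin", "card_number", "cvv"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # SSN and ITIN share this shape
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")     # 13-19 digits, optional separators

# Constructed sample records (4111 1111 1111 1111 is a widely used Visa test number).
CLEAN = {"user_id": "u_123", "accounts": [{"name": "Checking", "balance": "1520.33"}]}
DIRTY = {"user_id": "u_123", "notes": ["card 4111 1111 1111 1111"], "profile": {"ssn": "x"}}

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_violations(record, path=""):
    """Walk nested dicts/lists and list (path, reason) for data that must not be stored."""
    violations = []
    if isinstance(record, dict):
        for key, value in record.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).lower() in FORBIDDEN_KEYS:
                violations.append((here, "forbidden field name"))
            else:
                violations.extend(find_violations(value, here))
    elif isinstance(record, list):
        for i, item in enumerate(record):
            violations.extend(find_violations(item, f"{path}[{i}]"))
    else:
        text = str(record)  # also catches numbers stored as int rather than str
        if SSN_RE.search(text):
            violations.append((path, "SSN/ITIN-shaped value"))
        for m in PAN_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                violations.append((path, "Luhn-valid card number"))
    return violations

def persist(record, store):
    """Append the record to `store` only if it holds nothing from the never-store list."""
    violations = find_violations(record)
    if violations:
        raise ValueError(f"refusing to persist: {violations}")
    store.append(record)
    return record
```

The Luhn check keeps long numeric identifiers that are not card numbers from tripping the guard; the same function can run in CI against fixtures and log samples to catch a regression before it reaches storage.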

The infrastructure: Google Cloud, hardened from day one

YPA Finance runs on Google Cloud Platform. Our infrastructure is managed with Terraform — meaning every change to our systems is version-controlled, auditable, and reviewed before it goes anywhere near production.

We use a Web Application Firewall for API protection, with rate limiting to block brute-force and scanning attempts. Real-time monitoring means that if something unusual happens, we know before you do.

Every request to our systems — whether it comes from a user or from an internal service — has to be authenticated and authorized. Nothing inside the system is assumed to be trusted by default.

SOC 2: where we are and where we're going

I want to be honest about this, because I've seen other companies imply they're SOC 2 certified when they're not.

We are not yet SOC 2 Type II certified. We are working toward it. Our controls are designed and implemented to SOC 2 standards — role-based access controls, comprehensive audit logging, regular penetration testing, third-party security reviews.

Why mention it at all if it's not done? Because I think you deserve to know where we actually stand, not where we'd like you to think we stand. The controls are real. The certification process takes time. We're in it.

The five things we will never do

  • We will never store your bank login credentials. Plaid handles authentication directly. We never see your password.
  • We will never see or store your Social Security Number or ITIN. That goes through Equifax via Array. We are never in the loop.
  • We will never move money from your accounts. Our access is strictly read-only. There is no technical path for us to initiate a transfer.
  • We will never sell your financial data. Not to advertisers, not to data brokers, not to anyone. Our revenue comes from employer and institutional partnerships — not from monetizing your personal information.
  • We will never share your data without your explicit consent. If we're ever compelled by law to disclose something, we'll tell you — unless we're legally prohibited, in which case we'll fight it.
What to do right now

If you're already using YPA Finance: you can review what data you've shared at any time in the app. You can disconnect your bank account in two taps. You can email us at security@ypa.finance with any specific question about your data, and a human will respond.

If you're considering YPA Finance: read our Security page before you connect anything. Apply the same checklist to every finance app you use. Any app worth trusting should be able to answer every question on that page.

Trust in fintech isn't built on promises. It's built on decisions that are either true or not — made before anyone was watching, because the alternative isn't acceptable. That's what we tried to build.

---

Svetlana Burninova is Co-Founder and CTO of YPA Finance, with 15 years in financial systems and 7 years in infrastructure. She holds AWS, CKA, CKAD, and HashiCorp Terraform certifications. Questions about our security practices? Reach her at security@ypa.finance.