Mazi Bahadori is the CCO and EVP of Operations at Altruist. He is a seasoned veteran in financial technology, having previously served as the CCO and Director of Operations for Aspiration. Prior to this, he worked for PIMCO as VP of Legal & Compliance, Morgan Stanley as a financial advisor, and Goldman Sachs as a government affairs associate.
At Altruist, we take extensive precautions to secure client information. This article explains the data, infrastructure, and employee-focused safeguards we use to protect tens of thousands of clients against bad actors.
Keeping personal information and passwords safe
We encrypt all Personal Identifiable Information (i.e. anything someone could use to identify an individual) with Advanced Encryption Standard 256. Encryption is the process of encoding information or data in such a way that only authorized parties can access and understand it, ensuring confidentiality and security. AES 256 is the standard for highly regulated industries because it is virtually uncrackable without the decryption key.
Every Altruist application is encrypted separately and has a unique decryption key managed by one of the leading third-party enterprise infrastructure security solutions. This method ensures that no employee has direct access to decryption keys and that connecting data across applications requires multiple levels of authorization.
When decryption is required, it’s documented with an audit trail that captures exactly who is doing what, and when.
Unlike Personal Identifiable Information, which can be decrypted with a key, passwords are hashed. A hash is a one-way security function that cannot be reversed, making it impossible for anyone — hackers or employees — to expose client passwords. Password hashing is an area where Altruist exceeds industry standards.
Securing infrastructure from top to bottom
For data storage, we partner with cloud provider Amazon Web Services (AWS). All data stored with AWS (data “at rest”) is encrypted with AES 256. When we call data with our applications and APIs (data “in motion”), we also utilize AES 256 encryption to ensure its protection during transfer.
To protect our web application, one of the critical interfaces for data manipulation and temporary data storage, we employ a Web Application Firewall. This firewall acts as a filter for all requests, flagging suspicious activity (for example, someone attempting to log in more than 3 times per second). We don’t process any actions unless they successfully pass through the firewall.
Minimizing employee vulnerabilities
Cybercriminals use employee-directed attacks like phishing to evade technical defenses by exploiting human error. To mitigate these risks, Altruist uses Mobile Device Management software to remotely lock and control employee machines in the event of a takeover. Employee devices are further secured with robust anti-virus and anti-malware software, and employees regularly complete mandatory security training to help identify and report these threats.
Regular audits from third-party authorities
We are SOC-2 compliant. SOC-2 compliance is a voluntary compliance standard for companies handling sensitive customer information. The standard requires evaluation across security, availability, processing integrity, confidentiality, and privacy. We maintain our SOC-2 compliance status through regular audits from the leading independent third-party auditor, Schellman (trusted by publicly traded companies like Box, VMware, and Avaya).
Our security philosophy
Making financial advice better, more affordable, and accessible to everyone starts with robust security. It is the bedrock of our services. And while it’s impossible to eliminate bad actors, our team of experts helps Altruist stay ahead of evolving attacks with constant stress testing and a vigilant approach to client data protection.
The systems we use to shield against data, infrastructure, and employee-directed threats, alongside our successful history of independent audits, give confidence and peace of mind to advisors and clients alike.
