Data Security at Coconut

A deep dive into our security practices here at Coconut.

Updated over a week ago

At Coconut the security of our customers’ personal data is a top priority for our team and for our banking partner. We strive to take a secure by design approach so that security thinking is at the heart of everything we do.

We are happy to provide detailed information on our security measures so that customers feel well informed and confident in Coconut’s approach to security. If you have questions, comments or suggestions about security we’d love to hear from you at [email protected].

Infrastructure security

  • Cloud native: Like many modern services we are cloud native. This means that we do not rely on or manage physical servers on our premises but instead use cloud computing services provided by the leading cloud infrastructure vendor – Amazon Web Services (AWS) to run our service. This frees us from a great deal of operational overhead that allows us to focus on building features and services for our customers. For those interested in AWS security, we encourage you to find out more.

  • Strong security standards: Our servers only support the latest, most secure security standards and disable those that are old or vulnerable to attack

  • Authorised access: We only allow access to parts of our platform from known internet addresses and identity providers thereby reducing our attack surface significantly

  • Smart intrusion detection: We leverage AWS’ advanced intrusion detection service to monitor unauthorised attempts to access our infrastructure

  • Anti DDoS: we use CloudFlare to help defend our platform against distributed denial of service (DDos) attacks

App security

The Coconut app features a number of security measures:

  • 3-factor login: login requires 3 pieces of information; mobile number, a private code a follow up one-time code sent via an SMS – this means login requires something you have as well as something you know making login harder to attack

  • Time-limited login: a login provides access for a time limited period that we hope is not disruptive, but we do require login from time to time which helps as a backstop to ensure the app is being used by the customer

  • Anti-brute force login: it is not possible for an attacker to continually try to login; doing so will lock the attacker out

  • SSL pinning: we ensure that our app only communicates with our servers preventing so-called “man in the middle” attacks, such as which may be possible if your phone connects to an untrusted WiFi network

  • Database encryption: data within the app is stored in an encrypted database

  • Device restriction: customers may login to multiple devices but only by authorising them through proof of identity

Data security

  • Data encryption: we take every opportunity to encrypt your data, whether that be within our cloud database (also using rotating encryption keys), within the app database or when data is exchanged over the internet between the App and our servers

  • Password hashing: we use bcrypt to hash passwords securely meaning they are never stored in plain text form in our database

Other things to know

  • Security testing: We regularly engage 3rd party security companies to conduct  security testing on our platform to help us stay ahead of the latest thinking in security

  • Data backups: We regularly backup customer data allowing us to restore our service in the event of any system failure

  • GDPR: Coconut comply with the General Data Protection Regulation 2018 which governs how we collect and process your personal data. More information be found in our Privacy Policy

Did this answer your question?