Plaid Security Explained

Understanding how Plaid securely connects Balance to your bank accounts.

Balance uses Plaid to connect to your bank accounts. This guide explains what Plaid is, how it works, and why it’s secure.

What is Plaid?

Plaid is a financial technology company that provides secure connections between apps like Balance and your bank accounts.

Key Facts

  • Industry Leader - Powers over 8,000 financial apps
  • Trusted by Millions - Used by Venmo, Robinhood, Betterment, Acorns, and more
  • Bank-Level Security - Same encryption standards as banks
  • Read-Only Access - Cannot move money or modify accounts
  • Regulated - Subject to financial industry regulations

Think of Plaid as: A secure bridge between Balance and your bank that lets us see your transactions without ever accessing your banking password.

How Plaid Works

The Connection Process

  1. You click “Connect Bank” in Balance
  2. Redirected to Plaid - Opens Plaid’s secure interface
  3. Search for your bank - Find your financial institution
  4. Enter credentials - On your bank’s actual login page
  5. Bank authenticates - Verifies your identity
  6. Grant permission - Approve Balance to view transactions
  7. Secure token created - Plaid creates a read-only access token
  8. Connection established - Balance can now fetch your transactions

Important: You’re logging into your actual bank, not a copy or simulation.

Behind the Scenes

Once connected, here’s what happens:

Secure token:

  • Plaid creates an encrypted access token
  • Token allows read-only access to specified data
  • Token is specific to Balance and cannot be used elsewhere
  • Token can be revoked anytime

Data flow:

  1. Plaid requests transaction data from your bank
  2. Bank provides data through secure API
  3. Plaid processes and standardizes the data
  4. Balance receives only transaction information
  5. You see your transactions in Balance

What Plaid Can Access

Read-Only Access

Plaid and Balance can ONLY:

  • View transactions - See purchase history
  • Check balances - See account balances
  • Read account names - Get account details
  • See account types - Checking, savings, credit, etc.
  • View pending transactions - On some banks
  • Access routing numbers - Public information

What Plaid CANNOT Do

Plaid and Balance CANNOT:

  • Transfer money - Cannot move funds
  • Pay bills - Cannot initiate payments
  • Change passwords - Cannot modify login credentials
  • Update account info - Cannot change bank settings
  • Close accounts - Cannot modify account status
  • Access other features - Cannot use other bank functions
  • See credit card numbers - Only masked/partial numbers
  • View your PIN - Never have access to PINs

This is READ-ONLY access - like a view-only mode that cannot make any changes.

Plaid’s Security Measures

Encryption

Data in transit:

  • TLS 1.2+ - Latest transport security
  • 256-bit encryption - Bank-level encryption
  • Certificate pinning - Prevents interception
  • Encrypted connections - All data transfer encrypted

Data at rest:

  • AES-256 encryption - Military-grade encryption
  • Encrypted storage - All stored data encrypted
  • Secure key management - Encryption keys protected separately

Infrastructure Security

Hosting:

  • AWS cloud - Amazon Web Services
  • SOC 2 Type II certified - Security audited
  • Multiple availability zones - Redundant systems
  • 24/7 monitoring - Always watching for threats

Access control:

  • Role-based permissions - Staff have minimal necessary access
  • Multi-factor authentication - Required for internal access
  • Audit logs - All access tracked
  • Background checks - For employees with data access

Authentication

Bank login:

  • Bank’s actual site - You log in through bank’s real system
  • Credential storage - Encrypted with bank-specific keys
  • Tokenization - Banking credentials converted to secure tokens
  • Regular rotation - Tokens refreshed periodically

Multi-factor authentication:

  • Supported - Works with bank MFA
  • SMS codes - Handles verification codes
  • Security questions - Supports additional verification
  • Push notifications - Works with bank app approvals

Privacy Protections

Your Banking Password

Balance never sees your password:

  • You enter it on Plaid’s interface
  • Plaid securely stores it (encrypted)
  • Balance only gets an access token
  • Your password stays with Plaid

Why this matters:

  • If Balance gets hacked, your bank password is safe
  • Balance employees cannot see your bank password
  • Password breaches in Balance don’t affect bank security

Data Minimization

Plaid only shares what Balance needs:

Balance receives:

  • Transaction dates
  • Merchant names
  • Transaction amounts
  • Account balances
  • Account names and types

Balance does NOT receive:

  • Full credit card numbers
  • CVV codes
  • Bank passwords or PINs
  • Security question answers
  • Your social security number
  • Unrelated personal data from bank

Data Retention

Plaid’s data retention:

  • Active connections - Data retained while connection active
  • Disconnected - Most data deleted after disconnection
  • Required data - Some data retained for fraud prevention
  • Compliance - Legal requirements may require retention

Deleting your data:

  1. Disconnect bank accounts in Balance
  2. Delete your Balance account
  3. Contact Plaid directly to request deletion: privacy@plaid.com
  4. Data removed from active systems
  5. Purged from backups within 90 days

Plaid vs Direct Bank Connection

Why Use Plaid Instead of Direct Connection?

Security benefits:

  • No password sharing - Balance never sees your password
  • Standardized security - One secure system vs many
  • Dedicated security team - Plaid’s entire focus is security
  • Regular audits - Third-party security verification
  • Faster updates - Security patches applied quickly

Technical benefits:

  • Works with 12,000+ institutions - Nearly all US banks
  • Handles bank changes - Plaid updates when banks change
  • Error handling - Better error messages
  • Consistent experience - Same process for all banks
  • Maintained connections - Automatic reconnection when needed

Privacy benefits:

  • Separation - Balance and bank credentials kept separate
  • Revocable - Easy to disconnect
  • Auditable - Clear what data is accessed

Direct Connection Risks

Without Plaid, we would need to:

  • Ask for your banking password directly
  • Store your bank credentials ourselves
  • Maintain connections to thousands of banks
  • Update integrations when banks change
  • Handle bank-specific security individually

This would be LESS secure because:

  • More password storage points
  • More attack surface area
  • Harder to maintain security across banks
  • Passwords could be compromised if Balance breached

Companies That Use Plaid

Plaid is trusted by major financial apps:

Consumer Apps

  • Venmo - P2P payments
  • Acorns - Investment app
  • Betterment - Robo-advisor
  • Chime - Mobile banking
  • Robinhood - Stock trading
  • Cash App - Money transfer
  • Coinbase - Cryptocurrency
  • Dave - Banking app
  • Digit - Savings app

Business Apps

  • QuickBooks - Accounting
  • Expensify - Expense tracking
  • Gusto - Payroll
  • Square - Payments
  • Xero - Business accounting

If you use any of these apps, you’re already using Plaid!

Compliance & Regulations

Plaid complies with:

  • SOC 2 Type II - Security controls audited
  • GDPR - European data protection
  • CCPA - California privacy law
  • ISO 27001 - Information security standard
  • Banking regulations - Subject to financial oversight

Regular audits:

  • External security assessments
  • Penetration testing
  • Compliance reviews
  • Third-party certifications

Common Questions

Q: Is Plaid safe to use?
A: Yes. Plaid uses bank-level security, is used by major financial apps, and is trusted by millions. It’s generally safer than giving your bank password directly to apps.

Q: Can Plaid steal my money?
A: No. Plaid only has read-only access. They cannot transfer money, pay bills, or modify your accounts in any way.

Q: What if Plaid gets hacked?
A: Plaid has extensive security measures to prevent breaches. If a breach occurred, your banking password is encrypted and the access tokens could be revoked. Banks would also be notified.

Q: Does Plaid sell my data?
A: No. Plaid does not sell personal financial data to third parties. They may use aggregated, anonymized data for research, but not personally identifiable information.

Q: Can I revoke Plaid’s access?
A: Yes. Disconnect your bank accounts in Balance, or contact Plaid directly. You can also revoke access through your bank if they provide that option.

Q: How does Plaid handle my bank’s two-factor authentication?
A: Plaid works with all major forms of two-factor authentication including SMS codes, email codes, security questions, and push notifications to bank apps.

Q: Will using Plaid affect my credit score?
A: No. Plaid’s access is read-only and does not perform credit checks or report to credit bureaus.

Q: Is Plaid FDIC insured?
A: Plaid is not a bank and doesn’t hold your money, so FDIC insurance doesn’t apply. Your money remains in your bank account, which is FDIC insured by your bank.

Q: Can my bank see that I’m using Plaid?
A: Your bank can see third-party connections. They know a service has read-only access, but specific details vary by bank.

Q: What if my bank doesn’t support Plaid?
A: Plaid works with 12,000+ US financial institutions. If your bank isn’t supported, you can request Plaid add it, or use Balance’s manual transaction entry feature.

Revoking Access

How to Disconnect

From Balance:

  1. Go to Accounts tab
  2. Select the bank account
  3. Tap “Disconnect Account”
  4. Confirm disconnection
  5. Plaid access revoked

From Plaid:

  1. Visit my.plaid.com
  2. Log in with your credentials
  3. Find Balance in connected apps
  4. Click “Remove” or “Revoke Access”

From Your Bank: Some banks allow you to manage third-party access:

  1. Log into your bank’s website
  2. Look for “Third-Party Access” or “Connected Apps”
  3. Find Plaid or Balance
  4. Revoke access

What happens after disconnection:

  • Transactions stop syncing
  • Existing data remains in Balance
  • You can manually enter transactions
  • Can reconnect anytime

Bank-Specific Features

Connection Methods

Different banks support different connection methods:

OAuth (Best):

  • Redirects to bank’s actual website
  • You log in through bank’s interface
  • Most secure option
  • Used by major banks

API Integration:

  • Direct API connection
  • Faster, more reliable
  • Supported by progressive banks

Credential-based:

  • Enter username/password in Plaid
  • Stored encrypted by Plaid
  • Most common method
  • Still secure

Bank Security Alerts

Some banks send alerts when Plaid connects:

Common alerts:

  • “Third-party access granted”
  • “New device login”
  • “Account accessed by Plaid”

This is normal:

  • Expected security behavior
  • Indicates good bank security
  • Not a cause for concern
  • Shows connection was successful

International Banks

Current Plaid coverage:

  • United States - Extensive coverage (12,000+ institutions)
  • Canada - Growing coverage
  • United Kingdom - Available
  • Europe - Limited coverage

Other countries:

  • Check Plaid’s website for latest coverage
  • Balance may add alternative providers
  • Manual transaction entry always available

Plaid Alternatives

Balance uses Plaid exclusively, but you might see these elsewhere:

  • Yodlee - Similar service, used by some apps
  • Finicity - Acquired by Mastercard
  • MX - Data aggregation platform
  • Quovo - Now part of Plaid

Why Balance chose Plaid:

  • Industry leader
  • Best security practices
  • Widest bank coverage
  • Most reliable connections
  • Trusted by major apps

Technical Details

For the technically curious:

API Communication

User → Balance → Plaid → Bank
     ←         ←       ← Transactions

Security layers:

  1. Balance to Plaid - TLS 1.3, OAuth 2.0
  2. Plaid to Bank - Bank’s API, encrypted
  3. Data storage - AES-256 encryption
  4. Token management - Secure vault

Token Lifecycle

  1. Creation - Generated during initial connection
  2. Storage - Encrypted in Plaid’s vault
  3. Usage - Used to fetch transactions
  4. Refresh - Periodically refreshed
  5. Expiration - Can expire, requiring reconnection
  6. Revocation - Deleted when you disconnect
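
The token lifecycle above, as a simplified model added here for illustration; it is not Plaid's or Balance's code. The TokenVault class, the scope names, and the client IDs are assumptions, chosen to show how a token can be read-only, bound to one app, refreshed, and revoked.

```python
import hashlib
import hmac
import secrets

READ_ONLY = frozenset({"transactions:read", "balances:read"})  # assumed scope names


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class TokenVault:
    """Toy aggregator-side vault (hypothetical design, not Plaid's)."""

    def __init__(self):
        self._items = {}  # sha256(token) -> record; raw tokens are never stored

    def create(self, client_id, credential_ref, scopes=READ_ONLY):
        if not set(scopes) <= READ_ONLY:  # Creation: read scopes only
            raise PermissionError("only read-only scopes can be issued")
        token = "access-" + secrets.token_urlsafe(32)
        self._items[_digest(token)] = {
            "client_id": client_id,
            "scopes": frozenset(scopes),
            "credential_ref": credential_ref,  # bank login stays vault-side
        }
        return token

    def _owned(self, token, client_id):
        # Fails closed: revoked, rotated-out, unknown, or another app's token.
        item = self._items.get(_digest(token))
        ok = item and hmac.compare_digest(item["client_id"], client_id)
        return item if ok else None

    def authorize(self, token, client_id, scope):
        # Usage: the token must belong to this app and cover the scope.
        item = self._owned(token, client_id)
        return item is not None and scope in item["scopes"]

    def rotate(self, token, client_id):
        # Refresh: the old token dies the moment its replacement is issued.
        if self._owned(token, client_id) is None:
            raise PermissionError("unknown token or wrong app")
        item = self._items.pop(_digest(token))
        return self.create(client_id, item["credential_ref"], item["scopes"])

    def revoke(self, token, client_id):
        if self._owned(token, client_id) is None:
            return False
        return self._items.pop(_digest(token)) is not None  # Revocation
```

Because the vault indexes records by a hash of the token, a copy of the index alone does not yield usable tokens.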

Monitoring Your Connection

Check Connection Status

In Balance:

  • Green = Connected and syncing
  • Yellow = Attention needed
  • Red = Disconnected, needs reconnection

When to Reconnect

You may need to reconnect if:

  • Bank password changed
  • Bank added new security
  • Connection expired
  • Bank updated their system
  • Security review by bank

Learn more about reconnecting banks →

Getting Help

Balance Support

For Balance-specific issues:

Plaid Support

For Plaid-specific issues:

  • Visit: support.plaid.com
  • Live chat available
  • Extensive help documentation

Your Bank

For bank-side issues:

  • Call your bank’s support number
  • Ask about “third-party access” or “Plaid”
  • Some banks have special procedures

Next Steps

Learn more about Balance security:

Questions about Plaid security? Contact our team - we’re here to help!
