Data Privacy Policy

version 11.1.2021

Preamble

Data privacy and security are top priorities for Aster Key. They are the DNA of our business, and key to your experience with our product.  Aster Key is committed to:

  • securing your financial and personal data
  • eliminating systems vulnerabilities
  • ensuring your ability to start your financing journey in an anonymous mode

We patented key components of our data privacy and security system in, Patent No. 11,170,130, issued 11/9/2021, titled: “Apparatus, Systems and Methods for Storing User Profile Data on a Distributed Database for Anonymous Verification”

 

Data through the Aster Key System

Data from the Aster Key back end (servers) to your mobile application (mobile app), as well as to lenders, is transmitted securely via end-to-end encryption via an HTTPS endpoint. We also encrypt all transmitted data using AES-256 bit encryption, as well as encrypt all data at rest. Aster Key stores all your personal and financial data separated in your mobile app and never passes them together in the lender API. Our backend does not store or have direct access to your data in your Aster Key app vault (on your mobile phone) as its access and use is controlled by you.

 

Mobile Application Data

Once the data is aggregated it is removed for the back end and passed securely to your mobile app. It is now available and stored encrypted when at rest in your mobile application.

 

Data Encryption

All data in your mobile application, as well as any non-financial and non-personal data on the Aster Key servers, is encrypted at rest. If a hacker was ever able to penetrate and access any portion of the physical storage on your mobile device it would be impossible to read the data without decryption of the various data stores independently, which would need the keys which are not available. The information in your mobile application is a useless string of jumbled random characters and is more secure than website backend data stores.

 

Aster Key Server Communication

Encryption in transit within the Aster Key back end as well as encrypting all data at rest adds another layer of security protection when back end maintenance is needed without compromising data security and privacy. Not even our internal software engineers can see your data passing through our back end. If a hacker gains access to our back end they cannot see your data while it is passed. The limited data stored at rest is secured using the same principles as noted above.

 

 Where and how your data is stored

  •  Create Account

A passphrase is created by you. This is linked to an internal unique identifier (snowflake) that identifies you, anonymously, to our system.  As part of the account creation process, you are provided a public anonymous ID that is used when you send your financial data to a lender. I.E, a lender sees your financial data but not your personal information such as your name, address, social security number or email – so at this point you cannot be identified. The final step in account creation is verification of your mobile number which is linked to your internal unique identifier.

  • A passphrase is easier for humans to remember, eliminating the tendency for users to create weak usernames and passwords. 4-5 word passphrases using only lower and uppercase letters (no numbers or symbols or spaces), such as picktraitGoatGifts, are very secure. You should not use any personal information or common phrases, such as “ToBeOrNotToBe”, in your Passphrase
  • We pass your public anonymous ID with your financial data.
  • We never pass your personal info with your financial data as it is stored independently

 

  • Financial Profile Data

You create your (verified) financial profile by logging into your payroll, bank and investment accounts from your Aster Key app via services such as Plaid, Finicity and Argyle which have connections to financial institutions, companies you work for, or to payroll companies such as ADP or Paychex.

  • Aster Key does not see or store your login information to your accounts. We can’t do any “transactions” through these accounts. The information from your accounts is used to create verified information in your financial profile.
  • To maintain a high level of security, Aster Key does not store your financial data on our servers. Your financial data is aggregated and passed to your mobile app encrypted. We also use end-to-end encryption which adds to the security of your data. Our end-to-end encryption blocks website providers or government agencies from viewing the data in transit, unlike HTTPS which has more vulnerabilities.
  • Your encrypted financial data is not readable or visible in your phone’s storage by 3rd parties who scan storage. We encrypt the data when it is stored
  • Your financial data and your personal data are stored and encrypted independently to add another level of security.
  • A blockchain proof/hash is created of your financial data via an Ethereum sidechain and then uploaded to Ethereum Mainnet. Your financial proof/hash ensures your data can be verified and acts as a counterbalance if any 3rd party would try to manipulate your information. This further protects your data as well as ensures its integrity.
  • Our goal is to have this hash used as verification of your financial data as blockchain becomes embedded in risk analysis systems.
  • Aster Key does not store or have access to your financial data as it is stored and controlled by you inside the app. You are in complete control over who sees your financial data.

 

  • Personal Data (also referred to as personal information)

You can add your personal data from the “settings” screen. Personal data is not required to send out requests for offers as this is done “anonymously”. You transmit your personal data if you accept the offer. 

  • Personal data consists of your legal name, home address, email address, mobile phone #, social security #, W-2, 1099s, and tax returns.
  • Personal data (except your mobile phone number) is only stored on your mobile phone. It is encrypted and stored independently from your financial data for added security. It is not readable or visible in your phone’s storage.
  • Aster Key does not store your personal data on its servers.
  • You control who sees your personal data, and you only share this AFTER you view offers and want to move forward with an offer. When you hit send we only send your personal data encrypted and also use end-to-end encryption which adds the security of your data.
  • We never send your personal data with your financial data to increase security.
  • You do not have to add personal data to send your financial data out for offers, you can do this later.

 

New mobile phone, or loss of your mobile phone

Your mobile phone (mobile device) is your key to your personal information – as well as all your financial data, both of which are encrypted end to end and stored on your phone.

  • If you lose your phone or upgrade to a new phone, it will result in the loss of your financial data as well as your personal data. There is no “recovery” of your data – as Aster Key does not store your financial data or personal data on its servers.
  • Your offers are recoverable as long as you remember your passphrase and maintain the same phone number – or have written down your public anonymous id.
  • In the future, 1) we may enable an encrypted backup, that you can store, which will allow you to “reload” your data from the backup, and 2) you will be able to export your data, which will be password protected, and allow you to take your data with you and view it outside of the Aster Key app, i.e., if you want to provide a copy of your financial profile to an entity that is not in the Aster Key ecosystem.

 

No personal data and financial data commingling

To maintain your privacy as well as increase the overall safety of your data we do not store your financial and personal data together.

  • Your personal data and financial data is not stored together on your mobile
  • Your personal data, financial data as well as data used to manage is all stored and encrypted independently
  • Financial data sent to the blockchain to create your proof does not include any personal information. This further secures and separates your financial and personal data on your device or on the blockchain, so a 3rd party cannot tie the two together.
  • Financial data sent to lenders is always sent using your public anonymous ID. It is NEVER sent with your personal data

 

Benefits to Aster Key’s anonymous financial data transmission, and no commingling of personal and financial data

  • You no longer have to fill out online or paper applications
  • You can anonymously apply for multiple offers with the press of a button.
  • You do not have to go through the “security challenged” application process in place today. They expose you to passing your personal and financial data at the same time in transit, pass it to third party software companies as part of their processes, or use your initial personal or financial information for marketing purposes – and this increases the risk of being exposed in a server hack to any of these entities
  • A long-term benefit of a consumer-provisioned financial profile is the reduced reliance on credit agencies storing and selling your data without your permission.

Employee Screening

When Aster Key hires full-time W2 employees, it will conduct background checks for all new hires, including verification on the following:

  • Identity verification
  • National criminal records check
  • County criminal records check
  • (U.S. only) Sex offender registry check

We do not currently conduct background checks for our 1099 and consulting firms.

Security Training

To ensure continuity with respect to securing your data, all employees receive onboarding and systems training, including environment and permissions setup, security policies review, company policies review, and corporate values training.

All employees are required to review security policies as part of onboarding and are encouraged to collaborate and enhance our policies during peer reviews. All changes are managed in our GIT repository so engineers can review and collaborate before they become policy. All updates are passed to employees and added to the training.

Penetration Testing

After our beta period, Aster Key will use a 3rd party to perform annual penetration testing. Your financial and personal data is not exposed during these tests. We create a close of our systems that does not contain any of our customer’s personal or financial data for these tests.

All findings linked to vulnerabilities that can be exploited through penetration testing are used to set remediation priorities.

The mobile applications go through a security test as part of each new version release.

Intrusion detection and prevention systems (IDS/IPS)

Aster Key uses signature-based security and algorithm-based security to dynamically identify traffic patterns that align with known attack methods.

The key benefit of IDS/IPS is linked to tightly controlling the size and make-up of the attack telemetry, using intelligent detection controls at data entry points. The time it takes to automatically remedy new threats, as well as proactive prevention of known threats from accessing the system in the first place.

Two-Factor Authentication

Along with passphrase login, two-factor authentication (2FA) provides additional security to your data stored in the Aster Key application.  We highly recommend the use of  2FA as an integral step towards securing your data. Aster Key users can turn on @FA in the settings screen and can use universal second-factor applications like “Authy”  or SMS as second factors.

Securing Application Development Lifecycle

Aster Key uses continuous delivery of enhancements and modifications. All new or modified code changes are committed, tested, shipped, and iterated in a rapid sequence. We use a continuous delivery methodology, which includes pull requests, continuous integration (CI), and automated error tracking. Our goal is and processes are aligned to significantly decrease the likelihood of a security issue. These flows also improve our response time to the effective removal of bugs and vulnerabilities. We use Github release notes and change management through the GitHub SDK to manage our code.

Compliance Certifications

Aster Key, after out beta period, will proceed to complete  the following compliance certifications including but not limited to:

  • SOC2 Type I
  • SOC2 Type II
  • HIPAA Attestation

GDPR (General Data Protection Regulation, European Union)

Aster Key is GDPR compliant.

CCPA (California Consumer Privacy Act)

Aster Key is CCPA compliant. Our Data CCPA data processing overview provides assurances and a path to learn how your data is used as well as a way to clear out your data. Aster Key does not retain, use or disclose personal data. You maintain all your personal data on your device within the Aster Key app. You control when and how it is used.  Aster Key does not “sell” Personal Data within the meaning under the CCPA.

 

 

Global Home Lending is the trade name for Skyline Capital, LLC, NMLS # 1528496
We are licensed to provide mortgages in Florida and Pennsylvania.
Our corporate address is 209 Royal Ave, Wyncote, PA 19095

Phone: 1-888-288-9157 Email: info@GlobalHomeLending.com

> start your loan anonymously technology is provided by Aster Key. Aster Key is not a lender.
Aster Key provides data privacy and security for consumers when they apply for a loan.