ARA Wealth Data Security Policy

1. Security Philosophy

ARA Wealth is built around the principle that households should be able to understand their finances without giving up control of their money or their banking credentials.

The platform is designed to:

• help households organise financial information
• maintain strict separation between financial data and banking credentials
• ensure bank connections remain read-only
• protect sensitive financial information using modern security practices

2. Open Banking Integration

ARA Wealth connects to bank accounts using Akahu, a New Zealand open banking provider.

This integration allows users to securely connect their financial accounts without sharing their banking passwords with ARA Wealth.

When a user connects a bank account:

1. The user is redirected to Akahu's secure authentication flow
2. The user authenticates directly with their bank
3. The bank confirms the connection through Akahu

ARA Wealth receives financial data through Akahu's secure API.

This architecture ensures:

• ARA Wealth never receives or stores banking passwords
• bank authentication is handled directly by the bank and Akahu
• connections are established using secure API tokens

3. Read-Only Financial Access

The access provided through the Akahu integration is read-only.

ARA Wealth retrieves financial information including:

• account balances
• transaction history
• account identifiers

4. Secure Token Storage

Bank connections are maintained using secure access tokens issued by Akahu.

These tokens allow ARA Wealth to retrieve updated financial information without requiring repeated authentication.

Security protections include:

• tokens stored securely within protected infrastructure
• restricted access to token storage systems
• encrypted communications when retrieving financial data
• monitoring of token usage and API access

Access tokens provide read-only access to financial data and cannot be used to move funds or perform transactions.

5. Data Encryption

ARA Wealth protects data using encryption practices designed to protect information both in transit and at rest.

Security practices include:

• HTTPS encryption for all data transmitted between users and the platform
• encrypted API communication with Akahu
• secure storage of sensitive data within protected database systems

These measures ensure that financial data cannot be intercepted or accessed during transmission.

6. Infrastructure Security

ARA Wealth is hosted on secure cloud infrastructure designed to protect sensitive application data.

Infrastructure protections include:

• restricted administrative access to production environments
• network-level security protections
• system monitoring and logging
• routine security updates and patch management

Production systems are designed to limit exposure and reduce the risk of unauthorised access.

7. Access Controls

Access to systems that contain customer financial information is restricted.

Security controls include:

• role-based access permissions
• limited access to production systems
• internal access logging
• operational monitoring

Access to sensitive systems is restricted to authorised personnel who require access to operate or maintain the platform.

7a. User Authentication

Authentication options include:

• email and password login with secure session management
• Google OAuth for convenient single sign-on
• magic link authentication for passwordless access

8. Monitoring and Logging

ARA Wealth maintains monitoring systems designed to detect unusual behaviour or unexpected system activity.

This includes:

• API usage monitoring
• system activity logging
• infrastructure monitoring

Monitoring helps identify potential issues quickly and supports investigation if suspicious activity is detected.

9. Incident Response

If a security issue or data breach were suspected, ARA Wealth would follow a structured response process.

This includes:

• investigating the incident
• containing and mitigating any potential impact
• notifying affected users if required
• complying with obligations under the New Zealand Privacy Act

ARA Wealth takes the protection of financial information seriously and continuously improves its security practices.

10. User Control of Bank Connections

Users remain in full control of their bank connections.

Users can disconnect bank accounts at any time within the ARA Wealth application.

When a bank connection is disconnected:

• access tokens are revoked immediately and no further data is retrieved from the bank
• ARA Wealth stops syncing new financial information
• the connection between the platform and the bank account is terminated

Historical transaction data that has already been imported into ARA Wealth may remain available to the user for financial history continuity. Financial data is retained only as long as reasonably required to provide the ARA Wealth service and in accordance with the New Zealand Privacy Act.

Users may also revoke access through Akahu directly if they prefer.

11. Security Reviews and Testing

ARA Wealth is committed to maintaining strong security practices.

Security reviews may include:

• application security testing
• penetration testing
• infrastructure security reviews
• monitoring and improvement of internal security practices

These reviews help ensure the platform remains secure as it evolves.

12. Ongoing Security Improvements

Security is an ongoing process.

As ARA Wealth develops new features and integrations, security practices are reviewed and improved to ensure financial data remains protected.