Candidly Security Overview

Candidly is a FinHealth platform dedicated to crushing student debt. We believe financial health and freedom are intrinsically linked to privacy and security. Therefore, we take as many steps as possible to secure our systems and make sure our customers' data is safe and sound.



All data transmitted through our systems is secured with TLS 1.2 or above, using elliptic-curve Diffie-Hellman key exchange. These keys have a particular benefit: they cannot be used to decrypt previously captured traffic, a property known as forward secrecy.



All web servers sit behind an Application Load Balancer and a Web Application Firewall. This eliminates all direct connections to our servers from the outside world: only traffic that has been scanned and verified as safe is allowed through from client connections to our actual servers.



All client data is stored in databases that are encrypted at rest. We use Amazon Key Management Service (KMS) to manage the encryption keys for this process, and we encrypt with AES-256 symmetric-key encryption.


User Financials

All sensitive user financial data (such as bank account numbers) is encrypted with its own unique keys. Each account number has its own encryption key, and Candidly employees with direct database access cannot read these values. When our servers need to process a payment, the software decrypts the data and sends it to the servicer over an encrypted channel. Use of these keys is logged and monitored.
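The per-value key scheme described above, as an added example written for this page rather than Candidly's own code: each account number gets a fresh data key, the value is encrypted under that key with AES-256-GCM, and the key is in turn wrapped under a master key. The 32-byte master key held in memory is an assumption standing in for the KMS-managed key; in production the unwrap step would be a KMS Decrypt call, which is the event the key-usage logging mentioned above records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

func mustRand(n int) []byte { // n CSPRNG bytes; a broken random source must not be silent
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}
func gcmFor(key []byte) cipher.AEAD { // AES-256-GCM; a bad key length is a programming error
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
func seal(key, plaintext []byte) []byte { // fresh 96-bit nonce, prefixed to the output
	nonce := mustRand(12)
	return gcmFor(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) { // rejects a wrong key or tampered bytes
	if len(sealed) < 12 {
		return nil, io.ErrUnexpectedEOF
	}
	return gcmFor(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// EncryptAccountNumber: one fresh 256-bit data key (DEK) per value; the value is sealed under the
// DEK and the DEK under masterKey (assumed here; the KMS-held key in production). The row stores
// only wrappedDEK and ciphertext, which reveal nothing on their own to someone reading the database.
func EncryptAccountNumber(masterKey []byte, accountNumber string) (wrappedDEK, ciphertext []byte) {
	dek := mustRand(32)
	return seal(masterKey, dek), seal(dek, []byte(accountNumber))
}

// DecryptAccountNumber (payment path): unwrap the DEK, which in production is the KMS Decrypt
// call that the key-usage log records, then decrypt the value with it.
func DecryptAccountNumber(masterKey, wrappedDEK, ciphertext []byte) (string, error) {
	dek, err := open(masterKey, wrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, ciphertext)
	return string(pt), err
}
```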



All user passwords are stored in our database using an irreversible hash function. There is no key or process by which these passwords can be reversed. Assuming one thousand guesses per second, it would take an average of 870,000 years to recover a password that meets our password requirements. If someone forgets their password, we cannot give it to them; they need to reset it.


Penetration Testing

Our software infrastructure is updated regularly with the latest security patches, and we contract third-party penetration testing experts twice a year to verify the strength of our infrastructure and applications.


Other Security Measures

We run automated vulnerability scans to look for exploitable weaknesses in our systems. Each scan applies the newest set of CVE data to test our servers for known vulnerabilities.


Data Centers

Candidly's infrastructure is hosted and managed within Amazon's secure data centers and uses Amazon Web Services (AWS). Amazon's data center operations have been accredited under:

ISO 27001, ISO 27017, ISO 27018
SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3
PCI DSS Level 1
FISMA Moderate
Sarbanes-Oxley (SOX)
SEC Rule 17a-4(f)


Certifications or Audits

We have SOC 1 – Type 2, SOC 2 – Type 2, PCI, FISMA, BSA/AML, CCPA and are working on FedRAMP.

Questions? If you have questions or concerns about our security overview, you can email us at