BorrowBetter


Information Security Policy

Last revised: November 28, 2025

BorrowBetter ("BorrowBetter," "we," "us," or "our") maintains a comprehensive information security program to safeguard the non-public personal information ("NPI") of consumers who use our platform.

This Information Security Policy describes the administrative, technical, and physical safeguards we implement to protect NPI throughout its lifecycle—from collection through storage, transmission, and disposal.

1. Scope

This policy applies to all NPI collected, processed, stored, or transmitted by BorrowBetter, including:

  • Personally Identifiable Information: Name, email address, phone number, mailing address, date of birth, and Social Security number
  • Financial Information: Income, employment details, banking information, loan preferences, and debt amounts
  • Credit Information: Credit scores, credit reports, and credit history obtained with consumer consent
  • Technical Data: IP addresses, device information, session identifiers, and behavioral analytics

2. Information Security Program Overview

BorrowBetter's information security program is designed to:

  • Ensure the confidentiality, integrity, and availability of consumer NPI
  • Protect against anticipated threats or hazards to the security of such information
  • Protect against unauthorized access to or use of NPI that could result in substantial harm to consumers
  • Comply with applicable federal and state laws governing the protection of consumer information

3. Administrative Safeguards

3.1 Security Leadership

BorrowBetter has designated a Security Officer responsible for:

  • Overseeing the information security program
  • Conducting periodic risk assessments
  • Coordinating security incident response
  • Ensuring compliance with security policies and procedures

3.2 Personnel Security

All employees undergo thorough vetting and ongoing security measures:

  • Background Checks: All employees with access to consumer data undergo background checks prior to employment
  • Security Training: Employees complete comprehensive security and compliance training upon hire and on an ongoing basis
  • Confidentiality Agreements: All personnel are bound by confidentiality obligations regarding consumer information
  • Least Privilege Access: Access to systems and data is granted on a need-to-know basis aligned with job responsibilities

3.3 Risk Assessment

We conduct periodic assessments to identify and address risks to consumer information, including evaluation of internal and external threats, system vulnerabilities, and the effectiveness of existing safeguards.

4. Technical Safeguards

4.1 Encryption

  • Data in Transit: All data transmitted between users and our platform is encrypted using TLS 1.2 or higher
  • Data at Rest: Sensitive data, including Social Security numbers, is encrypted using AES-256 encryption
  • Database Encryption: Our managed database employs encryption at rest for all stored data

4.2 Access Controls

  • Single Sign-On (SSO): Employee access to systems is managed through Google SSO with centralized identity management
  • Least Privilege: Access rights are limited to the minimum necessary for job functions
  • Production Database Access: Direct access to production databases requires break-glass procedures with audit logging
  • Session Management: User sessions are secured with cryptographically strong session tokens

4.3 Monitoring and Detection

  • Anomaly Detection: Third-party security monitoring continuously analyzes system activity for anomalous behavior
  • Automated Threat Response: Suspicious activity triggers automatic protective measures including access denial
  • Logging: Comprehensive logging of system access and data operations for security analysis and audit purposes
  • Breach Detection: Automated systems monitor for indicators of unauthorized access or data exfiltration

4.4 Secure Development

  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks
  • Environment Separation: Development, staging, and production environments are segregated
  • Secrets Management: API keys, credentials, and encryption keys are managed through secure environment configuration

5. Infrastructure Security

BorrowBetter's platform is hosted on enterprise-grade cloud infrastructure:

5.1 Application Hosting

Our application is deployed on Vercel, which provides:

  • SOC 2 Type II certified infrastructure
  • Automatic DDoS protection
  • Edge network with global distribution
  • Automatic HTTPS with managed TLS certificates
  • Isolated serverless execution environments

5.2 Database Infrastructure

Consumer data is stored in Neon, a managed PostgreSQL service providing:

  • SOC 2 Type II certified operations
  • Encryption at rest and in transit
  • Automated backups and point-in-time recovery
  • Network isolation and access controls
  • Regular security patching and updates

6. Third-Party Vendor Management

BorrowBetter shares consumer information with lending partners and service providers under strict security requirements:

  • Security Agreements: All third parties receiving consumer data must execute data security agreements
  • Compliance Verification: We require SOC 2 certification or equivalent security attestation from partners, with documented exceptions reviewed and approved by our Security Officer
  • Secure Transmission: Lead data is transmitted to partners exclusively through encrypted API connections
  • Limited Data Sharing: Only information necessary for the specific business purpose is shared with each partner

7. Incident Response

BorrowBetter maintains an incident response program to address security events:

  • Detection: Automated monitoring systems and manual review processes identify potential security incidents
  • Response: Documented procedures guide containment, investigation, and remediation of security events
  • Notification: In the event of a breach affecting consumer NPI, we will notify affected individuals and regulatory authorities as required by applicable law
  • Post-Incident Review: Security incidents are analyzed to identify root causes and implement preventive measures

8. Data Retention and Disposal

Consumer information is retained only as long as necessary to fulfill business purposes and legal obligations:

  • Lead data is retained for the period necessary to complete partner matching and fulfill regulatory requirements
  • Credit-related data is retained in accordance with Fair Credit Reporting Act requirements
  • Upon expiration of retention periods, data is securely deleted or anonymized
  • Consumer deletion requests are processed in accordance with applicable privacy laws

9. Consumer Rights

Consumers may exercise their rights regarding their personal information by contacting us at:

Email: privacy@borrowbetter.com

We respond to verified consumer requests in accordance with applicable state and federal privacy laws.

10. Policy Review and Updates

This Information Security Policy is reviewed periodically and updated as necessary to address:

  • Changes in business operations or technology
  • Emerging threats and vulnerabilities
  • Regulatory developments
  • Results of risk assessments and security audits

Material changes to this policy will be reflected in the "Last revised" date above.

11. Contact Information

For questions about this Information Security Policy or BorrowBetter's security practices, please contact:

BorrowBetter Security

Email: security@borrowbetter.com

We are not a lender. The operator of this website is not a lender, does not make offers for loans, and does not make credit decisions. Rather, we seek to pair consumers with approved lenders and lending partners. Please note, the lender or lending partner you are connected with may not offer you the most favorable loan terms for your financial circumstances. This website is not a representative, agent, or broker of any lender or lending partner. We have no authority over and disclaim responsibility for the actions and omissions of lenders and lending partners. We do not guarantee that you will receive a loan offer from a lender or lending partner, or approval for a loan. We do not control the amount of fees you may be charged upon nonpayment, late payment, or partial payment. Please contact your lender or lending partner directly with questions regarding your loan.

About personal loans. Personal loans are online loans which generally range from $1,000 to $40,000. These loans are not intended to be solutions to long-term financial issues. Consumers who have credit problems or who are facing debt should seek professional financial advice, learn of the risks involved with taking out loans, and consider loan alternatives that may be more suitable to their financial circumstances. We strongly encourage you to read and understand the terms of any loan offered to you by a lender or lending partner. If you miss a payment or make a late payment, additional fees may apply and your credit score can be negatively affected. Reject any loan offer that you cannot afford to repay or that offers terms that you cannot agree to.

© 2026 BorrowBetter. All rights reserved.
