How Ziggma Keeps Your Portfolio Data Secure



Linking investment accounts requires trust. This page explains exactly how Ziggma protects your data — what we access, what we never touch, how it's stored, and what happens if you decide to leave. No vague assurances. Just the specifics.

Credentials never stored

OAuth means your login stays between you and your broker

Read-only access

Ziggma can view your holdings — never trade or move funds

Encrypted at rest & in transit

AWS-hosted, bank-grade encryption on all data

Data never sold

We earn from subscriptions — your data is not our product


How account linking works — and why your credentials are never at risk

When you connect a brokerage or retirement account to Ziggma, the connection is handled entirely by a third-party aggregator — either Snaptrade or Plaid. Ziggma never sees, receives, or stores your login credentials at any point in the process.

For virtually all major US brokers — including Fidelity, Charles Schwab, Robinhood, Vanguard, and Coinbase — the connection uses OAuth 2.0. With OAuth, you authenticate directly on your broker's own login page. The broker then issues a limited-scope, read-only access token to the aggregator. Your username and password never leave your broker's systems.

In the small number of cases where a broker does not yet support OAuth, you enter your credentials in the aggregator's connection flow and the aggregator passes them to that broker's systems. In that case the aggregator, not Ziggma, handles your credentials: they never enter Ziggma's infrastructure. The aggregators' own controls for this are covered under the security certifications below.

What Ziggma receives: read-only data — account balances, holdings, and transaction history. Nothing more. Ziggma cannot initiate trades, move funds, or make any changes to your accounts. Learn more about how aggregators work in our financial account aggregators guide.


For a full comparison of Plaid, Snaptrade, Yodlee, Akoya, and Finicity, see financial account aggregators demystified.

How your data is encrypted

All portfolio data stored in Ziggma is encrypted at rest (AES-256 on AWS, with the decryption keys held separately from the data) and in transit (HTTPS between your browser and Ziggma's servers, and encrypted connections from the aggregators). Database backups are encrypted to the same standard as live data, so no unencrypted copy of your portfolio exists at any point. These are the same standards used by major financial institutions.


Learn about portfolio aggregation and whether Plaid is safe.

Third-party security certifications

Ziggma's account aggregation partners — Snaptrade and Plaid — hold independent security certifications that are verified by external auditors, not self-reported. These are the same standards required by banks and enterprise financial institutions.

Investment aggregation

Snaptrade

  • SOC 2 Type II — independently audited controls verified over time, not just at a point in time
  • Penetration testing — continuous third-party security audits by external security firms
  • Bug bounty program — active responsible disclosure program; verified findings reviewed and rewarded
  • AWS KMS encryption — credentials encrypted at rest using AWS Key Management Service
  • 24/7 monitoring — all systems and data access continuously monitored

Broad account aggregation

Plaid

  • SOC 2 Type II — independently audited security controls
  • ISO 27001 — internationally recognised information security management certification
  • ISO 27701 — privacy information management extension to ISO 27001
  • GDPR & CCPA compliant — meets EU and California consumer privacy requirements
  • TLS + AES-256 — encryption in transit and at rest to financial institution standards

A SOC 2 Type II report is the more rigorous of the two SOC 2 report types: an independent auditor evaluates whether the security controls operated effectively over a review period (typically 6–12 months), not just whether they were suitably designed at a single point in time, as a Type I report does. ISO 27001 is the internationally recognised standard for an information security management system and is widely required by enterprise financial institutions; ISO 27701 extends it to privacy information management.

What would happen if Ziggma's servers were breached

This is the question most investors don't ask but should. Here's the honest answer:

In the unlikely event of a breach, your money is not at risk. Ziggma has no ability to access or move funds — it is a read-only analytics layer on top of your accounts.


Ziggma's data policy in plain terms


Your data from connection to deletion

01

You connect a broker

You authenticate on your broker's own login page via OAuth. Your credentials stay there.

02

Token issued

Your broker issues a read-only access token to Snaptrade or Plaid. No password involved.

03

Data retrieved

Holdings, balances, and transactions are fetched and passed to Ziggma — encrypted in transit.

04

Stored encrypted

Your data sits on AWS servers encrypted at rest. Decryption keys are held separately.

05

You stay in control

Revoke access anytime from Ziggma or directly from your broker's connected apps settings.

06

Full deletion on request

Delete your account and all data is permanently removed. Broker connections terminated automatically.
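The six steps above, and the OAuth 2.0 description under "How account linking works", in working code. This is an added example, not Ziggma's, Snaptrade's or Plaid's code: a hypothetical broker's authorization server mints an opaque, scope-limited token for an "aggregator" client after the user has signed in, the broker's API checks the scope on every endpoint, and revocation takes effect on the next request. The scope names, the client and user identifiers, the one-hour lifetime and the sample holdings are all assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Scopes of the hypothetical broker; the aggregator is only ever granted the read scope.
const (
	ScopeAccountsRead = "accounts:read"
	ScopeTradingWrite = "trading:write"
)

var (
	ErrInvalidToken      = errors.New("token unknown, expired or revoked")
	ErrInsufficientScope = errors.New("token does not carry the required scope")
)

// grant is the broker's record of an issued token. Only the SHA-256 digest of the
// bearer token is stored, so a dump of this table does not yield usable tokens.
type grant struct {
	clientID string
	userID   string
	scopes   map[string]bool
	expires  time.Time
	revoked  bool
}

// AuthServer models the broker's OAuth 2.0 authorization server.
type AuthServer struct{ grants map[string]*grant } // keyed by hex(sha256(token))

func NewAuthServer() *AuthServer { return &AuthServer{grants: map[string]*grant{}} }

func tokenDigest(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue runs after the user signs in on the broker's own page: an opaque,
// scope-limited token is minted for clientID on behalf of userID. No password is involved.
func (a *AuthServer) Issue(clientID, userID string, scopes []string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	g := &grant{clientID: clientID, userID: userID, scopes: map[string]bool{}, expires: time.Now().Add(ttl)}
	for _, s := range scopes {
		g.scopes[s] = true
	}
	a.grants[tokenDigest(token)] = g
	return token, nil
}

// Revoke is what "remove this app" in the broker's connected-apps settings does.
func (a *AuthServer) Revoke(token string) {
	if g, ok := a.grants[tokenDigest(token)]; ok {
		g.revoked = true
	}
}

// Authorize validates a presented token and checks it carries the scope the operation
// needs. Reading and trading are distinct scopes, so a leaked read-only token cannot trade.
func (a *AuthServer) Authorize(token, requiredScope string) (*grant, error) {
	g, ok := a.grants[tokenDigest(token)]
	if !ok || g.revoked || !time.Now().Before(g.expires) {
		return nil, ErrInvalidToken
	}
	if !g.scopes[requiredScope] {
		return nil, ErrInsufficientScope
	}
	return g, nil
}

// Broker models the resource server; each endpoint names the scope it requires.
type Broker struct {
	Auth     *AuthServer
	holdings map[string][]string // userID -> positions (constructed sample data)
}

func NewBroker() *Broker {
	return &Broker{Auth: NewAuthServer(), holdings: map[string][]string{"user-42": {"VTI x 40", "AAPL x 10"}}}
}

func (b *Broker) GetHoldings(token string) ([]string, error) {
	g, err := b.Auth.Authorize(token, ScopeAccountsRead)
	if err != nil {
		return nil, err
	}
	return b.holdings[g.userID], nil
}

func (b *Broker) PlaceOrder(token, symbol string, qty int) error {
	g, err := b.Auth.Authorize(token, ScopeTradingWrite)
	if err != nil {
		return err
	}
	b.holdings[g.userID] = append(b.holdings[g.userID], fmt.Sprintf("%s x %d", symbol, qty))
	return nil
}

func main() {
	b := NewBroker()
	tok, _ := b.Auth.Issue("aggregator", "user-42", []string{ScopeAccountsRead}, time.Hour)
	fmt.Println(b.GetHoldings(tok))           // [VTI x 40 AAPL x 10] <nil>
	fmt.Println(b.PlaceOrder(tok, "TSLA", 5)) // token does not carry the required scope
	b.Auth.Revoke(tok)
	fmt.Println(b.GetHoldings(tok)) // [] token unknown, expired or revoked
}
```

Two details worth noticing: the broker compares scopes per endpoint rather than per client, so "read-only" is enforced where the data lives and not by the aggregator's good behaviour, and revocation is checked on every call, which is why revoking from the broker's settings takes effect immediately rather than at token expiry.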

Frequently Asked Questions

Does Ziggma sell my data?

No — and this is a firm commitment, not a policy subject to change. Ziggma's business model is a straightforward SaaS subscription. Revenue comes from monthly and annual plan fees, not from selling or monetising user data. Your portfolio data has never been sold and never will be.

Does Ziggma store my brokerage login credentials?

No. Account linking is handled entirely by Snaptrade or Plaid — Ziggma never receives, processes, or stores your login credentials at any step. For the large majority of brokers, OAuth means your credentials don't leave your broker's own systems at all.

For a full explanation of how this works, see our financial account aggregators guide.

How secure is linking my investment accounts?

Very secure. Ziggma uses Snaptrade and Plaid, the leading investment account aggregators in the US, and for virtually all major US brokers the connection is made with OAuth 2.0: you sign in on the broker's own page and the broker issues the aggregator a scoped token, so no credentials are shared with the aggregator or with Ziggma. The connection is read-only, encrypted in transit, and can be revoked at any time from Ziggma or from your broker.

For more on the security standards behind these connections, see how secure is linking your account.

How is my data encrypted?

All data is encrypted at rest and in transit. Ziggma's servers are hosted on Amazon Web Services (AWS) in the United States, using bank-grade AES-256 encryption for stored data. All connections between your browser and Ziggma's servers run over HTTPS. Database backups are encrypted to the same standard as live data — no unencrypted copies exist at any point.

Can Ziggma trade or move money in my accounts?

No. Ziggma has read-only access to your account data. It can retrieve balances, holdings, and transaction history — but it has no ability to initiate trades, transfer funds, or make any changes to your brokerage or retirement accounts whatsoever.

What data does Ziggma access?

Ziggma accesses only what is needed to provide portfolio analytics: account balances, holdings (positions and quantities), and transaction history. It does not access full account numbers, Social Security numbers, payment card data, or any information beyond what is required to power the portfolio analysis features.

What happens to my data if Ziggma is breached?

Your money would not be at risk. Ziggma holds no credentials and has no ability to access or move funds. In the event of a breach, an attacker would find encrypted portfolio data — unreadable without the separate decryption key — and no passwords or full account numbers to exploit. Any OAuth access tokens are read-only and can be revoked instantly from your broker's connected apps settings.
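What "encrypted at rest, with the decryption keys held separately" can look like in practice, as an added illustration for this answer and for the encryption answer above. This is not Ziggma's implementation, whose internals this page does not describe: it shows envelope encryption, the pattern AWS KMS is built around, in which each stored record gets its own data key and that data key is itself encrypted under a key-encryption key that only a separate key service holds. A copy of the database then contains only ciphertext and wrapped keys. The in-memory key service, the per-user context string and the sample portfolio record are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag under AES-256-GCM; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails on a wrong key, a wrong aad or any tampering.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyService stands in for a KMS (hypothetical, in-memory): it holds the
// key-encryption key and never releases it; it only wraps and unwraps data keys.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func (k *KeyService) Wrap(dek, ctx []byte) ([]byte, error)       { return seal(k.kek, dek, ctx) }
func (k *KeyService) Unwrap(wrapped, ctx []byte) ([]byte, error) { return unseal(k.kek, wrapped, ctx) }

// Record is everything the database holds for one user; neither field is readable without the key service.
type Record struct {
	UserID     string
	WrappedDEK []byte
	Ciphertext []byte
}

// keyContext binds a wrapped key to one user so it cannot be replayed against another row.
func keyContext(userID string) []byte { return []byte("portfolio/user:" + userID) }

func EncryptRecord(ks *KeyService, userID string, plaintext []byte) (Record, error) {
	ctx := keyContext(userID)
	dek := make([]byte, 32) // fresh data key per record, never stored in the clear
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek, ctx)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, ctx)
	for i := range dek { // the plaintext data key lives only for this call
		dek[i] = 0
	}
	if err != nil {
		return Record{}, err
	}
	return Record{UserID: userID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(ks *KeyService, r Record) ([]byte, error) {
	ctx := keyContext(r.UserID)
	dek, err := ks.Unwrap(r.WrappedDEK, ctx) // the only way to get the data key back
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dek, r.Ciphertext, ctx)
}

func main() {
	ks, _ := NewKeyService()
	rec, _ := EncryptRecord(ks, "user-42", []byte(`{"VTI":40,"AAPL":10}`)) // constructed sample row
	fmt.Printf("what a database dump shows: %x %x\n", rec.WrappedDEK, rec.Ciphertext)
}
```

The property the FAQ answer relies on is visible in the structure: an attacker with the database but not the key service gets only `WrappedDEK` and `Ciphertext`, and the key service never hands out its key-encryption key, only unwrapped data keys for a caller it has authorised. Binding the wrapped key to the user ID also means a wrapped key copied onto another user's row fails to unwrap.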

Where is my data stored?

All data is stored on Amazon Web Services (AWS) servers located in the United States. AWS operates under strict compliance frameworks and provides the same infrastructure used by banks and major financial institutions globally.

How do I disconnect a linked account?

You can disconnect any linked account from within Ziggma at any time from the Investment Accounts section. You can also revoke access directly from your broker's connected apps or third-party access settings, which immediately invalidates the OAuth token. Both routes fully terminate the connection. Revoking the token stops any further retrieval; data Ziggma has already stored is removed when you delete your account (see below). See the Ziggma FAQ for step-by-step guidance.

What happens when I delete my Ziggma account?

All your data is permanently deleted from Ziggma's database. This includes all portfolio data, transaction history, and account information. Broker connections are terminated and Snaptrade and Plaid are notified automatically — no residual data is retained anywhere in the system.

If you'd like to explore Ziggma before committing, you can start free with no credit card required, or review the full plan comparison.