We do not outsource customer service to third party providers. All our staff are trained in-house so that we have tighter controls over the onboarding process, and our Client Experience team does not forward customer documents to any other department in the company.

Access to our corporate network is only for authorized personnel and specific devices.  We practice the Principle of Least Privilege, where we only assign just enough access for staff to perform his/her job. Hence only very limited staff has access to customer information.

We have to be compliant with the Personal Data Protection Act and MAS Technology Risk Management (TRM) Guidelines to attain and maintain our Capital Markets Services License.

Your money is kept entirely unmingled with StashAway's finances. To ensure that we never touch your money, we use custodian banks that hold your money, whether it's in cash or in securities.StashAway has made it a top priority to work with global, reputable banks for these purposes. Our custodian bank for receiving your deposits is Citibank Berhad, while Saxo Capital Markets Pte Ltd is our custodian for your investible cash and securities.In these custodian institutions, your assets are always in a segregated account-- one that is separate from StashAway's operations and assets. This means that you will always have full access and claim to your assets no matter what happens to StashAway.

At StashAway, we take security seriously and strive to ensure that while we focus on customer experience, usability and product reliability, it is secured as well. However, nothing is perfect and we encourage the reporting of suspected vulnerabilities or weaknesses in our IT services and systems through our Vulnerability Disclosure Programme (VDP). You can find more information on how to report here.

Please also note that the VDP does not authorise or permit the taking of any action which may contravene applicable laws and regulations (e.g. Computer Misuse Act). For the avoidance of doubt, attempts to exploit or test suspected vulnerabilities (e.g. gaining unauthorised access to any computer program or data) are prohibited.