Bank Grade Security

As described below, Qaravan manages our IT security like a bank’s vault:  a strong perimeter, controlled access, and limited contents.

World-Class Data Center


The Qaravan data center is in the continental US, near our offices just a few miles outside of Washington, DC.   We have roots in the world of federal government IT contracting, so we have a unique appreciation for exceptionally conservative IT security standards.

For example, we know that keeping applications in a public cloud makes bankers and regulators nervous.  That’s why we don’t do it.  Instead, our website, application, and data warehouse all reside on dedicated hardware within a private, firewalled environment that is exclusive to Qaravan.

This infrastructure is physically located within a modern, highly secure data center that conforms to the internationally recognized ISO/IEC 27001 security protocols.  It has recently been audited by Ernst & Young and given a “clean opinion” relative to the data center security standards established by the American Institute of Certified Public Accountants (AICPA).

Restricted, “KYC” Access Requirements


Qaravan’s first line of defense is similar to the banking industry’s “Know Your Customer” protocols—we make sure we’re serving real people who have responsible intentions. One way we screen out the bad guys is by requiring users to activate their trial through their email account.  Additionally, we ask that users adhere to an enhanced set of standards when creating an account password.  Finally, after a user has been cleared to establish an account, the only way to authenticate and access the Qaravan application is through our enterprise class firewall on a “Norton Secured”, Symantec SSL encrypted network.

By taking rigorous steps like these, we can maintain a high level of security, without compromising your user experience.

“Safe and Sound” Data Retention

Despite our extensive use of banking data, Qaravan stores very little in the way of sensitive information (remember, Call Report and UBPR data are public goods).

The sensitive data we do retain is primarily in the form of user profiles—name, password, email, etc.  As described further in our privacy policy, we will NEVER sell, trade, or otherwise disclose customer information to any party unless legally obligated to do so.  We take the protection of customer data very seriously and guard it with the same security standards we apply to our own intellectual property (privately hosted, firewalled, encrypted, limited access environment, as described above).

With regards to your personal financial information, no credit card information is ever seen or stored by Qaravan. This information is managed entirely by one of the nation’s most trusted payment gateways, Stripe.  Stripe maintains strict “air gapped” encryption key pairs, strong DSS storage protocols, and a Level 1 PCI Compliance rating (the highest in the industry).

And finally, should you ever decide to cancel your Qaravan subscription, the information associated with your account is promptly removed from both Qaravan and Stripe servers.