Privacy Statement

Last Updated: October 2015

Is ByAllAccounts (BAA) a vendor-hosted or on-premise client solution?

BAA is a hosted solution that runs in Morningstar’s secure data center. There is an optional client-site
component called Custodial Integrator.

Do you maintain a SSAE16, SOC, or equivalent audit report / certification?

Our primary data center maintains an annual SSAE 16 SOC I Type II report.

How do you ensure the sending or receiving of information is secure?

All sensitive data is encrypted before transmission or storage. Where ByAllAccounts controls the
sending of the sensitive data, “strong” encryption (128-bit or stronger) is used exclusively.

How do you ensure that a user from one firm cannot see the data of another firm?

Data is logically partitioned by customer, and further access determined by role. Access to the data
is only available through ByAllAccounts applications and APIs, which are responsible for enforcing
the partitioning.
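As an added illustration of the partitioning model described above (example code written for this page, not ByAllAccounts or Morningstar code; the record layout, the two roles, the firm and account identifiers and the function names are all assumed), the following shows how an API layer can enforce both controls: every record carries the owning firm's id, the tenant filter is taken from the authenticated principal rather than from a caller-supplied parameter, and the role check is applied only after the tenant check. Looking up a record by id filters within the caller's own partition first, so an identifier belonging to another firm produces the same "not found" result as a nonexistent one.

```python
"""Per-customer (tenant) partitioning with role-based access, enforced in the
application/API layer. Added example for this page; all names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample store: each record is tagged with the firm that owns it.
ACCOUNTS: List[Dict] = [
    {"firm_id": "firm-A", "account_id": "acct-1", "balance": 1500.00},
    {"firm_id": "firm-A", "account_id": "acct-2", "balance": 320.50},
    {"firm_id": "firm-B", "account_id": "acct-3", "balance": 9800.00},
]

# Assumed role model: role -> operations it may perform inside its own firm.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"read"},
    "admin": {"read", "export"},
}


@dataclass(frozen=True)
class Principal:
    """Identity established at authentication time. firm_id is fixed here and
    is never taken from request parameters."""
    user_id: str
    firm_id: str
    role: str


class AccessDenied(Exception):
    pass


def authorize(principal: Principal, operation: str, firm_id: str) -> None:
    """Tenant check first, role check second. Raises AccessDenied on failure."""
    if firm_id != principal.firm_id:
        raise AccessDenied(f"{principal.user_id} may not access firm {firm_id}")
    if operation not in ROLE_PERMISSIONS.get(principal.role, set()):
        raise AccessDenied(f"role {principal.role} may not perform {operation}")


def list_accounts(principal: Principal) -> List[Dict]:
    """API entry point: results are always scoped to the caller's own firm."""
    authorize(principal, "read", principal.firm_id)
    return [r for r in ACCOUNTS if r["firm_id"] == principal.firm_id]


def get_account(principal: Principal, account_id: str) -> Dict:
    """Lookup by id inside the caller's partition only. An id that exists but
    belongs to another firm is indistinguishable from an id that does not exist,
    so the endpoint leaks nothing about other tenants' data."""
    authorize(principal, "read", principal.firm_id)
    for r in ACCOUNTS:
        if r["firm_id"] == principal.firm_id and r["account_id"] == account_id:
            return r
    raise LookupError("no such account in this firm's partition")


def export_accounts(principal: Principal) -> List[str]:
    """Privileged operation: needs the 'export' permission as well as tenancy."""
    authorize(principal, "export", principal.firm_id)
    return [f'{r["account_id"]},{r["balance"]:.2f}' for r in list_accounts(principal)]


if __name__ == "__main__":
    alice = Principal("alice", "firm-A", "viewer")
    print([r["account_id"] for r in list_accounts(alice)])  # only firm-A records
    try:
        get_account(alice, "acct-3")  # belongs to firm-B
    except LookupError as e:
        print("cross-tenant lookup:", e)
```

Because the filter is derived from the authenticated principal, a client cannot widen its view by editing a request, and the denial path for a foreign identifier is identical to the not-found path.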

Is it possible for one of your employees to use login credentials to get at end-client accounts?

Note that the ByAllAccounts aggregation service is a software program and is automated. Someone who knows the login credentials registers these directly in the ByAllAccounts system. They are not given to any Morningstar employee. Morningstar employees also are not using the registered credentials to log into the sites to perform retrieval manually; the software is using them on its own.

During the process of establishing or maintaining the connectivity between a source and
ByAllAccounts, is it possible that a Morningstar employee could come into contact with those login credentials?

The potential risk is determined by the nature of the source itself, the nature of the access granted
to the credentials used, and any additional security measures in place at the financial institution. If
the source provides transactional capabilities, the credentials used have full access to those capabilities, and no further security mechanism (such as an out-of-band one-time security code sent
via email or text message, additional PIN, or challenge questions) is in place, it is possible that an
employee gaining access to the credentials could attempt to trade or move assets. Where available, we attempt to develop interfaces to reporting-only sources and to encourage obtaining login credentials having read-only access.

How long do you keep customer data?

Data retention policy is determined on a per-customer basis. ByAllAccounts is a data middleman,
collecting information from the primary source (e.g., the financial institution where the account is
held) and delivering it to our customers. A small amount of recent historical information is retained
to facilitate processing of information retrieved subsequently. Typical retention is one calendar

What is your SLA for recovery in the event of a disaster?

Our Recovery Time Objective (RTO) from a catastrophic site failure is 72 hours. Note that
ByAllAccounts is not a primary source of any data. Upon resumption of service, the system would
gather from the primary sources any data that went uncollected due to the outage.

Have you observed major outages or unplanned downtime in the last 12 months?

There have been no major outages within the past 12 months.

What is your development and testing approach?

We follow a formal SDLC process, employing an Agile methodology and continuous integration and
testing. We also employ formal test plans (a mix of automated and manual testing) on all releases.

Do you permit custom programming for your application?

We don't permit custom programming of the ByAllAccounts application. We provide an API, and
custom applications or integrations may be built using that API.

What are your system maintenance policies and processes?

Morningstar’s IT systems are subject to formal change management processes and procedures.
Change management procedures ensure that changes to IT systems are performed in a predictable
and orderly manner. Changes are logged, tested, approved, and communicated to system owners
prior to implementation. Systems and supporting applications are normally patched/updated monthly, with patches for any significant security or stability issues applied as soon as possible. All such patching is performed under formal change tracking and approval processes.

Do you have a data privacy and security policy?

ByAllAccounts values and respects the privacy of our customers, partners, and other visitors to our
websites. Our Privacy Policy can be found at