Last Updated: October 2015
BAA is a hosted solution that runs in Morningstar’s secure data center. There is an optional client-site
component called Custodial Integrator.
Our primary data center maintains an annual SSAE 16 SOC 1 Type II report.
All sensitive data is encrypted before transmission or storage. Where ByAllAccounts controls the
sending of the sensitive data, “strong” encryption (128-bit or stronger) is used exclusively.
Data is logically partitioned by customer, and access within a customer's partition is further determined
by role. Access to the data is available only through ByAllAccounts applications and APIs, which are
responsible for enforcing
Note that the ByAllAccounts aggregation service is automated software. The person who knows the
login credentials registers them directly in the ByAllAccounts system; they are not given to any
Morningstar employee. Morningstar employees do not use the registered credentials to log into the
source sites and perform retrieval manually; the software uses them on its own.
The potential risk is determined by the nature of the source itself, the nature of the access granted
to the credentials used, and any additional security measures in place at the financial institution. If
the source provides transactional capabilities, the credentials used have full access to those
capabilities, and no further security mechanism (such as an out-of-band one-time security code sent
via email or text message, an additional PIN, or challenge questions) is in place, it is possible that an
employee gaining access to the credentials could attempt to trade or move assets. Where available, we
prefer to build interfaces to reporting-only sources and encourage customers to obtain login
credentials that have read-only access.
Data retention policy is determined on a per-customer basis. ByAllAccounts is a data middleman,
collecting information from the primary source (e.g., the financial institution where the account is
held) and delivering it to our customers. A small amount of recent historical information is retained
to facilitate processing of information retrieved subsequently. Typical retention is one calendar
Our Recovery Time Objective (RTO) from a catastrophic site failure is 72 hours. Note that
ByAllAccounts is not a primary source of any data. Upon resumption of service, the system would
gather from the primary sources any data that went uncollected due to the outage.
There have been no major outages within the past 12 months.
We follow a formal SDLC process, employing an Agile methodology and continuous integration and
testing. We also employ formal test plans (a mix of automated and manual testing) on all releases.
We do not permit custom modifications to the ByAllAccounts application itself. We provide an API, and
custom applications or integrations may be built against that API.
Morningstar’s IT systems are subject to formal change management processes and procedures.
Change management procedures ensure that changes to IT systems are performed in a predictable
and orderly manner. Changes are logged, tested, approved, and communicated to system owners
prior to implementation. Systems and supporting applications are normally patched/updated monthly,
with patches for any significant security or stability issues applied as soon as possible. All such
patching is performed under formal change tracking and approval processes.
ByAllAccounts values and respects the privacy of our customers, partners, and other visitors to our