Quo Finance is a mobile subscription app that helps you easily set and achieve your lifestyle and financial goals. CEO Tucker Haas recently sat down with us to discuss the critical role data security plays in their product and why they decided outsourcing would keep customer data safest.
Note: The following has been edited for length and clarity. You can see the full discussion here.
What does Quo do and how does it help people achieve their financial goals?
Quo is a subscription mobile app that helps you easily set and achieve your lifestyle and financial goals. Most large financial and lifestyle goals are very difficult to navigate and they can feel very out of reach. We all want to travel more, buy a home, a car... save money for an emergency fund, whatever it is, but we end up having to string together tons of tools and information to do so. And we ultimately pay a much higher price with our time and money because of the lack of a clear path and integrated solutions to really go out and achieve these goals. And so we built Quo to help you achieve these goals faster with personalized tools that pull together all of that information. We combine that with discounts and rewards that can actually pull those goals even closer and help you achieve them even faster.
As a fintech, you handle a lot of sensitive data. When and how did you start thinking about the implications of that sensitive data, and how to handle it?
Security and regulation was something that we knew was not our forte as we were building Quo, and it was something that we were constantly thinking about how can we be sure that we are protecting our users’ information, make sure that we are respecting their privacy and make sure that we're able to sleep at night knowing that a hacker is not going to come in and steal 1000s of social security numbers. It really was something that, from the start, gave me a lot of anxiety, actually, because it was something that I had not dealt with before. Because of that, what we did was...
from the beginning, we tried to create a foundation of how do you build secure applications, how do you build something that, in its DNA, and in the way that we architect our systems, so we don't have to worry about this problem. It’s really about pulling together the great tools out there like Very Good Security, the great tools within Google Cloud, to divorce ourselves from the problem as much as possible
...to make it so that we don't have to constantly consider how are we going to protect our information and make sure that we're not going to lose to hackers. Really from the beginning, it was something that was top of mind, and it was something that I think, not enough companies also put enough emphasis on because it can be an advantage in a lot of ways.
Did you ever think about taking a Do It Yourself (DIY) approach to data security and compliance?
Before Quo I worked on a health medical device startup, and that was also very software-based. At that company, we ended up building a lot of that infrastructure ourselves and having to deal with a similar regulation of HIPAA compliance. It varies quite a bit from FinTech compliance but it's still a very intense compliance structure. And so I saw the foils of that, trying to create that infrastructure yourself because as you mentioned there, you get very distracted from your core competencies very quickly.
And so, as we were starting Quo, it was really a choice that was very easy for me to make. There were some pieces of information that I knew that we would want to keep locally so that we would access them more often, things like first and last name, stuff that is still sensitive and you may not want leaked out, but at the same time is easier to protect... you can have a little bit less anxiety about.
But when we were looking at those very sensitive pieces of information like social security numbers and government IDs and income and W2 statements, that's something that we instantly said...
This is not our competency. What we are really trying to do is not build the most secure applications in the world. We're trying to better the financial health of our customers… We need that security and trust, but we don't need to own the infrastructure itself to be able to have that. And there are people out there who are much better at it than us. And so for us, it was a very easy trade-off to say let's ship that over to these infrastructure partners.
What advice would you give to other companies in your situation?
Often, data security and regulation, especially, is seen as sort of this side problem, this thing that's in the way and it's kind of the enemy; it slows down product strategy and iteration, causes headaches in development, but I do think that, at the same time, it can be a difference-maker. It is something that is incredibly important to be able to consider. So, the biggest piece of advice I can give is don't ignore it. Actually, put some time and effort into it because no amount of business strategy or growth can overcome, you know, a huge security failure or data leak, and that can really be a death knell for a young company.
Don't ignore [data security], but find ways to optimize it. You don't have to take the...approach where you're building everything yourself. Working with companies like VGS to secure those most sensitive pieces of information lets you focus on keeping that fast product strategy and iteration. Actually being able to build out that growth strategy and not worrying about "is my data safe?"
What effect has your relationship with VGS had on your ability to start new partnerships or achieve business goals?
When we're building out all of those horizontal and vertical creations, know that that means working with tons of different partners. I know I mentioned the credit bureaus being one specific lead. That was something that was not very easy because credit bureaus have some legacy infrastructure and technology and they have some very specific ways that they want you to connect to their services. We just gave a call to VGS and said “hey, we need to connect to this partner,” and we were done in a day. And so, it's really been super simple for us to be able to shepherd that data to whoever it needs to get to, whether it's a credit bureau to a banking partner or whomever.
It really makes those partnerships 10 times easier because we're not having to convince them that we're securing all of this information. We can say, go look at VGS and see all of the certifications that they have, and all of the data security practices that they have. Then we're not stuck in security review experience for six months, it's “okay great, we've done it with VGS before, we know they're great, let's do this in, you know, 30 days.”