About

How access to financial records works, who is exchanging information, and where the underlying data is stored.

Jump to: Data Sharing · Where Data Is Stored · OAuth2 API

Who's Exchanging Information

Three parties take part in every discovery request, and each one has a different concern to resolve before financial information changes hands.

The Attorney Needs a Complete Record

In lieu of a formal Subpoena Duces Tecum, the attorney sends a secure, one-time invite link asking the client to share their financial account statements and transaction history. The attorney's real concern isn't the request itself - it's completeness. It's easy to overlook an account the client rarely mentions, or to end up with a gap of a month or two in the statements. A discovery record is only as good as what it includes.

AttorneyEvery account. Every month.Checking — Bank ABrokerage — Bank BAnother account? Easy to overlook.A month or two of statements missing?A complete request removes the guesswork.
The attorney's worry: an overlooked account, or a missing month or two of statements.

The Client Stays in Control

When the client receives that request, they need a straightforward way to respond - grant access to the requesting attorney, and just as easily revoke it later. Nothing about the grant is permanent or one-directional.

Attorneyrequests financial recordsClientGrant AccessRevoke AccessThe client can switch between these at any time.Either choice applies immediately to the attorney's access.
The client's answer: grant access, or revoke it - either way, at any time.

The Institution Verifies Before It Shares

The financial institution wants to honor its client's wishes, but it can't take a request at face value. Before any data moves, the institution confirms that the party asking for it is the one the client actually authorized - not merely someone who claims to be.

AttorneyHas the client'saccess tokenAnyone elseNo valid tokenVerifies the token matchesthe client's authorizationauthorizedFinancial InstitutionWants to honor the client's wishesData only moves once the institution confirms the requester is who theclient actually authorized — not just someone who asked.
The institution's condition: only a verified, client-authorized token unlocks the data.

Put together, these three concerns are what the access-token system resolves: the attorney gets a request built for completeness, the client keeps a revocable grant, and the institution never releases records without verifying the client's authorization first.

Plaid is the financial data network that makes this possible - it connects banks, brokerages, and fintech apps under a shared set of agreements and APIs. See who uses Plaid on Plaid's own site.

Where the Data Is Stored

Civil Rule 26 .Com does not warehouse invitees' financial data. The records themselves stay with the financial institutions that issued them, and only move as far as a signed authorization allows.

  1. Financial institutions hold the data. Every account statement and transaction lives with the bank, credit union, or brokerage that issued it, wherever in the world that institution is located.
  2. Plaid aggregates it under formal agreements. The data broker Plaid has formal agreements with financial institutions worldwide and pulls authorized records into one place on the invitee's behalf.
  3. Financial institutions are the only party with login credentials. The invitee's username and password are entered only at their institution's own login page. Plaid, the attorney, and Civil Rule 26 .Com never see them.
  4. Invitees create the token; Plaid manages it. When an invitee grants access, they create an access token that Plaid holds and manages, scoped to a specific attorney.
  5. The attorney gets data from Plaid, and only from Plaid. The attorney uses that token to retrieve the authorized records directly from Plaid, and does not share that data with anyone else.
Financial InstitutionHolds all account statementsand transaction historyNo copies exist outside the institution until access is granted.
All financial data resides at the financial institution that issued it.
provides securitycredentialsprovidesapprovalprovidesaccess tokenInviteeFinancialInstitutionPlaidAttorney
The invitee's credentials and approval flow from the financial institution to Plaid, which issues the attorney an access token.
AttorneyViews data viathe access tokenpresents access tokenreturns financial informationPlaidAggregates financial datafrom the invitee's institutionsand holds it in one place
The attorney uses that token to view financial information Plaid aggregates and holds.

Plaid is the financial data network that makes this possible - it connects banks, brokerages, and fintech apps under a shared set of agreements and APIs. See who uses Plaid on Plaid's own site.

How the OAuth2 API Works

Civil Rule 26 .Com never asks for or stores an invitee's online banking username or password. Instead, Plaid - the data broker described above - handles the OAuth2-style handshake between the invitee, their financial institution, and the requesting attorney.

Three Parties Come to an Agreement

Before any data moves, three separate agreements have to be in place. The attorney requests access and the invitee consents to share it. The invitee authorizes their financial institution to work with Plaid. Plaid, in turn, issues the attorney a scoped access token. No single party can shortcut the other two.

requests & consentsinvitee authorizes institutionissues access tokenAttorneyInviteePlaid
Three separate agreements, one for each pair, before any record is released.

The Invitee's Credentials Stay With the Institution

When the invitee grants access, they enter their username and password directly on their financial institution's own login page. That key moves in exactly one direction - from the invitee to their institution - and it is never shared with Plaid, the attorney, or Civil Rule 26 .Com.

Inviteelogin credentials (the key)Financial InstitutionPlaid & the Attorneynever shared
Login credentials travel one way only: invitee to institution.

The Attorney Activates a Scoped Secret Key

Once the institution approves, Plaid issues the attorney an access token - a secret key that only works for this one request. Activating it does not hand over the invitee's login; it authorizes a single read-only, time-limited pull of the records the invitee agreed to share, and the invitee can revoke it at any time.

Attorneysecret keyactivatesActivated for this requestRead-onlyTime-limitedRevocablepresents atFinancial Institution
Activation authorizes one scoped request - not standing access to the account.

In short: OAuth2 lets an invitee say "yes, this attorney may view these specific records" without ever handing over their banking credentials, and lets them say "no" again later by revoking the grant.

Plaid is the financial data network that makes this possible - it connects banks, brokerages, and fintech apps under a shared set of agreements and APIs. See who uses Plaid on Plaid's own site.