Civil Rule 26 .Com never asks for or stores an invitee's online banking username or password. Instead, Plaid - the data broker described on the Where the Data Is Stored page - handles the OAuth2-style handshake between the invitee, their financial institution, and the requesting attorney.
Before any data moves, three separate agreements have to be in place. The attorney requests access and the invitee consents to share it. The invitee authorizes their financial institution to work with Plaid. Plaid, in turn, issues the attorney a scoped access token. No single party can shortcut the other two.
When the invitee grants access, they enter their username and password directly on their financial institution's own login page. That key moves in exactly one direction - from the invitee to their institution - and it is never shared with Plaid, the attorney, or Civil Rule 26 .Com.
Once the institution approves, Plaid issues the attorney an access token - a secret key that only works for this one request. Activating it does not hand over the invitee's login; it authorizes a single read-only, time-limited pull of the records the invitee agreed to share, and the invitee can revoke it at any time.
In short: OAuth2 lets an invitee say "yes, this attorney may view these specific records" without ever handing over their banking credentials, and lets them say "no" again later by revoking the grant.
Plaid is the financial data network that makes this possible - it connects banks, brokerages, and fintech apps under a shared set of agreements and APIs. See who uses Plaid on Plaid's own site.