Security and Compliance

In our cloud environment, we encrypt all data both at rest and during transmission using the best security algorithms such as RSA2048 and AES256. Data sent to or from our infrastructure is encrypted during transmission using industry best practices, using Transport Layer Security (TLS). At rest, all data is encrypted using proven encryption algorithms and stored using secret management services.

By using end-to-end encryption at every stage — at rest, during transmission, or in cloud storage — FinExity services ensure that your data is always safe and secure. Of course, metadata communication between your system and FINEXITY is also encrypted and therefore absolutely secure.

According to the European General Data Protection Regulation of 2018, personal data, particularly with regard to health and wealth, is the property of the person for whom it is intended, and consent to the processing and transfer of this data must be given “freely, specifically and with knowledge of the facts.”

Our work on security and privacy has no end, but is a continuous cycle of research, revision, implementation, testing, fixes, scaling, blocking, and approval. We are constantly working to meet and exceed the requirements of regulators, investors, partners, and users, and we all live the security processes on a daily basis. Security and privacy are an integral part of our corporate culture. After all, security is one of the most elementary components of our services.

All authorized user data at FINEXITY is available to our customers for download until their account is deleted independently. In the case of fixed-term contracts, all user data is available for electronic retrieval for a period of 30 days after expiry or termination of the Master Service Agreement. All data is then completely removed from the FINEXITY servers. Read more about our privacy settings.

The applications developed by FINEXITY and the backend infrastructure, the main entry points for user data, only allow client requests via strong TLS protocols. All communication between the infrastructure maintained by FINEXITY and the data platforms is transmitted via encrypted tunnels.

All of our services run in cloud environments. We don't host or operate our own routers, load balancers, DNS servers, or physical servers. The cloud providers we use regularly undergo an independent review of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP, and many others.

Protecting customer data from modern threats means that products developed using our services must be designed with security in mind. The following practices ensure the highest level of security in our software:

• Applying the Secure Software Development Life Cycle (S-SDLC), which focuses on integrating security into the development cycle
• Develop and continuously maintain a corporate culture that is committed to safety
• Developers regularly attend security training courses to learn about common vulnerabilities, threats, and best practices for secure programming.
• We check our code for security vulnerabilities
• We regularly update our backend infrastructure and software and ensure that there are no known security vulnerabilities.
• We use static application testing (SAST) and dynamic application testing (DAST) to identify fundamental security vulnerabilities in our code base.

Our solutions for monitoring and protecting application security enable us to detect attacks:

• Detect attacks and respond quickly to a data breach
• Monitor exceptions and logs and detect anomalies in our applications, collect and store logs to create an audit trail of our applications' activities
• We also use a run-time protection system that identifies and blocks web attacks and business logic attacks in real time, and security headers to protect our users from attacks.

Our network consists of multiple security zones, which we monitor and protect with trusted firewalls and next-generation firewalls, including IP address filtering, to prevent unauthorized access. We use an intrusion detection and/or prevention (IDS/IPS) solution that monitors and blocks potentially malicious packets, and distributed denial of service (DDoS) mitigation services backed by an industry-leading solution.

If you discover vulnerabilities in our application or infrastructure, please alert our team by contacting security@finexity.com and including a proof of concept with your email. We will respond to your report as quickly as possible and will not take legal action if you follow the responsible disclosure process: security@finexity.com wenden und Ihrer E-Mail einen Konzeptnachweis beifügen. Wir werden so schnell wie möglich auf Ihre Meldung reagieren und keine rechtlichen Schritte einleiten, wenn Sie den Prozess der verantwortungsvollen Offenlegung befolgen:

Please avoid automated testing and perform security tests using only your own data. Please include a proof of concept with your email.Don't disclose information about the vulnerabilities until you have received clear approval.