Security and Compliance
Effective Date: June 30, 2024
Protecting personal and confidential customer information is our top priority. In the interest of our customers, our business ethics, and our values, we make no compromises when it comes to data security. As part of this commitment, we work with the highest level of transparency. The following overview describes our constantly evolving security measures.
We comply with the highest security and privacy standards
General Data Protection Regulation (GDPR) - FINEXITY is advised monthly by an external auditor from the German Society for Data Protection on compliance with the GDPR. By complying with the GDPR, we demonstrate our commitment to protecting personal data and enforce a consent-based process for processing it. With the ISO/IEC 27001 certification expected in 2024, we are also raising technical security and ensuring seamless, legally compliant use of IT in our organization. The requirements of the ISO/IEC 27001 standard already serve as the guiding principle of our business activities. Together with an external auditor, we discuss weekly how we can protect FINEXITY even better against information security threats.
Our encryption protocols comply with national security regulations
In our cloud environment, we encrypt all data both at rest and in transit using established algorithms such as RSA-2048 and AES-256. Data sent to or from our infrastructure is encrypted in transit with Transport Layer Security (TLS), following industry best practices. At rest, all data is encrypted with proven algorithms, and the encryption keys are held in secrets management services.
By encrypting data at every stage (at rest, in transit, and in cloud storage), FINEXITY services keep your data protected. Metadata exchanged between your system and FINEXITY is also encrypted in transit.
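The combination named above (AES-256 for the data, RSA-2048 for the keys) is usually implemented as envelope encryption: each record is encrypted under its own random AES-256-GCM data key, and only that key is wrapped with the RSA-2048 public key, so the private key never touches bulk data. The following is an added example written for this page, not FINEXITY's own code. It assumes an in-memory RSA key pair, a made-up OAEP label and a constructed sample record; in a real deployment the private key would live in a secrets manager or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what gets stored: the AES-256 data key wrapped with RSA-2048-OAEP,
// the GCM nonce and the ciphertext (which carries its 16-byte authentication tag).
// Nothing in it recovers the plaintext without the RSA private key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// oaepLabel binds the wrapped key to its purpose; a key wrapped under a
// different label will not unwrap. The label value is an assumption for this demo.
var oaepLabel = []byte("demo-data-key")

// Seal encrypts plaintext under a fresh random AES-256 key with AES-GCM and
// wraps that key with the recipient's RSA public key (OAEP with SHA-256).
// aad is authenticated but not encrypted: pass a record identifier so a
// ciphertext cannot be silently moved to another record.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	if pub.Size() < 256 { // 256 bytes = 2048 bits
		return nil, errors.New("RSA key must be at least 2048 bits")
	}
	dataKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { // only the wrapped copy of the key persists
		dataKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open unwraps the data key with the RSA private key, then authenticates and
// decrypts. A modified ciphertext, nonce, wrapped key or aad yields an error,
// never garbage plaintext.
func Open(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Generated in memory only to keep the example self-contained.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	record := []byte(`{"customer":"42","iban":"DE00 0000 0000 0000 0000 00"}`) // constructed sample
	env, err := Seal(&priv.PublicKey, record, []byte("customer:42"))
	if err != nil {
		panic(err)
	}
	plain, err := Open(priv, env, []byte("customer:42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", plain)
	// The same ciphertext presented under another record's identifier is rejected.
	if _, err := Open(priv, env, []byte("customer:43")); err != nil {
		fmt.Println("aad mismatch rejected:", err)
	}
}
```

Two design points matter in practice: the nonce is random per call and stored next to the ciphertext, because reusing a nonce under one AES-GCM key breaks both confidentiality and integrity, and the record identifier goes into the additional authenticated data, so an attacker with write access to the store cannot swap one customer's ciphertext into another customer's row.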
Our consent-based process gives you control over your personal and protected asset data.
Under the European General Data Protection Regulation, applicable since 2018, personal data, particularly data concerning health and wealth, remains under the control of the person it relates to (the data subject), and consent to the processing and transfer of this data must be "freely given, specific, informed and unambiguous."
We're constantly evolving our security measures to keep pace with the changing threat landscape
Our work on security and privacy has no end; it is a continuous cycle of research, revision, implementation, testing, fixes, scaling, blocking, and approval. We are constantly working to meet and exceed the requirements of regulators, investors, partners, and users, and we all live the security processes on a daily basis. Security and privacy are an integral part of our corporate culture. After all, security is one of the most fundamental components of our services.
The storage and deletion of data is standardized and is at the discretion of our users
All authorized user data at FINEXITY is available to our customers for download until they delete their account themselves. For fixed-term contracts, all user data remains available for electronic retrieval for 30 days after expiry or termination of the Master Service Agreement. After that, all data is completely removed from the FINEXITY servers. Read more about our privacy settings.
We establish strong defense mechanisms at entry points
The applications developed by FINEXITY and the backend infrastructure, the main entry points for user data, accept client requests only over strong TLS protocol versions. All communication between the infrastructure maintained by FINEXITY and the data platforms travels over encrypted tunnels.
We take all necessary infrastructure measures
All of our services run in cloud environments. We don't host or operate our own routers, load balancers, DNS servers, or physical servers. The cloud providers we use regularly undergo an independent review of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP, and many others.
Secure code: transparent development with security in mind
Protecting customer data from modern threats means that the products built on our services must be designed with security in mind. The following practices ensure the highest level of security in our software:
- We apply a Secure Software Development Life Cycle (S-SDLC), which integrates security into every phase of development.
- We build and continuously maintain a corporate culture committed to security.
- Our developers regularly attend security training to learn about common vulnerabilities, threats, and secure programming practices.
- We review our code for security vulnerabilities.
- We regularly update our backend infrastructure and software and ensure that no known security vulnerabilities remain.
- We use static application security testing (SAST) and dynamic application security testing (DAST) to identify fundamental security vulnerabilities in our code base.
Our application security monitoring and protection solutions enable us to:
- Detect attacks and respond quickly to a data breach
- Monitor exceptions and logs, detect anomalies in our applications, and collect and store logs to create an audit trail of application activity
- Run a runtime protection system that identifies and blocks web attacks and business-logic attacks in real time, and set security headers that protect our users' browsers from attacks
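Two of the controls above, "client requests only over strong TLS protocols" at the entry points and "security headers" on responses, are concrete server configuration. The following is an added example for this page, not FINEXITY's code, showing both in Go's standard library: a TLS policy that refuses anything below TLS 1.2 and, for TLS 1.2, only forward-secret AEAD suites, plus a middleware that stamps every response with browser hardening headers. It starts an in-process HTTPS server with httptest's throwaway localhost certificate so the policy can be probed offline; the header values are one reasonable baseline, not FINEXITY's actual policy.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// SecurityHeaders wraps any handler so every response carries headers that make
// the browser refuse plaintext downgrades, framing, MIME sniffing and foreign script.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		next.ServeHTTP(w, r)
	})
}

// StrictTLSConfig accepts TLS 1.2 and 1.3 only. TLS 1.3 suites are fixed by the
// library; for TLS 1.2 it allows only ECDHE (forward secrecy) with AEAD ciphers,
// so CBC suites and static RSA key exchange are never negotiated.
func StrictTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// NewDemoServer starts an in-process HTTPS server (httptest supplies a
// throwaway localhost certificate) with the strict TLS policy and the header
// middleware. The caller must Close it.
func NewDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	ts := httptest.NewUnstartedServer(SecurityHeaders(mux))
	ts.TLS = StrictTLSConfig()
	ts.StartTLS()
	return ts
}

// ProbeVersion performs a handshake offering at most maxVersion, the way a
// legacy client or a downgrade attempt would. A nil error means the server
// accepted that version.
func ProbeVersion(ts *httptest.Server, maxVersion uint16) error {
	pool := x509.NewCertPool()
	pool.AddCert(ts.Certificate())
	conn, err := tls.Dial("tcp", ts.Listener.Addr().String(), &tls.Config{
		RootCAs:    pool,
		MinVersion: tls.VersionTLS10, // let the client offer old versions; the server must refuse
		MaxVersion: maxVersion,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Fetch makes a normal request and returns the response headers and the TLS
// version that was actually negotiated.
func Fetch(ts *httptest.Server) (http.Header, uint16, error) {
	resp, err := ts.Client().Get(ts.URL + "/")
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	return resp.Header, resp.TLS.Version, nil
}

func main() {
	ts := NewDemoServer()
	defer ts.Close()
	hdr, ver, err := Fetch(ts)
	if err != nil {
		panic(err)
	}
	fmt.Printf("negotiated 0x%04x, HSTS=%q\n", ver, hdr.Get("Strict-Transport-Security"))
	fmt.Println("TLS 1.1 offer:", ProbeVersion(ts, tls.VersionTLS11))
}
```

The same StrictTLSConfig can be handed to a production http.Server as its TLSConfig, with the CA-issued certificate loaded into Certificates. The probe is the check a practitioner actually wants: not that the config says TLS 1.2, but that a client offering only TLS 1.0/1.1 is turned away at the handshake.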
We practice rigorous network-level security monitoring and protection
Our network is divided into multiple security zones, which we monitor and protect with trusted firewalls and next-generation firewalls, including IP address filtering, to prevent unauthorized access. We use an intrusion detection and/or prevention (IDS/IPS) solution that monitors and blocks potentially malicious packets, and distributed denial of service (DDoS) mitigation services backed by an industry-leading provider.
We promote responsible disclosure
If you discover a vulnerability in our application or infrastructure, please alert our team by emailing security@finexity.com and include a proof of concept. We will respond to your report as quickly as possible and will not take legal action if you follow the responsible disclosure process:
- Avoid automated testing and perform security tests using only your own data.
- Include a proof of concept with your email.
- Do not disclose information about the vulnerability until you have received explicit approval.