Our security program is aligned to the ISO 27001 standard and is regularly audited and assessed by third parties and customers.
Personnel security practices apply to all employees at Cybrilla who have direct or indirect access to Fintech Primitives internal information systems (“systems”). All employees are required to understand and follow internal policies and standards. Before gaining initial access to systems, all employees must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting. Upon termination of work at Cybrilla, all access to internal systems is removed immediately.
Fintech Primitives evaluates the design and operation of its overall ISMS for compliance with internal and external standards. Fintech Primitives engages credentialed assessors to perform external audits at least once per year. Audit results are shared with senior management and all findings are tracked to resolution.
Fintech Primitives employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. These professionals review products and features for compliance with applicable legal and regulatory requirements.
Fintech Primitives adheres to the cyber security practices laid down by SEBI for mutual fund distributors and AMCs. This ensures that the platform also stays compliant from the regulator’s perspective.
The focus of the security program at Fintech Primitives is to prevent unauthorized access to customer data. To that end, we take exhaustive steps to identify and mitigate risks, implement best practices, and constantly develop ways to improve.
The following data points are extremely critical, and all policies are devised to protect the confidentiality, integrity and availability of this data.
All tenants must create an HMAC authentication token to access the production environment.
All data transmitted between Fintech Primitives customers and the Fintech Primitives service is protected with strong encryption protocols. Fintech Primitives supports the latest recommended secure cipher algorithms, such as AES-256-CBC, to encrypt all traffic in transit. All APIs are accessed only over HTTPS (SSL/TLS).
Data at rest in Fintech Primitives production network is stored in an encrypted format, which applies to all types of data at rest within Fintech Primitives systems—relational databases, file stores, database backups, etc. All encryption keys are stored in a secure server on a segregated network with very limited access. Fintech Primitives has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.
Each Fintech Primitives customer’s data is hosted in our shared infrastructure and logically separated from other customers’ data. We use a combination of storage technologies such as Amazon RDS to ensure customer data is protected from hardware failures and is returned quickly when requested. We have also configured RDS in Multi-AZ mode for enhanced availability and durability (each AZ is physically independent and engineered to be highly reliable). The Fintech Primitives service is hosted in data centers maintained by an industry-leading service provider (AWS), offering state-of-the-art physical protection for the servers and infrastructure that make up the Fintech Primitives operating environment.
Fintech Primitives uses both internal and external monitoring services to monitor the platform. Administrative access, use of privileged commands, and system calls on all servers in the production network are logged and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. All production logs are stored in a separate network that is restricted to the relevant security personnel. Fintech Primitives uses the latest available monitoring stack, including but not limited to the ELK stack for log analysis, Amazon CloudWatch for infrastructure monitoring, and Monitis for external API uptime monitoring.
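The paragraph above says privileged-command use is logged and that log analysis is automated to alert responsible personnel. As an added example of what such an automated check looks like (not code or log data from Fintech Primitives), the block below parses constructed sudo entries in syslog format and raises alerts for three conditions a defender would want to see: a sudo attempt by an account not in sudoers, repeated failed sudo authentication, and a privileged command run by an account outside an assumed approved-administrator set.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in sudo's syslog format; hosts, users and
# commands are invented for the illustration.
SAMPLE_LOGS = """\
Jan 12 10:01:02 prod-api-01 sudo: ops-alice : TTY=pts/0 ; PWD=/home/ops-alice ; USER=root ; COMMAND=/usr/bin/systemctl restart api
Jan 12 10:03:17 prod-api-01 sudo: dev-carol : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/dev-carol ; USER=root ; COMMAND=/usr/bin/less /var/log/app.log
Jan 12 10:04:40 prod-db-02 sudo: contractor-bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/contractor-bob ; USER=root ; COMMAND=/usr/bin/psql
Jan 12 10:05:01 prod-db-02 sudo: ops-alice : TTY=pts/0 ; PWD=/home/ops-alice ; USER=root ; COMMAND=/usr/bin/pg_dump fpdb
Jan 12 10:06:22 prod-api-01 sudo: dev-carol : TTY=pts/1 ; PWD=/home/dev-carol ; USER=root ; COMMAND=/usr/bin/vim /etc/app/config.yml
"""

# "<month> <day> <time> <host> sudo: <user> : <detail>"
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<detail>.*)$"
)
COMMAND = re.compile(r"COMMAND=(?P<cmd>.*)$")

# Assumed set of accounts allowed to run privileged commands in production.
APPROVED_ADMINS: Set[str] = {"ops-alice"}


def parse_sudo_events(text: str) -> List[Dict[str, str]]:
    """Turn raw syslog text into structured sudo events; non-sudo lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        c = COMMAND.search(ev["detail"])
        ev["cmd"] = c.group("cmd").strip() if c else ""
        events.append(ev)
    return events


def find_alerts(events: List[Dict[str, str]], approved: Set[str]) -> List[Dict[str, str]]:
    """Apply the three detection rules and return one alert record per hit."""
    alerts = []
    for ev in events:
        detail = ev["detail"]
        if "NOT in sudoers" in detail:
            reason = "sudo attempt by account not in sudoers"
        elif "incorrect password attempts" in detail:
            reason = "repeated failed sudo authentication"
        elif ev["user"] not in approved:
            reason = "privileged command by account outside approved admin set"
        else:
            continue  # approved admin, successful sudo: logged, not alerted
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "cmd": ev["cmd"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_sudo_events(SAMPLE_LOGS), APPROVED_ADMINS):
        print(f"[ALERT] {a['ts']} {a['host']} user={a['user']} cmd={a['cmd']!r}: {a['reason']}")
```

The approved-admin rule is the one that needs care in practice: it is only as good as the list it checks against, so the same quarterly access review the page describes should also reconcile that list with the accounts actually present in sudoers.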
Fintech Primitives uses the Amazon AWS platform and infrastructure. Physical security is governed by the AWS policies around it. In addition to physical security, being on AWS also provides us with significant protection against network security issues like
To minimize the risk of data exposure, Fintech Primitives adheres to the principle of least privilege and role-based permissions when provisioning access. Employees are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. All production access is reviewed at least quarterly. Provisioning controls include performing all activities on a remote AWS server, masking all sensitive data points, and restricting access to a whitelisted IP address.
Each customer is treated as a separate tenant that has a separate database and an independent access control to access the associated data.
Fintech Primitives utilizes services deployed by its hosting provider (AWS) to ensure backup and recovery of applications and data. We have incorporated various approaches including, but not limited to, the following -
Fintech Primitives has an existential interest in protecting your data. Every person, team, and organization deserves and expects their data to be secure and confidential. Safeguarding this data is a critical responsibility we have to our customers, and we continue to work hard to maintain that trust.