Security
The importance of security and compliance will continue to grow as more companies adopt fintech. GO is a platform that offers a secure onboarding experience for users without requiring any coding expertise. With GO, banks and NBFCs can quickly create and deploy user-friendly onboarding flows tailored to their specific needs.
A significant advantage of GO is its security. With built-in security features and encryption in place, banks and NBFCs can be confident that their users' data is protected at all times. This provides peace of mind for them and their customers and also helps to build trust and credibility for their brand.
In a public cloud environment, one way to provide extra protection for customers' data is to run the service inside a virtual private cloud (VPC). A VPC is a logically isolated network carved out of the provider's shared, on-demand resource pools, so one customer's data and resources are separated from those of other customers. Within this environment:
- Two-factor Authentication enabled in the VPC environment.
- Disk-level encryption with RSA 2048-bit encryption.
- An SSH key is generated for each unique user and is destroyed when that user departs. SSH keys are never reused.
- Centralized Key Management done by the Signzy IT Team. Monitoring & logging for User Activity is enabled.
- There is no direct access from the user interface layers to the database layers.
- Applications & Systems are ISMS Audited and compliant with ISO 27001 guidelines.
- Application executable files and source code are restricted from unauthorized access.
- Session timeouts can be set as per office hours and Logins can be restricted.
- Privilege and access management governs what each user is granted and can access.
- A password management policy is in place. Password complexity, automatic expiry, lockout after a designated number of invalid attempts, the lockout timer, forced change on first login, and a secure reset option can all be configured before implementation.
- Security logging: Security events, audit trails, and logs of administrator and user activity are enabled to monitor for and detect suspicious activity.
- Application Security: Signzy can provide, maintain, and support its software and subsequent updates, upgrades, and bug fixes such that the software is and remains secure from vulnerabilities.
- IP Whitelisting: Signzy has the capability of IP whitelisting to restrict platform access from a limited number of known locations / IP addresses both for accessing the service as well as for accessing Platform administrative consoles.
- TLS 1.2 or later is recommended for all communication.
- Endpoint Firewall enabled on each server.
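The IP whitelisting and lockout bullets above describe policy, not mechanism. The following is an added illustration (not Signzy's code, and not how the GO platform implements these controls) of how the two combine at a login endpoint: the source address is checked against an allowlist of CIDR ranges first, then the account's lockout state, and only then the password. The policy values, the in-memory account store, the fixed salt and the sample attempts are all assumptions for this example.

```python
"""Login gate combining an IP allowlist with a configurable account lockout.

Added illustration, not Signzy's code. Policy values, the in-memory store,
the fixed salt and the sample users are assumptions made for this example.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_invalid_attempts: int = 5   # assumed value: lock after 5 failures
    lockout_seconds: int = 900      # assumed value: 15-minute lockout timer


@dataclass
class AccountState:
    password_hash: bytes
    invalid_attempts: int = 0
    locked_until: float = 0.0       # epoch seconds; 0 means not locked


def hash_password(password: str) -> bytes:
    # Constructed example: a fixed salt keeps the demo deterministic.
    # Real code uses a random per-user salt (or argon2/bcrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 100_000)


class LoginGate:
    def __init__(self, allowed_networks, policy: LockoutPolicy = LockoutPolicy()):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def add_user(self, username: str, password: str) -> None:
        self.accounts[username] = AccountState(hash_password(password))

    def ip_allowed(self, source_ip: str) -> bool:
        """True if source_ip falls inside any allowlisted network."""
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False                 # malformed address is never allowed
        return any(addr in net for net in self.allowed)

    def login(self, username: str, password: str, source_ip: str, now: float) -> str:
        """Return 'ok' or a 'denied:<reason>' string; `now` is epoch seconds."""
        if not self.ip_allowed(source_ip):
            return "denied:ip_not_allowlisted"
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password, so usernames cannot be enumerated.
            return "denied:bad_credentials"
        if now < acct.locked_until:
            return "denied:locked"       # lockout timer still running
        if hmac.compare_digest(acct.password_hash, hash_password(password)):
            acct.invalid_attempts = 0    # success resets the failure counter
            return "ok"
        acct.invalid_attempts += 1
        if acct.invalid_attempts >= self.policy.max_invalid_attempts:
            acct.locked_until = now + self.policy.lockout_seconds
            acct.invalid_attempts = 0    # counter restarts when the lock expires
            return "denied:locked"
        return "denied:bad_credentials"
```

The source address must come from the transport connection or from a header set by a proxy you control; an allowlist evaluated on a client-supplied header such as X-Forwarded-For is trivially bypassed. Note also that the lockout is keyed on the account, so an attacker who knows a username can lock it out deliberately; that is the usual trade-off behind a short lockout timer rather than a permanent lock.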
Understanding TLS
The Transport Layer Security (TLS) protocol, the successor to Secure Sockets Layer (SSL), encrypts data before it is sent over a network so that it cannot be read or altered in transit.
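Recommending TLS 1.2 only matters if the client enforces it. The block below is an added example, written for this page rather than taken from Signzy or the GO platform, using Python's standard `ssl` module: the first context is the permissive one that quick integration scripts tend to ship with, the second pins a TLS 1.2 floor with certificate and hostname verification, and `meets_policy` reports which of those requirements a given context fails. The `cafile` parameter is an assumption; the defaults use the system trust store.

```python
"""Weak versus hardened client TLS contexts, plus a policy check.

Added example, not from the page or Signzy. Uses only Python's standard
ssl module; the cafile parameter is an assumption (None = system store).
"""
import ssl
from typing import List, Optional

TLS_FLOOR = ssl.TLSVersion.TLSv1_2   # the minimum this page recommends


def legacy_client_context() -> ssl.SSLContext:
    """The 'it just works' context: no chain verification, no hostname check,
    and whatever protocol floor the underlying OpenSSL build allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context enforcing TLS 1.2+, chain verification and hostname check."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = TLS_FLOOR   # refuse TLS 1.0 / 1.1 at handshake time
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def meets_policy(ctx: ssl.SSLContext) -> List[str]:
    """Return the policy violations of a client context (empty list = OK)."""
    problems = []
    if ctx.minimum_version < TLS_FLOOR:
        problems.append(f"protocol floor {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    return problems


if __name__ == "__main__":
    print("legacy  :", meets_policy(legacy_client_context()))
    print("hardened:", meets_policy(hardened_client_context()))
```

Use `hardened_client_context()` wherever the code opens a socket or hands a context to an HTTP client; the floor is enforced by OpenSSL during the handshake, so a server that only speaks TLS 1.0 or 1.1 fails to connect rather than silently downgrading.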
What is an Endpoint Firewall
An endpoint web application firewall (endpoint WAF) runs inside the application itself rather than in front of it. Because it is aware of the software the site is built on, it can make decisions using application context: which component handles a request, whether the visitor is authenticated, and what permissions that visitor holds.
- Each cluster is assigned its own unique SSH key (RSA 2048-bit).
- Access to each database is controlled by its own unique set of credentials.
- Each database user's permissions are limited by the principle of least privilege, with read and write access granted only where required.
- The data storage location is governed by local regulations. Storage options are available currently in India only, to comply with regional data privacy laws.
- The data time-to-live (TTL) can be configured according to each customer's requirements.
- The Data Purge API can be configured per customer so that data is deleted automatically according to that customer's retention preferences. No explicit API calls are needed, because the purge can be scheduled to run automatically through a cron configuration.
- Audit logs are backed up daily to an external & isolated Signzy-owned access-controlled Amazon S3 Bucket.
- The storage duration for PII data is defined by regulatory mandates. For regulatory compliance reasons, PII data is not backed up automatically; backups can be enabled for an individual client.
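The TTL and scheduled-purge bullets above describe what a retention job must do: apply each customer's per-data-class TTL, leave anything without a configured TTL alone, and delete only what has actually expired. The following is an added example of that selection logic, written for this page and not the Data Purge API itself; the record layout, the data classes (`pii`, `session`, `audit`), the customer names and the TTL values are all constructed assumptions. A cron entry would call `purge(store, now, dry_run=False)` on whatever store the real service uses.

```python
"""Retention-driven purge selection with per-customer, per-data-class TTLs.

Added example, not Signzy's Data Purge API. Record layout, data classes,
customers and TTL values are constructed assumptions for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    customer: str
    data_class: str          # assumed classes: "pii", "session", "audit"
    created_at: datetime     # must be timezone-aware


# Assumed per-customer retention config in days. "audit" has no TTL here
# because audit logs are retained and backed up separately on this page.
RETENTION_DAYS: Dict[str, Dict[str, int]] = {
    "bank-a": {"pii": 90, "session": 7},
    "bank-b": {"pii": 30, "session": 1},
}

# Fixed reference time so the constructed sample data is deterministic.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def expired(record: Record, now: datetime, config: Dict[str, Dict[str, int]]) -> bool:
    """True when the record's age has reached its configured TTL."""
    ttl: Optional[int] = config.get(record.customer, {}).get(record.data_class)
    if ttl is None:
        return False                      # no TTL configured: never purge implicitly
    if record.created_at.tzinfo is None:
        # A naive timestamp cannot be compared safely; refuse rather than guess.
        raise ValueError(f"{record.record_id}: naive timestamp, refusing to purge")
    return record.created_at + timedelta(days=ttl) <= now


def select_for_purge(records: Iterable[Record], now: datetime,
                     config: Dict[str, Dict[str, int]] = RETENTION_DAYS) -> List[str]:
    return [r.record_id for r in records if expired(r, now, config)]


def purge(store: Dict[str, Record], now: datetime,
          config: Dict[str, Dict[str, int]] = RETENTION_DAYS,
          dry_run: bool = True) -> List[str]:
    """Delete expired records from `store` in place (unless dry_run).
    Returns the ids that were, or would be, removed."""
    ids = select_for_purge(list(store.values()), now, config)
    if not dry_run:
        for rid in ids:
            del store[rid]
    return ids


def sample_store() -> Dict[str, Record]:
    """Constructed sample data relative to NOW."""
    days = lambda n: NOW - timedelta(days=n)
    records = [
        Record("a-pii-old", "bank-a", "pii", days(100)),     # past 90-day TTL
        Record("a-pii-new", "bank-a", "pii", days(10)),      # within TTL
        Record("a-audit-old", "bank-a", "audit", days(400)), # no TTL: keep
        Record("b-pii-edge", "bank-b", "pii", days(30)),     # exactly at TTL
        Record("b-sess-old", "bank-b", "session", days(2)),  # past 1-day TTL
    ]
    return {r.record_id: r for r in records}


if __name__ == "__main__":
    store = sample_store()
    print("would purge:", purge(store, NOW))                 # dry run
    print("purged:", purge(store, NOW, dry_run=False))
    print("remaining:", sorted(store))
```

Run the job in dry-run mode first and log the selected ids; a mis-set TTL on a purge that runs unattended from cron is irreversible, which is also why the example refuses to act on naive timestamps rather than assuming a timezone.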
Getting help
Please feel free to contact us if you have any questions, require clarification, or have ideas for how to make the documents or any of our services better.
You can reach out to us at [email protected].