Akoya's approach to security

Written by Akoya | Nov 7, 2022 9:34:03 PM

Akoya’s Mission 

Akoya’s mission is to create trust among consumers, financial institutions, and fintechs to foster mass participation in Open Finance. By helping to transition data aggregation toward application programming interface (API)-based data access, we enable consumers to control access to their information and facilitate seamless integration between fintechs and financial institutions.

Benefits of Akoya’s network include but are not limited to the following: 

  • A single integration with Akoya allows financial institutions to enable API connections with multiple fintechs, eliminating costly maintenance and development efforts. 

  • Akoya handles all downstream fintech relationships (agreements, due diligence, monitoring, etc.) on behalf of the financial institution. 

  • Consumers use the financial institution's portal to grant, modify, or revoke access to their financial data.

  • Security and privacy are improved by eliminating the need for fintechs to store consumers' banking credentials.

  • The technology and access issues associated with screen scraping are eliminated.

Akoya’s Approach to Security 

Akoya was established to reduce the data privacy and security risks associated with traditional financial data aggregation, so naturally security is at the heart of everything we do. Our efforts are focused on implementing the Consumer Financial Protection Bureau’s Consumer Protection Principles. These guidelines ensure that consumer-authorized use of financial data is handled in a manner that fosters innovation and protects the consumer. 

Akoya’s network is optimized for security, transparency, and scalability. Our passthrough model does not copy or store any consumer information, and all outputs follow the Financial Data Exchange (FDX) API standard. All fintechs must pass a rigorous security and risk assessment prior to using Akoya’s network; moreover, these assessments are reviewed regularly and made readily available to financial institutions. We also ensure our network meets the highest security standards, validated through regular security audits such as SOC 2 Type II attestation.

Strategy 

Today’s highly complex, hostile threat environments call for a comprehensive security architecture. Akoya addresses these security challenges by creating a cybersecurity strategy focusing on the following areas: 

  • Risk Management

  • Application Security

  • Information classification and handling

  • Personnel security

  • Least privileges and segregation of duties

  • Encryption of data at rest and in transit

  • Business resiliency and disaster recovery

  • Vulnerability and incident management

  • Independent validation

  • Training and awareness programs

Akoya Security Controls 

Akoya’s security practices embody the guiding principles for securing and protecting information assets, while at the same time supporting Akoya’s business objectives and meeting legal, regulatory, and privacy requirements. 

Risk Management

Akoya uses an array of risk management frameworks, governance, assessments, and threat management solutions to continuously verify and bolster our cyber risk posture.

Infrastructure Security

Infrastructure systems and services are designed with controls commensurate with their service criticality and implemented using a defense-in-depth and diversity-of-defense approach.

Data Security

Consumer information is encrypted with internationally recognized protocols and algorithms such as TLS and AES.  

Access Management

Akoya’s core security principles incorporate role-based access control (RBAC) and a least-privilege access model.  

Software Development Security

Akoya uses a secure, repeatable development methodology for all development processes, including specific coding practices and training, testing, and validation.

Disaster Recovery and Resilience

Akoya’s services are hosted in multiple geographic locations. Additionally, redundant systems are deployed in each location with 24x7 monitoring, automatic scaling, and failover.  

Incident Management

Akoya maintains a framework for identifying, investigating, containing, reporting, mitigating, and minimizing the impact of potential security incidents.  

Compliance and Independent Validation

Akoya’s security program and network are evaluated by financial institutions, independent penetration testers, and audit firms. Akoya also maintains a SOC 2 Type II report to demonstrate our compliance with the SOC 2 standards for security and confidentiality.

Conclusion 

This paper is intended to provide an overview of Akoya’s security program. Our policies are living documents that are regularly reviewed and updated to adapt to evolving business, regulatory, technology, and security requirements. Akoya is continuously improving its processes, procedures, and controls previously outlined in this document, as well as adding new security measures on an ongoing basis to protect against any new and unanticipated cyber threats.