Akoya’s mission is to create trust among consumers, financial institutions, and fintechs to foster mass participation in Open Finance. By helping to transition data aggregation toward application programming interface (API)-based data access, we enable consumers to control access to their information and facilitate seamless integration between fintechs and financial institutions.
Benefits of Akoya’s network include but are not limited to the following:
Akoya was established to reduce the data privacy and security risks associated with traditional financial data aggregation, so naturally security is at the heart of everything we do. Our efforts are focused on implementing the Consumer Financial Protection Bureau’s Consumer Protection Principles. These guidelines ensure that consumer-authorized use of financial data is handled in a manner that fosters innovation and protects the consumer.
Akoya’s network is optimized for security, transparency, and scalability. Our passthrough model does not copy or store any consumer information, and all outputs follow the Financial Data Exchange (FDX) API standard. All fintechs must pass a rigorous security and risk assessment prior to using Akoya’s network; moreover, these assessments are reviewed regularly and made readily available to financial institutions. We also ensure our network meets the highest security standards, validated through regular security audits such as SOC 2 Type 2 attestation.
Today’s highly complex, hostile threat environments call for a comprehensive security architecture. Akoya addresses these security challenges by creating a cybersecurity strategy focusing on the following areas:
Risk Management
Application Security
Information classification and handling
Personnel security
Least privileges and segregation of duties
Encryption of data at rest and in transit
Business resiliency and disaster recovery
Vulnerability and incident management
Independent validation
Training and awareness programs
Akoya Security Controls
Akoya’s security practices embody the guiding principles for securing and protecting information assets, while at the same time supporting Akoya’s business objectives and meeting legal, regulatory, and privacy requirements.
| Risk Management | Akoya uses an array of risk management frameworks, governance, assessments, and threat management solutions for continuously verifying and bolstering our cyber risk posture. |
| Infrastructure Security | Infrastructure systems and services are designed with controls commensurate with their service criticality, implemented using a defense-in-depth and diversity of defense approach. |
| Data Security | Consumer information is encrypted with internationally recognized protocols and algorithms such as TLS and AES. |
| Access Management | Akoya’s core security principles incorporate role-based access control (RBAC) and a least-privilege access model. |
| Software Development Security | Akoya uses a secure, repeatable development methodology for all development processes, to include specific coding practices and training, testing, and validation. |
| Disaster Recovery and Resilience | Akoya’s services are hosted in multiple geographic locations. Additionally, redundant systems are deployed in each location with 24x7 monitoring, automatic scaling, and failover. |
| Incident Management | Akoya maintains a framework for identifying, investigating, containing, reporting, mitigating, and minimizing the impact of potential security incidents. |
| Compliance and Independent Validation | Akoya’s security program and network are evaluated by financial institutions, independent penetration testers, and audit firms. Akoya also maintains a SOC 2 Type II report to demonstrate our compliance with the SOC 2 standards for security and confidentiality. |
This paper is intended to provide an overview of Akoya’s security program. Our policies are living documents that are regularly reviewed and updated to adapt to evolving business, regulatory, technology, and security requirements. Akoya is continuously improving its processes, procedures, and controls previously outlined in this document, as well as adding new security measures on an ongoing basis to protect against any new and unanticipated cyber threats.