Security is at the heart of everything we do
Akoya was founded to promote a safer, more secure method for sharing financial data.
Our approach to security
Akoya uses the National Institute of Standards and Technology (NIST) Cybersecurity Framework and Center for Internet Security (CIS) principles to guide and establish our overall security program. This includes documented policies, standards, controls, and commitments to satisfy the requirements defined in each policy.
The Akoya Information Security team manages our information security policy portfolio and its lifecycle management, including policy creation, changes, approvals, exceptions, and removal.
The goals of Akoya’s cybersecurity and risk program include:
- Safeguarding the preservation of confidentiality, integrity, and availability of Akoya systems and information
- Protecting customers, employees, and the Akoya business
- Ensuring Akoya’s reputation as a trusted service provider is upheld
A complex industry threat environment requires a solid and pervasive security platform design and implementation. Akoya faces these security challenges by creating a cybersecurity strategy with the following focus areas:
- Cloud security
- Application security
- Employee device and remote access security
- Strong access controls
- Encryption of data at rest and in transit
- Disaster recovery and resiliency
- Vulnerability and incident management
- Breach response
- Training and awareness programs
Akoya uses risk management frameworks, governance, assessments, and threat management. We perform predictive cyber threat modeling annually. Threats are ranked based on existing prevention, protection, and detection controls, and on secondary intelligence.
The Akoya risk management program covers critical focus areas, including data protection, service availability and resiliency, information and service integrity, third-party risk, and privacy and compliance.
Within the company, Akoya continually identifies and evaluates the top internal and external threats to the firm. The assessment specifies the controls, gaps, and planned actions to allow Akoya to manage the risks appropriately. The risk assessment is reviewed at least semi-annually.
Our threat matrix utilizes:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework and Special Publication 800-53
- ISO 31000:2013 standards
- Committee of Sponsoring Organizations (COSO) Framework
Akoya’s security policies are the guiding principles and requirements that secure and protect information assets and support Akoya’s business objectives while meeting legal, regulatory, and privacy requirements. The areas below outline our most critical controls:
Akoya is SOC 2 Type II certified. System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is a suite of reports produced during an audit. Akoya’s initial SOC 2 Type II covers COSO Controls and Security and Confidentiality Trust Service Principles, described as follows:
To request our SOC 2 Type II report, please contact us.
Incident response, business resiliency, and disaster recovery
Akoya maintains a framework for managing cyber events, data breaches, platform outages, internal system incidents, and business disruptions.
Vulnerability and incident management
We maintain controls to prevent malicious, unauthorized, and unintended activity that could impair our normal operations. Scanning and testing are regularly performed on all operating systems, network devices, and applications. Controls regarding remediation, patching, and reporting are defined and implemented.
Incident management requirements to minimize disruption in confidentiality, integrity, availability, and resiliency include investigation, escalation, timeline, documentation, notification, and lessons learned.
Our breach response procedure requires Akoya to:
- Define the data/cyber breach
- Provide a consistent framework to contain and mitigate cybersecurity incidents
- Maintain an incident management policy and process
Disaster recovery and resiliency
Akoya runs in multiple AWS regions, each with multiple availability zones. Each deployment is identical, using the same platform and application artifacts. The Recovery Time Objective (RTO)/Recovery Point Objective (RPO) is four (4) hours, with testing performed annually.
Trusted by hundreds of financial institutions for secure financial data access
Akoya optimizes for security, transparency, and scalability. Our pass-through model does not copy, store, or hold any customer information. All outputs follow the Financial Data Exchange (FDX) API standard.
We require all fintechs and data aggregators using Akoya to pass a rigorous, regularly reviewed security and risk assessment. We also ensure our network meets the highest security standards by successfully completing regular security audits, including the SOC 2 Type II attestation.
"The data recipients that the customer authorizes to connect to their U.S. Bank account through Akoya will receive authorized and permissioned access to U.S. Bank customer data, all while giving consumers the confidence that their data is safe and secure."
"Partnering with Akoya gives hundreds of community banks and credit unions the ability to bring more fintech apps within their own ecosystem and empower consumers to better control their data privacy and security."