Security is at the heart of everything we do

Akoya promotes a safer, more secure method for sharing financial data.

Graphic depicting account data being transformed to tokens through Akoya

Our approach to security

Akoya uses the National Institute of Standards (NIST) Cybersecurity Framework and Center for Internet Security (CIS) principles to guide and establish our overall security program. This includes documented policies, standards, controls, and commitments to satisfy the requirements defined in each policy.

The Akoya Information Security team manages our information security policy portfolio and its lifecycle management, including policy creation, changes, approvals, exceptions, and removal.

logo-NIST logo-CIS

The goals of Akoya’s cybersecurity and risk program include:

  • Safeguarding the preservation of confidentiality, integrity, and availability of Akoya systems and information
  • Protecting customers, employees, and the Akoya business
  • Ensuring Akoya’s reputation as a trusted service provider is upheld


A complex industry threat environment requires a solid and pervasive security platform design and implementation. Akoya faces these security challenges by creating a cybersecurity strategy with the following focus areas: 

  • Cloud security
  • Application security
  • Employee device and remote access security
  • Strong access controls
  • Encryption of data at rest and in transit
  • Disaster recovery and resiliency
  • Vulnerability and incident management
  • Breach response
  • Training and awareness programs

Risk management

Akoya uses risk management frameworks, governance, assessments, and threat management. We perform a predictive cyber threat model annually. Threats are ranked based on existing prevention, protection, detection controls, and secondary intelligence.

The Akoya risk management program covers critical focus areas, including data protection, service availability and resiliency, information and service integrity, 3rd-party risk, and privacy and compliance.

Within the company, Akoya continually identifies and evaluates the top internal and external threats to the firm. The assessment specifies the controls, gaps, and planned actions to allow Akoya to manage the risks appropriately. The risk assessment is reviewed at least semi-annually.  

Our threat matrix utilizes:

  • Picture of NIST logo National Institute of Standards (NIST) Cybersecurity Framework and Special Publication 800:53
  • Picture of ISO logo ISO 31000:2013 standards
  • Picture of COSO logo Committee of Sponsoring Organizations (COSO) Framework

Security controls 

Akoya’s security policies are the guiding principles and requirements to secure and protect information assets and support Akoya’s business objectives while meeting legal, regulatory, and privacy requirements. The areas below outline our most critical controls, including the following areas:

  • Personnel security
  • Physical security
  • Infrastructure security
  • Software development security
  • 3rd-party management
  • Security testing
For more detailed information about our security controls, check out our cybersecurity whitepaper. Read here


Akoya is SOC 2 Type II certified. System and Organization Controls (SOC), defined by the American Institute of Certified Public Accountants (AICPA), is a suite of reports produced during an audit. Akoya’s initial SOC 2 Type II covers COSO Controls and Security and Confidentiality Trust Service Principles, described as follows: 

Untitled (1)


The system is protected against unauthorized access, use, or modification.


Information designated as confidential is protected as committed or agreed.

Akoya is HIPAA compliant and ensures the implementation of all technical, administrative, and physical safeguards to protect healthcare related financial information transmitted through the Akoya Data Access Network.

To learn more about our compliance standards or to request our SOC 2 Type II report, please contact us.

Incident response, business resiliency, and disaster recovery

Akoya maintains a framework for managing cyber events, data breaches, platform outages, internal system incidents, and business disruptions.

Graphic depicting financial institutions and banks number of connections

Vulnerability and incident management

We maintain controls to prevent malicious, unauthorized, and unintended activity that could impair our normal operations. Scanning and testing are regularly performed on all operating systems, network devices, and applications. Controls regarding remediation, patching, and reporting are defined and implemented.

Incident management requirements to minimize disruption in confidentiality, integrity, availability, and resiliency include investigation, escalation, timeline, documentation, notification, and lessons learned. 


Breach response

Our breach response procedure requires Akoya to:

  • Define the data/cyber breach
  • Provide a consistent framework to contain and mitigate cybersecurity incidents
  • Maintain an incident management policy and process

Trusted by hundreds of financial institutions for secure financial data access

"The data recipients that the customer authorizes to connect to their U.S. Bank account through Akoya will receive authorized and permissioned access to U.S. Bank customer data, all while giving consumers the confidence that their data is safe and secure." 

Gareth Gaston EVP & Chief Digital Officer, Enterprise Platforms & Capabilities

"Partnering with Akoya gives hundreds of community banks and credit unions the ability to bring more fintech apps within their own ecosystem and empower consumers to better control their data privacy and security."

Ben Metz Chief Technology Officer and Chief Digital Officer
Learn more about Akoya for institutions