Data handling and encryption are key pillars of the Belvo platform
Encryption built from scratch with bank-grade standards
Belvo is a safe platform that was designed from the ground up to store and encrypt banking credentials. We use strong symmetric encryption algorithms, with timestamping and anti-tampering capabilities. For symmetric encryption and credentials storage, we use the battle-tested AES cipher. For message authentication, we use HMAC and SHA256.
At all points in time, Belvo encrypts data in-flight and at rest using strong encryption. The following diagram illustrates the link creation flow and the encryption capabilities implemented by Belvo:
Additional encryption capabilities
We offer our clients a set of possibilities to comply with any data security policy they have implemented:
- The basic setup involves Belvo storing and encrypting end users passwords with our own safe keys. Data is always stored encrypted. In this case, belvo takes all of the responsibility for credentials storage.
- The second option is to provide an encryption key that Belvo doesn’t store and only our client knows as part of API calls.
This is an extra layer of security we offer our clients if they decide to use it. In this case, Belvo will encrypt the data with the client key, after which the key will be discarded. Belvo will have no way to decrypt this data unless a key is passed as part of an API call.
In this case, the client has the responsibility to store the encryption key, and Belvo will store the encrypted credentials which will be inaccessible to anybody but the client.
This operational mode is currently not compatible with recurrent links. See also our documentation on the encryption key parameter here. This operational mode is currently not compatible with recurrent links
Enterprise-grade compliance: ISO 27001
As part of our commitment towards best-in-class international security standards, we use bank-grade security standards and we adhere to and comply with privacy, security, and regulatory best practices.
Belvo has obtained a certificate of registration that assesses the company’s conformity with the requirements of ISO/IEC 27001:2013, the most rigorous global security standard for information security management systems (ISMS).
This ISO 27001 certificate, issued by an external auditor, acknowledges that Belvo complies with more than 100 security requirements for the safe implementation of an ISMS defined by ISO.
These include a set of processes, policies, and mechanisms that guarantee the confidentiality, integrity, and availability of the company’s data at all times.
ISO 27001 covers all of our company’s operations, including all product lines, processes, human resources security, data management, communications, and supply chain management.
The company is also in the process of becoming PCI-DSS certified.
Best-in-class security infrastructure
Where is Belvo’s infrastructure hosted?
Our infrastructure is hosted on Amazon Web Services (AWS). AWS is currently the gold standard in terms of data center security and availability, with strict access control measures and multiple redundancies that guarantee the uninterrupted operations of Belvo’s services.
We deploy our infrastructure in three redundant data centers and have an automated, zero-downtime failover mechanism in the unlikely case of a data center outage.
Our Datacenters comply with major compliance and regulation programs, including ISO 27001, PCI-DSS, and SOC 2.
Transmission security is at the core of our infrastructure
All data served over our REST API uses HTTPS. Data is always encrypted in transit and at rest. We follow SSL best practices, including HSTS and TLS cipher suite configuration. Belvo scores an A+ in the Qualys SSL Test.
Highly-rigorous standards in product and corporate security
Some examples include:
- Industry leading, AI-powered Web Application Firewalls (WAF) deployed in front of all of our infrastructure
- Strong data encryption, both at-rest and in-transit.
- Data encryption using strong AES symmetric Cryptography
- Adherence to NIST guidelines regarding secure Cryptography
- Company-wide Information Security Policies
- Company-wide security trainings
- 2-factor authentication for all internal systems
- Regular penetration tests performed by third-party firms
- Extensive security signals monitoring and real-time alerting
- Option to use customer-owned encryption keys instead of Belvo’s own keys exposed in our APIs and SDKs
Superior technology in data extraction at the cornerstone of our platform’s security
How does Belvo connect with data sources to retrieve data?
Belvo employs proprietary technology and takes a novel approach to data retrieval and normalization at scale. Our technology relies on accessing the underlying APIs used by mobile banking apps and online banking websites. This is in contrast with screen scraping, which is a less sophisticated approach relying on mimicking website navigation – which is slower, more fragile, and prone to errors.
The benefits of our approach include:
- Performance and speed. We offer best in class performance and sync speed, thanks to direct API connections.
- Reliability. Belvo is less susceptible to changes that happen on the websites and frontend interfaces of the data sources we connect to.
- Success rates. We are able to offer an overall superior data retrieval success rate thanks to our direct API-driven approach.
Questions about security?
If you have any additional questions about security at Belvo, please contact security@belvo.com.
