Data handling and encryption are key pillars of the Belvo platform
Encryption built from scratch with bank-grade standards
Belvo was designed from the ground up to store and encrypt banking credentials. We use strong symmetric encryption algorithms, with timestamping and anti-tampering capabilities. For symmetric encryption and credentials storage, we use the battle-tested AES cypher. For message authentication, we use HMAC and SHA256.
At all point in time, Belvo encrypts data in-flight and at rest using strong encryption. The following diagram illustrates the link creation flow and the encryption capabilities implemented by Belvo:
Additional encryption capabilities
We offer our clients a set of possibilities to comply with any data security policy they have implemented:
- The basic setup involves Belvo storing and encrypting end users passwords with our own safe keys. Data is always stored encrypted. In this case, belvo takes all of the responsibility for credentials storage.
- The second option is to provide an encryption key that Belvo doesn’t store and only our client knows as part of API calls.
This is an extra layer of security we offer our clients if they decide to use it. In this case, Belvo will encrypt the data with the client key, after which the key will be discarded. Belvo will have no way to decrypt this data unless a key is passed as part of an API call.
In this case, the client has the responsibility to store the encryption key, and belvo will store the encrypted credentials which will be inaccessible to anybody but the client.
This operational mode is currently not compatible with recurrent links. See also our documentation on the encryption key parameter here . This operational mode is currently not compatible with recurrent links
Enterprise-grade compliance
We use bank-grade security standards to protect your account information and to protect your privacy. We adhere to and comply with privacy, security and regulatory best practices and are also in the process of becoming PCI-DSS and ISO certified at various levels.
Or security partners
Belvo collaborates with and is a paid customer of reputed security organizations, such as:
27001 – vanta.com
Best-in-class security infrastructure
Where is Belvo’s infrastructure hosted?
Our infrastructure is hosted on Amazon Web Services (AWS). AWS is currently the golden standard in terms of datacenter security and availability, with strict access control measures and multiple redundancies that guarantee the uninterrupted operations of Belvo’s services.
We deploy our infrastructure in 3 redundant datacenter, and have an automated, zero-downtime failover mechanisms in the unlikely case of a datacenter outage.
Our Datacenters comply with major compliance and regulation programs, including ISO 27001, PCI-DSS and SOC 2.
Transmission security is at the core of our infrastructure
All data served over our REST API uses HTTPS. Data is always encrypted in-transit and at rest. We follow SSL best practices, including HSTS and TLS cypher suite configuration. Belvo scores a A+ in the Qualys SSL test.
Highly-rigorous standards in product and corporate security
Some examples include:
- Industry leading, AI-powered Web Application Firewalls (WAF) deployed in front of all of our infrastructure
- Strong data encryption, both at-rest and in-transit.
- Data encryption using strong AES symmetric Cryptography
- Adherence to NIST guidelines regarding secure Cryptography
- Company-wide Information Security Policies
- Company-wide security trainings
- 2-factor authentication for all internal systems
- Regular penetration tests performed by third-party firms
- Extensive security signals monitoring and real-time alerting
- Option to use customer-owned encryption keys instead of Belvo’s own keys exposed in our APIs and SDKs
Additionally, belvo shares a Consensus Assessments Initiative Questionnaire Lite (CAIQ-Lite) as a mechanism to share its security posture in an easy and understandable language, providing transparency over our security control.
Superior technology in data extraction at the cornerstone of our platform’s security
How does Belvo connect with data sources to retrieve data?
Belvo employs proprietary technology and takes a novel approach to data retrieval and normalization at scale. Our technology relies on accessing the underlying APIs used by mobile banking apps and online banking websites. This is in contrast with screen scraping, which is a less sophisticated approach relying on mimicking website navigation – which is slower, more fragile and prone to errors.
The benefits of our approach include:
- Performance and speed. We offer best in class performance and sync speed, thanks to direct API connections.
- Reliability. Belvo is less susceptible to changes that happen on the websites and frontend interfaces of the data sources we connect to.
- Success rates. We are able to offer an overall superior data retrieval success rate thanks to our direct API-driven approach.
Questions about security?
If you have any additional questions about security at Belvo, please contact security@belvo.com.
