How Belvo
handles security

Security is a top priority at Belvo. Our platform uses the highest security standards to protect our customers’ account information and their privacy at every step of the process.


Data handling and encryption are key pillars of the Belvo platform

Encryption built from scratch with bank-grade standards

Belvo was designed from the ground up to store and encrypt banking credentials. We use strong symmetric encryption algorithms, with timestamping and anti-tampering capabilities. For symmetric encryption and credentials storage, we use the battle-tested AES cypher. For message authentication, we use HMAC and SHA256.

At all point in time, Belvo encrypts data in-flight and at rest using strong encryption. The following diagram illustrates the link creation flow and the encryption capabilities implemented by Belvo:

Belvo Link Creation Flow

Additional encryption capabilities

We offer our clients a set of possibilities to comply with any data security policy they have implemented:

This is an extra layer of security we offer our clients if they decide to use it. In this case, Belvo will encrypt the data with the client key, after which the key will be discarded. Belvo will have no way to decrypt this data unless a key is passed as part of an API call.

In this case, the client has the responsibility to store the encryption key, and belvo will store the encrypted credentials which will be inaccessible to anybody but the client.

This operational mode is currently not compatible with recurrent links. See also our documentation on the encryption key parameter here . This operational mode is currently not compatible with recurrent links

Enterprise-grade compliance

We use bank-grade security standards to protect your account information and to protect your privacy. We adhere to and comply with privacy, security and regulatory best practices and are also in the process of becoming PCI-DSS and ISO certified at various levels.

Or security partners

Belvo collaborates with and is a paid customer of reputed security organizations, such as:

Vanta’s software and platform prepares ​Belvo Technologies Inc.​ ​to satisfy the criteria for ISO
27001 –
Next-generation WAF, powered by machine learning that protects all of Belvo’s APIs –
Modern & Continuous penetration testing –

Best-in-class security infrastructure

Where is Belvo’s infrastructure hosted?

Our infrastructure is hosted on Amazon Web Services (AWS). AWS is currently the gold standard in terms of datacenter security and availability, with strict access control measures and multiple redundancies that guarantee the uninterrupted operations of Belvo’s services.

We deploy our infrastructure in 3 redundant datacenter, and have an automated, zero-downtime failover mechanisms in the unlikely case of a datacenter outage.

Our Datacenters comply with major compliance and regulation programs, including ISO 27001, PCI-DSS and SOC 2.

Transmission security is at the core of our infrastructure

All data served over our REST API uses HTTPS. Data is always encrypted in-transit and at rest. We follow SSL best practices, including HSTS and TLS cypher suite configuration. Belvo scores a A+ in the Qualys SSL test.

Highly-rigorous standards in product and corporate security

Some examples include:

Superior technology in data extraction at the cornerstone of our platform’s security

How does Belvo connect with data sources to retrieve data?

Belvo employs proprietary technology and takes a novel approach to data retrieval and normalization at scale. Our technology relies on accessing the underlying APIs used by mobile banking apps and online banking websites. This is in contrast with screen scraping, which is a less sophisticated approach relying on mimicking website navigation – which is slower, more fragile and prone to errors.

The benefits of our approach include:

Questions about security?

If you have any additional questions about security at Belvo, please contact