
wealthAPI data security
Security is our top priority. Data is the most precious currency of our time.
Protecting your customer data is our top priority. As a BaFin-regulated Account Information Service, we operate in accordance with German banking security and data protection standards as defined by the ZAG.

wealthAPI is ISO certified and BaFin licensed
IT security is an important part of our daily work, and ISO/IEC 27001 certification underscores our commitment to ensuring the highest standards of security and protection for our partners’ and users’ data.
ISO/IEC 27001 certification is the globally recognized standard for information security management systems (ISMS). It serves as objective proof that a company has implemented systematic processes to protect sensitive data from unauthorized access, loss, or manipulation. The certification confirms that we proactively identify and assess risks and minimize them through technical and organizational measures.
Learn more about our licensing and partners at our Trust Center.
Target Operating Model (TOM)
Our operating model is based on the “need-to-know” principle. In accordance with regulatory requirements, we have formalized the need-to-know principle as a set of organizational roles.
As our company develops, our role model also evolves. All roles are associated with data access policies that determine what each role can view and edit.

Our strategy
Technical measures
- Hosting in Frankfurt (Google Cloud)
- Focus on test-driven development to ensure high quality, even in dynamic environments
- Coaching and close cooperation with our customers and partners to achieve minimum security standards
- Open APIs that have been in productive use for years
- Isolated infrastructure: All components (e.g., our database) run on their own network and are not visible from the outside. Backups are encrypted (data at rest encryption)
- Use of a modern technology stack and Google services (e.g., Google Intrusion Detection, Web Application Firewall)
- Separation of sensitive and less sensitive systems in the wealthAPI infrastructure
Organizational measures
- Application of strict access management; sensitive data is only accessible to a few employees
- Use of a strict role concept, reinforced by central authentication with Google Services
- Formation of specialized teams and ongoing training in topics such as GDPR
- Conducting peer reviews for all code changes as part of quality assurance to rule out individual misconduct
- Compliance with BaFin regulation, e.g., through an annual audit process in which IT processes are also reviewed in a risk report
Our convictions
Security starts within the organization
Even if a system has an excellent security architecture, it is ineffective if those who interact with it do not have the necessary qualifications.
Organizational security shapes IT security.
As soon as employees change departments or take on a new role, their access rights must also change. We do not have any historical access rights, only role profiles.
Security must follow a design principle
Consideration of the security aspect is of crucial importance in service design. This is due to the difficulty of changing existing systems retrospectively.
People make mistakes, an early-warning mechanism helps
People make mistakes. It is therefore necessary to design systems in such a way that faults are detected at an early stage and their impact on security is minimized.
The most important facts & figures about wealthAPI.
Market experience since 2014
BaFin and FMA regulated
Licensed Account Information Service Provider (BaFin)
Authorized financial services provider in Austria (FMA)
3500+ bank connections
Direct API to comdirect, Trade Republic, Whitebox, Quirion, Scalable ...

Want to find out more?
Gain insights into our commitment to data security from our CTO Wolfram Stacklies’ latest article.