Security in the Age of the Data Economy – A Cornerstone of wealthAPI
In an era where data is the most valuable currency, it is our responsibility to ensure that every aspect of our work is designed to protect the integrity and confidentiality of that data. Technical measures such as hosting in a highly secure data center in Frankfurt, the use of open APIs that have been in productive use for years and the application of a modern technology stack are just a few examples of our strategy.
In summary, security at wealthAPI results from a combination of three elements:
- Quality standards in software development
- Secure infrastructure
- Organizational measures (need-to-know)
Quality standards in software development
In order to reconcile the highest code quality with agile release cycles, we fully rely on the test-driven development method – in other words, the application is fully and automatically tested for every single change. In this way, errors are caught early, particularly while new employees are being onboarded. For the same reason, close coaching and continuous cooperation with customers and partners is important to us. This continuously ensures that our systems offer the highest quality and security, and that working with them both demands and achieves a minimum security standard.
Secure infrastructure
We rely entirely on the Google Cloud for hosting. I consider the use of standard components audited and hardened by Google, such as Google Intrusion Detection and Web Application Firewall, to be much more secure than proprietary solutions. In addition, there is outstanding scalability, which is almost impossible to achieve with individual solutions.
We use an encapsulated infrastructure within the Google Cloud. All components run in their own “Virtual Private Cloud” (VPC) and are not visible from the outside. Our backups are encrypted (data-at-rest encryption), and particularly sensitive data such as bank login data is encrypted separately, on top of this overall encryption. In addition, we separate sensitive and less sensitive systems within the wealthAPI infrastructure. This is rounded off by AI-based services for intrusion detection.
Organizational measures (need-to-know)
Even the most secure technology won’t help if employees make mistakes or inadvertently disclose sensitive data. Organizational measures therefore play a decisive role in any security concept. Strict access management and role concepts derived from this, reinforced by central authentication with Google Services, ensure that only employees with a “need-to-know” have access to wealthAPI. In addition, specialized teams – at wealthAPI these are currently Brokerage APIs, Finance Managers and Frontend – ensure that sensitive data is only accessible to authorized employees.
The mandatory implementation of peer reviews (four-eyes principle) for all code changes is a further element of organizational quality assurance in order to rule out individual misconduct. In addition, we continuously invest in the further training of our employees to ensure that they are always up to date with the latest security regulations. When dealing with data in Germany, this applies in particular to the provisions of the General Data Protection Regulation (GDPR). A special feature for us here is the GDPR regulation on commissioned data processing: we are authorized to issue instructions to our partners (e.g. finAPI, from whom we obtain PSD2 data), and our customers (e.g. Finanzfluss, who obtain banking and brokerage data from us to pass on to their customers) are authorized to issue instructions to us. This means that the end customer can ask Finanzfluss to delete certain data, because Finanzfluss always retains control over its own customer data. In turn, we are then entitled, or obliged, to demand that our partners also delete the corresponding data processed on the customer's behalf.
Organization and regulatory framework
As a regulated payment institution, we are subject to supervision by the German Federal Financial Supervisory Authority (BaFin). The organizational obligations involved in obtaining the license were a major hurdle for us at the beginning. In retrospect, however, the measures enforced at the beginning were very useful in order to establish professional risk and security management “from an early stage”. These measures now represent a very sensible and important component of our organizational and technical security architecture. An annual audit process is also mandatory for us, as part of which our IT processes are also audited in a risk report. This is documented in an organizational manual. There are also reporting obligations: we must report the number of payment transaction accounts, data on payment transaction statistics (as we do not process payments, this is a negative report in our case) and our ownership structure. BaFin also clearly specifies which bank data we are allowed to share with our customers. Demographic data and address data are excluded in all cases. Similarly, although MiFID data records pass through our system, we neither store nor pass them on.
Conclusion
We are convinced that security is not just limited to technology, but must be anchored in the entire organization. Organizational security and IT security are inextricably linked, and every design principle must take the security aspect into account. We are aware that people make mistakes, so it is crucial that our systems are built in such a way that errors are detected early and their effects minimized. Test-driven development and peer reviews are ideal tools for this.
Looking to the future, we see the constant testing and further development of wealthAPI IT security as a standard discipline. Cooperation with partners in the area of IT security and obtaining ISO certification are also on our agenda, as is the introduction of a bug bounty program to proactively identify and eliminate weaknesses in our systems. In a world where the security of our data is critical, as a fintech company we are at the forefront of ensuring that our customers and partners can enjoy the highest standards of confidentiality, integrity and availability.