Security policy


TrueLayer leads the way in Enterprise security.

We adhere to and comply with privacy, security and regulatory requirements, and are registered with the ICO, the FCA and are certified as ISO27001 compliant.

Data Encryption

Our database servers encrypt Account Information using the standard AES 256bit encryption. We generate a multi-part encryption key, one for you, one for us, and one that we store on your behalf in a separate network.

The encrypted information needs all of the three keys simultaneously in order to be decrypted. The encryption keys are rotated and our segments of the key are managed in a network separated from the database and application servers. All the application secrets and keys are stored in a fault-tolerant key management cluster with limited access. The master key is kept in an air-gapped, secure vault to ensure a maximum level of security.

Transmission Security

All data served over our REST API uses HTTPS. We regularly audit our security setup to ensure that the certificates we serve are up to date. We force HTTPS for all connections to our API server to ensure that the information is always encrypted during the transport from our server to the Provider's App. We encourage Providers to use the same methods to ensure that the information is encrypted all the way to you as the End-User.


We log all API calls and track the interactions with TrueLayer API for later review.

Questions about security

If you have any questions about the security we use at TrueLayer, please contact us by email at [email protected].

Vulnerability Disclosure Programme

If you are a security researcher and would like to responsibly disclose security issues to us please read our vulnerability disclosure programme for more information.