Security policy

TrueLayer has established information security practices and is committed to maintaining, reviewing and continually improving them.

We maintain a body of policies that set out the principles and guidance for managing our information systems and information assets, so that relevant and accurate information is available to staff members and customers.

Our policies are reviewed to remain compliant with relevant legal, statutory, regulatory and contractual obligations.

Data Encryption

Confidential data is encrypted at the application level before being transmitted.

We review our cryptographic keys and certificates on an annual basis. We understand that high-risk information such as secrets and keys must be protected either by a FIPS 140-2 Level 2-compliant hardware security module or by application-level encryption, which requires the client to use a dedicated encryption key to access it. Access to encryption keys is strictly controlled and maintained through a full audit trail.

Transmission Security

All data is encrypted at rest and in transit using protocols such as TLS 1.2.

All data served over our REST API uses HTTPS. We regularly audit our security setup to ensure that the certificates we serve are up to date.

We require HTTPS for all connections to our API server to ensure that information is always encrypted in transit from our server to the Provider's App. We encourage Providers to use the same methods to ensure that the information is encrypted all the way to you as the End-User.

Logging

We log all API calls and track interactions with the TrueLayer API for later review.

Vulnerability Scanning and Penetration Testing

Vulnerability scanning is performed regularly, and each finding is assigned a risk ranking (High, Medium or Low) based on industry best practices such as its CVSSv3 score.

Network and public-facing application penetration tests are conducted by an independent third party on an annual basis. We also perform penetration tests for any significant update to an existing product and before the release of a new product.

All requests regarding penetration testing should be sent to [email protected].

If you are a security researcher and would like to responsibly disclose security issues to us, please read our vulnerability disclosure programme for more information.

Questions about security

If you have any questions about the security we use at TrueLayer, please contact us by email at [email protected].