Perfios Trust Center

This page outlines the security, privacy, and operational practices that guide our organization’s commitment to safeguarding client data and enabling robust financial technology services.

In today’s fintech landscape, information security is a critical component of operational excellence, not just a compliance checkbox. Drawing insights from Perfios’ experience in the Banking, Financial Services, and Insurance (BFSI) space, this package delves into: 

  • Our integrated security & privacy frameworks and processes 
  • Holistic risk management approaches 
  • Our alignment with evolving global standards and regulations

Our guiding philosophy is rooted in embedding “security-first” principles at every layer—leadership, operations, infrastructure, and the product itself. 

Who is Perfios?

Perfios is a techfin market leader delivering advanced data aggregation, real-time analytics, and compliance-focused solutions to the BFSI and other sectors. Our platform seamlessly integrates with various data sources, enabling institutions to make informed decisions swiftly and securely.

We embed security in every aspect of our service, including: 

  • Rigorous Risk Assessments aligned with frameworks like ISO 27001, ISO 27017, ISO 27701, SOC 2 and CSA STAR Level 2.
  • Integrated Security Practices: Comprehensive security controls are spread across governance, technology, and employee training. 
  • Continuous Innovation: Adoption of AI/ML to enhance threat detection and compliance checks. 

The Perfios Service

Criticality of the Service

Within BFSI, the need for advanced protection has never been greater due to: 

  • Escalating Regulatory Demands (DPDPA, GDPR, CCPA, etc.). 
  • Rapid Increase in Cyber Threats, including Advanced Persistent Threats (APTs).

Perfios’ services are integral to daily financial operations—any disruption may impact a client’s compliance posture, customer experience, and revenue. Our solutions are designed to handle large-scale, sensitive workloads (e.g., analyzing credit data, processing digital loan applications), and we prioritize operational continuity and high availability to keep your core processes running smoothly. 

Data Uploaded to Perfios’ Platform

Clients typically rely on Perfios for: 

  • Financial Data Aggregation: Bank statements, transaction logs, credit reports. 
  • Regulatory Document Processing: KYC documents, identity verification artifacts, compliance records. 
  • Unstructured Data: Supporting documents such as scanned PDFs or images requiring real-time analysis.

All data is treated as highly confidential. We utilize: 

  • Strong Encryption (AES-256 at rest, TLS in transit). 
  • Industry-leading Cloud Security Practices: Periodic security testing, continuous monitoring, and advanced intrusion detection.

Personal Information Processed by Perfios

Perfios operates under data minimization principles. We only process personal or financial information if it is required for our services. Common data attributes processed include: 

  • Identification Details: Names, addresses, phone numbers, emails (as needed for BFSI compliance checks). 
  • Financial & Transactional Data: Necessary for risk assessments, scoring, or analysis. 
  • Technical Metadata: IP addresses, timestamps, and event logs for audit and incident investigation.

We strongly discourage clients from submitting extraneous personal data. Additionally, we apply stringent controls to ensure this information is used only for its intended, contractual purposes.

Note: The data attributes processed may vary from service to service; however, the core security principles remain the same.

Applicable Privacy and Regulatory Requirements

Privacy

Perfios recognizes that BFSI organizations operate under stringent data protection laws worldwide. Our approach to privacy includes:

  • Global Alignment: Adhering to the data protection regulations of India, Malaysia, Indonesia, Singapore, the UAE and other jurisdictions.
  • Privacy by Design: Systematically embedding privacy considerations into product development and data flows. 
  • Ongoing Audits: Independent security and privacy assessments to validate our compliance. 

Data Processing Agreements

Perfios enters into DPAs (Data Processing Agreements) that clearly outline: 

  1. Scope of Processing: Perfios acts as a processor on behalf of the client. 
  2. Security Obligations: Encryption, access control, incident response, and logging. 
  3. Breach Notification: Timely updates in the event of any unauthorized access or data compromise. 
  4. Data Retention & Disposal: Specific guidelines on how long data is retained and how it is securely erased post-engagement. 

Vendor Due Diligence

Perfios encourages customers to adopt a three lines of defense approach: 

  1. Operational Management: Internally evaluate your exposure if Perfios experiences downtime or data incidents. 
  2. Security, Risk & Compliance Teams: Review Perfios’ security documentation, attestations, and policies. 
  3. Independent Audit & Assurance: Conduct external audits or request Perfios’ certification reports for ongoing validation. 

Insurance

To mitigate potential liabilities and ensure financial resilience, Perfios maintains: 

  • Cybersecurity Insurance: Covering data breach response and related costs. 
  • Professional Liability Coverage: Addressing operational errors and omissions. 

Trust Overview

Information Security

Perfios views security as an all-encompassing, organizational priority. Senior management sets a clear tone for stringent controls and continuous improvement, crucial in the BFSI environment where data handling is mission-critical.

Information Security Management

Perfios has implemented an Information Security Management System (ISMS) grounded in ISO 27001/27005 principles. Core tenets include: 

  • Risk Management: Regular risk assessments identify and mitigate vulnerabilities. 
  • Continuous Monitoring & Improvement: Tracking operational metrics, system logs, and threat intelligence to adapt defenses proactively. 

Corporate and Operational Security

Production Infrastructure Access

  • Least Privilege Principle: Access is strictly granted based on roles. All administrative access requires multi-factor authentication (MFA). 
  • Whitelist & Logging: Access to production systems is restricted to known IP addresses, and authentication and session details are captured in logs.

Production Application Access

  • Segregation of Duties: Implementation, testing, and approval of production changes are performed by different teams. 
  • Restricted Access: Perfios employees cannot access client applications/data unless explicitly authorized for support or debugging. 

Access Reviews

Perfios conducts frequent access reviews to verify that privileges remain current and valid, revoking any accounts tied to role changes or terminations.

Training and Awareness

General Awareness Training

All Perfios employees receive security and privacy education upon onboarding and at regular intervals thereafter. Key topics: 

  • Phishing Prevention: Tactics and real-world exercises (e.g., simulated phishing attempts). 
  • Endpoint Security: Workstation hardening using full-disk encryption, EDR, and Perfios’ minimum security configuration baseline.

Software Developer Application Security Training

Developers follow a structured program covering: 

  • Secure Coding to prevent injection attacks, session hijacking, or data leakage. 
  • Threat Modeling relevant to BFSI systems, such as advanced persistent threats (APTs) and compliance pitfalls.

Change Management Procedures

Perfios’ change management policies outline: 

  1. Agile Development: Quick releases with security gates. 
  2. Peer & Managerial Review: Code must pass peer inspection and acceptance testing. 
  3. Segregation of Duties: The individual approving a change cannot be the one deploying it to production.

Perfios Employees

  • Background Checks: Mandatory criminal, education, and reference verification before hiring. 
  • Confidentiality: All personnel sign non-disclosure agreements and abide by the Code of Conduct. 

Security Incident Management

Monitoring

Perfios has a Security Operations Center (SOC) monitoring activity 24/7/365. We utilize: 

  • SIEM Tools (Security Information and Event Management) to detect anomalies. 
  • Threat Intel Feeds for up-to-date information on emerging cyber threats. 

Corrective and Preventive Action

Our Incident Response Plan follows these steps: 

  1. Identify & Contain: Immediate isolation of affected systems or networks. 
  2. Eradicate & Recover: Remove malicious components and restore from clean backups. 
  3. Root Cause Analysis: Perform a post-incident review to prevent recurrence. 
  4. Notification: Timely communication with relevant stakeholders, including clients and regulators, if required.

Product Security

Infrastructure

  • Hosted on Leading Cloud Providers: Perfios deploys its infrastructure on major cloud platforms (e.g., AWS, Azure, GCP), all of which meet or exceed globally recognized standards (e.g., Tier III-equivalent data centers, ISO 27001, SOC 2). These providers implement robust physical and environmental security measures to protect underlying hardware and network resources. On top of the provider controls, Perfios has implemented additional security layers such as a web application firewall (WAF) and DDoS protection.
  • Hosted in Secure Data Centers: Perfios infrastructure resides in Tier III (or above) facilities, compliant with ISO certifications for physical security. 
  • Network Segmentation: Production, development, and testing environments are logically separated. This reduces the risk of lateral movement by isolating critical services and data from non-production activities. 

Software Development Lifecycle

Our SDLC includes: 

  • Continuous Integration/Continuous Deployment (CI/CD): Automated build checks and static analysis. 
  • Vulnerability Scans: Dynamic testing before and after code merges.

Encryption

  • In Transit: TLS 1.2+ is enforced to protect data. 
  • At Rest: AES-256 encryption on production datastores and backups. 

Key Management

Perfios uses secure vault solutions to manage encryption keys, employing robust key rotation policies. Keys are only accessible to authorized staff with a legitimate business need. 

Multi-tenancy

Client data is logically segregated. Multi-tenancy features ensure no cross-tenant access—a crucial element in preventing data overlap or leaks.

Authentication

  • Single Sign-On (SSO): Supports industry-standard protocols (SAML 2.0). 
  • Granular Role-Based Access Controls (RBAC): Restrict user capabilities, ensuring each role has only the privileges required. 

Admin-Enabled Access Controls

Platform admins can define custom security policies at a per-group or per-user level, controlling capabilities such as content creation, modification, export, and more.

Product Security Testing

  • Internal: Continuous SAST/DAST scans, tabletop exercises and cyber drills.
  • External: Annual independent penetration tests, red teaming exercises and assessments conducted by CERT-In and CREST empanelled vendors.
  • Remediation: Security vulnerabilities are triaged and resolved based on severity, with timely communication to stakeholders when relevant. 

Privacy

Perfios’ privacy framework integrates tightly with our security controls to ensure comprehensive protection of personal data. We comply with worldwide data protection regulations, guided by the following principles and certifications: 

  • Data Subject Rights: We maintain formal processes for data access, correction, and deletion requests, as required by applicable laws. 
  • Privacy Notices & Policies: We publish transparent policies detailing how personal information is collected, used, retained, and shared. 
  • ISO 27701: As an extension to ISO 27001, this certification demonstrates our structured approach to establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). 

Compliance

Perfios engages in continuous audits and holds multiple, globally recognized certifications to provide robust assurances about our security and privacy posture: 

  • ISO 27001: Core Information Security Management System standard. 
  • ISO 27701: Focused on privacy information management, ensuring alignment with international privacy best practices. 
  • ISO 27017: Cloud-specific security and privacy standards, crucial for safeguarding hosted solutions. 
  • CSA STAR: Validating our cloud security controls against the Cloud Security Alliance’s benchmarks. 
  • SOC 2: Independent attestation of our security, availability, confidentiality, processing integrity, and privacy controls.

By aligning to multiple frameworks, Perfios demonstrates a steadfast commitment to maintaining the highest levels of security, privacy, and compliance for our clients. 

Reliability

Multiple Data Centers

Perfios deploys its services across globally distributed cloud data centers (e.g., AWS, Azure, GCP), ensuring high availability and fault tolerance. Our approach includes: 

  • Redundant Power and Networking: Cloud providers utilize multiple power sources, backup generators, and diverse network paths to ensure minimal disruptions. 
  • 24/7 Physical Security: Controlled facilities with biometric access controls, real-time surveillance, and dedicated security personnel. 
  • International Certifications: Leading cloud platforms hold ISO (27001, 27701) and SOC 2 certifications, aligning with Perfios’ own security and privacy commitments. 
  • Data Localization: In accordance with various regulatory and industry mandates, Perfios can store and process data in specific geographic regions (e.g., within India, the EU, or other locations) to meet local data residency and sovereignty requirements.

By spanning multiple regions and availability zones within these cloud environments, Perfios significantly reduces the risk of single points of failure and delivers a robust, compliant infrastructure that supports business continuity. 

Backups

Daily, encrypted backups are automatically generated and stored off-site. Backup processes are tested regularly to confirm data integrity and recoverability. 

Data Retention

Perfios typically retains backups for a rolling 30-day period, or as contractually agreed. After the retention period, data is securely purged from our systems.

Business Continuity and Disaster Recovery

Perfios maintains an extensive Business Continuity and Disaster Recovery (BC/DR) Plan: 

  • Preventative Measures: Redundant infrastructure and cloud instances minimize the impact of disasters. 
  • Disaster Response: Notification procedures ensure swift stakeholder communication. 
  • Testing and Remediation: BC/DR exercises are performed at least once per year; any identified gaps are addressed immediately.

Key highlights of our BC/DR strategy: 

  1. RTO (Recovery Time Objective): We aim for minimal service disruption. 
  2. RPO (Recovery Point Objective): Ensuring minimal data loss by leveraging real-time or near real-time replications. 
  3. Transparent Communication: Quick updates to clients on status and expected restoration timelines.