Security and Privacy
Built for Banking. Secured for Trust.
As a cloud-native core banking platform, we understand that security isn’t just a feature – it’s the foundation of everything we do. Our customers trust us with their most critical financial infrastructure, and we take that responsibility seriously.
Our security programme is designed not only to meet but exceed industry standards, with controls implemented at every layer of our infrastructure, applications, and operations.
Certifications & Compliance
ISO 27001 Certified
SaaScada is ISO 27001 certified, the international standard for information security management systems (ISMS). This certification validates that we have implemented a comprehensive framework of policies, procedures, and controls to systematically manage information security risks.
Our ISO 27001 certification covers our entire core banking platform, infrastructure, and operational processes—providing independent assurance that your data is protected by industry-recognised best practices.
Powered by Vanta
We partner with Vanta as our ISMS platform provider, enabling continuous compliance monitoring and automated evidence collection. This partnership ensures our security controls are not just implemented but consistently maintained and verified, giving you real-time confidence in our security posture.
Infrastructure: Your Data, Your Environment
Built on AWS
SaaScada is hosted on Amazon Web Services (AWS), leveraging enterprise-grade cloud infrastructure trusted by financial institutions worldwide.
Why AWS matters for banking:
- Regulatory alignment: AWS maintains certifications including ISO 27001, SOC 1/2/3, PCI DSS Level 1, and financial services-specific compliance programmes
- Physical security: Data centres feature biometric access, 24/7 monitoring, and multi-layer physical controls
- Global availability: Redundant infrastructure across multiple availability zones
- Encryption by default: Built-in encryption for data at rest and in transit
Dedicated Client Environments
Unlike shared multi-tenant architectures, we create dedicated AWS sub-accounts for each client environment—separate sub-accounts for both test and production. This provides complete isolation at the infrastructure level.
This means:
| Benefit | What it means for you |
| Complete isolation | Your data never shares infrastructure with other clients |
| Independent scaling | Resources scale based on your needs alone |
| Simplified compliance | Clear boundaries for regulatory audits and reporting |
| Custom configuration | Security controls can be tailored to your requirements |
| Data residency control | Choose your AWS region to meet local data sovereignty rules |
| Escrow-friendly | Completely isolated environments make escrow agreements simpler and more cost-effective |
This architecture provides the security benefits of a private cloud with the operational advantages of managed SaaS.
Environment Segregation
Within your dedicated accounts, we maintain strict separation between:
- Production environments — Live, client-facing systems
- Simulation/staging environments — Client-accessible testing
- Development/test environments — Internal use only
No data flows between environments without explicit authorisation, and production data is never used in non-production systems without your consent.
Endpoint & Network Security
Device Management
All SaaScada devices are centrally managed through our Mobile Device Management (MDM) platform. This ensures consistent security controls across our entire fleet:
- Enforced encryption: Full-disk encryption is mandatory on all devices—no exceptions
- Automated patching: Security updates are deployed promptly across all managed devices
- Configuration compliance: Security policies are continuously enforced and monitored
- Remote management: Capability to locate, lock, or wipe devices if lost or stolen
- Asset visibility: Complete inventory and status of all company devices
Network Protection
We implement a Zero Trust security model to secure our network perimeter and protect employee access:
- Secure Web Gateway: All web traffic is filtered to block malicious sites, phishing attempts, and inappropriate content
- Zero Trust Network Access: Employees connect through encrypted tunnels—no legacy VPN vulnerabilities
- Endpoint protection: Device posture checks ensure only compliant devices can access company resources
- DNS filtering: Malicious domains are blocked at the DNS layer before connections are established
- DDoS mitigation: Global edge network provides protection against volumetric attacks
This combination of device management and network security ensures that every access point to SaaScada systems is protected and monitored.
Secure Swiss Finance Network (SSFN)
SaaScada is a member of the Secure Swiss Finance Network (SSFN)—the next-generation communication infrastructure established by the Swiss National Bank and SIX. We have invested in the security and infrastructure required to operate as part of this network.
Built on SCION technology developed at ETH Zurich, SSFN provides:
- Cyber resilience: Protection against DDoS attacks and BGP hijacking at the network level
- Path control: Complete visibility and control over data routing
- High availability: Multi-provider architecture with automatic failover
- Trusted network: Certificate-based access restricted to verified financial institutions
Our SSFN membership demonstrates our commitment to operating within Switzerland’s most secure financial infrastructure, and allows us to connect to other SSFN members over the network, such as service bureaus and payment gateways.
Data Protection
Encryption Standards
All data is protected using industry-standard cryptographic controls aligned with NIST recommendations:
| Data State | Method | Standard |
| Data at rest | AES-256 | Symmetric encryption |
| Data in transit | TLS 1.2+ | RSA-2048 certificates |
| Endpoint storage | AES-256 | Full disk encryption |
Encryption keys are managed through AWS Key Management Service.
Data Classification
We operate a tiered classification system to ensure data receives appropriate protection:
- Confidential: Customer data, PII, financial records, authentication credentials, source code
- Restricted: Internal policies, contracts, system documentation
- Public: Marketing materials, release notes, published documentation
Each classification level has defined handling, storage, transmission, and disposal requirements.
Data Retention & Disposal
We retain data only as long as necessary for business purposes or regulatory requirements. Following contract termination:
- Customer data is retained for 90 days, then securely deleted
- Verified data subject requests are honoured in accordance with applicable privacy regulations
- All disposal follows documented procedures including cryptographic erasure
Confidentiality Controls
Customer data is never used in non-production environments without explicit permission from the data owner. We maintain strict controls on any data transfer to external parties, requiring legal agreements and management approval.
Access Control
Principle of Least Privilege
Access is granted strictly on a need-to-know basis. We implement Role-Based Access Control (RBAC) aligned to job functions, ensuring users have only the permissions necessary for their specific responsibilities.
Multi-Factor Authentication
MFA is mandatory for all privileged access to production infrastructure and administrative systems. We enforce strong authentication across all critical systems.
Access Reviews
We conduct regular access reviews to verify permissions remain appropriate. Access rights are also reviewed upon any role change—promotion, transfer, or change in responsibilities.
Rapid Deprovisioning
Access is promptly removed upon termination of employment. User IDs are never reused, and all sessions are immediately invalidated.
Secure Development
Security & Privacy by Design
Our engineering practices embed security throughout the development lifecycle. We follow both secure-by-design and privacy-by-design principles:
Secure-by-design: Minimise attack surface • Establish secure defaults • Defence in depth • Fail securely • Separation of duties
Privacy-by-design: Proactive protection • Privacy as default • Full lifecycle security • Transparency • User-centric controls
Code Review & Quality
All code undergoes mandatory peer review before release. Reviewers are trained in secure coding techniques and verify:
- Functionality against requirements
- Regression and dependency impacts
- Security principles and OWASP compliance
- Adherence to coding standards
No single individual can develop, test, and deploy changes without oversight.
Continuous Integration & Security Testing
Our CI/CD pipeline includes automated security controls:
- Static code analysis
- Dependency vulnerability scanning
- Endpoint API security testing
- Automated test suites
No code reaches production without documented test results and evidence of security remediation.
Penetration Testing
We conduct regular penetration testing using CREST-certified, fully independent third-party testers. This provides objective assurance that our platform can withstand real-world attack scenarios and validates the effectiveness of our security controls.
Developer Training
All developers receive annual secure development training covering OWASP Top 10 vulnerabilities, including injection attacks, XSS, CSRF, broken authentication, and secure session management.
Incident Response
Reporting Security Concerns
All personnel are required to report known or suspected security events, including policy violations and observed weaknesses. We have documented procedures for reporting and escalating security concerns.
Our Response
We maintain a documented Incident Response Plan with defined procedures for detection, containment, investigation, and remediation. Our team is prepared to respond promptly and transparently to any security events affecting your data.
Privacy
Our Commitment
We are committed to data privacy and compliance with relevant legislation. SaaScada acts as a data processor for customer data—our customers remain the data controllers for personal data uploaded to our platform in connection with our services.
We collect, use, and retain personally identifiable information only for legitimate business purposes. Our data handling practices comply with the UK General Data Protection Regulation (UK GDPR) and applicable data protection laws.
Your Rights
Under UK GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Withdraw consent to processing
- Data portability
If you have concerns about our use of your personal information, you can also complain to the Information Commissioner’s Office (ICO).
Full Privacy Policy
For complete details on how we gather and process personal information, please read our Privacy Policy.
Security Documentation
Penetration test reports, audit certifications, and security documentation are available on request. Please contact us to discuss your security requirements.