November 13, 2023

Protect your financial data & stay compliant with Abound

When you work with financial data, everyone expects you to take real, legitimate care to keep it safe.  Unfortunately, the fintech industry often lags behind the broader tech sphere when it comes to transparency, replacing old technologies, and embracing innovations that make it easier to secure systems.  Disturbingly, we’ve seen a number of newer fintech companies flout security and regulatory commitments and generally fail to treat sensitive data with the care & respect it deserves. 

When you work with us, we follow a number of core principles that help keep your data safe & your end users happy:

Keep humans out of the loop

When you use our systems to process data, we make sure as much as possible is fully automated and driven by your staff.  There’s no emailing CSVs around, uploading data to an outdated FTP server, or sending large packages of sensitive info to a CSM.  This helps limit the risk of human error, carelessness, or misjudgment.

We accept data in two ways: over our API via encrypted connections, or through a CSV upload process right inside your account.  If you do choose to upload CSVs, we put you in the driver’s seat by giving you direct access to the tools to correct faulty data, match data to our internal classifications, and monitor the status & success rates of any actions triggered by the import.  While we’re always ready to help out over at our support channels, we’ve set up our systems to make sure we don’t have to work directly with your data to make the system work.  

Transparent & direct security commitments

We’re upfront and honest about what we offer.  We’ve given you detailed information about our security commitments over at our security hub, including whitepapers, summaries of our core practices, and a real-time view into 50+ controls from our compliance monitoring system.  If you prefer more formality, our System Description in our SOC 2 report includes 15 pages (vetted annually by auditors) describing security commitments that we continuously uphold, and we make additional security commitments to our customers processing European resident data in a dedicated Data Protection Agreement (DPA) that makes sure we follow critical GDPR requirements.

We don’t think you should trust companies who are cagey or unclear about their security capabilities, who don’t prioritize handling your questions, or who haven’t taken the time to demonstrate what they can deliver before learning what you care about. Security is a business of verification & assurance, not just trust!

Work collaboratively with customers

We’ve done the prep work to make sure we can get through your internal approval processes without extra fuss.  To help make things easy for everyone, we have:

  • Several years of clean SOC 2 audits that describe our security capabilities & make sure we’re meeting them continuously throughout the year ✅
  • Data protection agreements (DPAs), so you have formal guarantees on how we handle sensitive data & to make sure we can help those outside the US with American tax reporting obligations 🇬🇧
  • Security experts (not procurement!) who are available to answer your questions & make sure you’re not stuck sending emails back and forth or waiting endlessly for responses 🤓📋
  • Strong default commitments for security, SLAs, and turnaround times on support issues–no negotiation required 😌 

Secure development

When we release changes to our system, we take extra care to make sure our development practices are rock solid, that we minimize foreseeable problems, and that we’re just as careful in securing our codebase as we are with our servers & laptops.  Every time we make a change to the production system, we do each of the following:

  • The change is reviewed for possible security risks using an automated external scanner (static code analysis)
  • Another developer looks at the code to make sure it’s correct and appropriate (peer review)
  • The code runs through our automated test suite, including in-house written tests, to catch bugs before they go live
  • Any code from external sources (like libraries and dependencies) is checked to make sure it doesn’t include known vulnerabilities
  • Two developers sign off before a change is moved to production
  • We have formal policies around how developers use machine learning or AI tools in the development process that help ensure AI assists don’t turn into AI mishaps

Don’t compromise on partners that follow checklists designed to secure corporate infrastructure, but fail to secure the actual product they’re releasing.  With the advent of developer-focused AI tools, it’s especially important for companies to have extra checks and balances over their codebase and make sure that any outsourced development is well-supervised.

Modern, integrated and thorough security systems

We’re a tech company with a tightly knit feedback loop between our security team, our engineering staff, and our customer-facing contact points.  We follow best practices on authentication and encryption, rely on trustworthy partners like AWS, and take advantage of the strong security features offered by modern technology.  We look for and patch security holes in our system, and use several layers of third party tools and outside partners to make sure we’re not fooling ourselves about the state of our platform.  If we hear from our partners that we’re not addressing a risk or concern, or that our customer agreements cause headaches for their compliance team, we’re quick to review & act on it.  While we’re not infallible, we take the essentials seriously and have a track record of executing well against them.

Wrap up

We hope this helps you get to know our security priorities & learn a bit more about our team.  If you want to dig in deeper, head on over to our security hub, take a look at the trust report from our compliance monitoring system, or check out more info on how we handle personal information, including for those in California.  If you want to see the system in action, go ahead and book a demo right from our homepage.

When you partner with Abound, you’re buying our services, but you’re getting our security assurances for free:

  • Send data over secure, modern, and well documented API interfaces
  • Run CSV imports yourself, right inside your account
  • Automated processing that doesn’t involve our staff
  • Clear & comprehensive security commitments
  • Multiple layers of security checks during development
  • Experienced & responsive security team
  • European data processing
  • Minor data processing (13 and over)
  • Humans that care & are empowered to act

If you need to get in touch with our security staff, you can always contact us at security@withabound.com, or reach out to any sales, support, or account representatives with your questions - we’ll make sure they end up in the right place. 

Authors

Tyler Vane
Systems Security Manager
