Security & Compliance

Trust and Data protection

We understand how important data protection is and take the trust that our customers put in us very seriously.

Our customers are amongst the highly regulated financial institutions, including tier-1 banks, and they trust us with their onboarding and ongoing transaction monitoring processes. Protection and privacy of our customers' information is front of mind and embedded in everything we do at FrankieOne.

With strong leadership commitment and support, we have built a trust and data protection system consisting of:

  • Independent external audit and compliance (see the Independent Verification section)
  • Information security and cyber resilience (see the Security and Product sections)
  • Privacy by design (see the Privacy and Product sections)
  • Reliability by design (see the Reliability section)

Independent Verification

We demonstrate our commitment to protecting our customers' data with independent certification and attestation to the highest standards.

As a global fintech leader, we take your security seriously. Our commitment to safeguarding your financial well-being is unwavering. We undergo regular, rigorous audits by independent, accredited experts. We proudly hold the ISO 27001:2022 security certification, demonstrating our dedication to the latest security practices.


What's more, we hold a SOC 2 Type 2 compliance attestation, showcasing our adherence to the strictest security standards. To ensure our platform meets this high bar, we subject it to regular external security penetration tests.


Our security practices and controls are under constant scrutiny, surpassing the stringent requirements of our predominantly regulated financial clientele.


Security

We implement top-tier industry security practices and risk management throughout all aspects of our operation, including people, processes, technology, and third-party engagements.

Organisational Security

We have robust leadership commitment and unwavering support for FrankieOne's Information Security Management System. FrankieOne boasts comprehensive risk management policies and programs, along with a suite of information security policies that align seamlessly with ISO 27001 and SOC 2 standards.

At FrankieOne, we prioritise security and resilience in our operations. We have established robust Business Continuity and IT Disaster Recovery Plans, subject to regular testing to ensure their effectiveness. To fortify our defences, we've integrated a continuous and automated security controls monitoring platform, Drata. Drata empowers us with policy enforcement, risk management, and compliance assurance.

Our commitment to security extends to our people and contractors, who receive regular security training. In particular, our engineers undergo comprehensive training in secure code development, covering application and system security risks and mitigation, as an integral component of our security awareness program. As part of our thorough onboarding process, all new team members are required to undergo comprehensive background checks, including police checks and AML screening.

Additionally, we have a stringent off-boarding process in place to ensure swift access revocation and remind departing team members of their ongoing confidentiality obligations.

Our dedication to security extends to our network of third-party suppliers. We rigorously evaluate and perform security due diligence on them in alignment with Frankie's Third-party Risk Management Process.

Application & Operations Security

FrankieOne hosts its platform with a premier cloud provider, Amazon Web Services (AWS), known for its reliability and compliance with the highest industry standards. An overview of the security, privacy and compliance program that AWS provides is available from AWS Compliance Programs.

Customers' data is protected with bank-grade encryption in transit using TLS 1.2 or above. We also encrypt data in-application using unique customer keys, and again at rest using AES-256-GCM, with SHA-512 used for hashing.

Access management policies and processes follow the principle of least privilege, ensuring that only authorised users have access to systems and data. Multi-factor authentication is enforced for all systems and services.

Security is embedded in every phase of our CI/CD (Continuous Integration and Continuous Delivery) pipeline and SDLC (Software Development Lifecycle). This includes, among other controls, security assessments and threat modelling, vulnerability scanning, peer code review, penetration testing, logging and monitoring, a WAF, access controls, and patching and vulnerability management.

FrankieOne has Security Incident Response and Data Breach Response Plans that are tested on a regular basis, with lessons learnt feeding back into our continuous improvement approach.

Responsible Disclosure Program

To report a security vulnerability, please refer to our Responsible Disclosure Program. If you need to send us an encrypted message, use our published PGP key.

Privacy

We build our platform with privacy by design

Privacy is at the core of our platform's design philosophy. FrankieOne adheres to the stringent provisions of the Australian and New Zealand Privacy Acts, as well as GDPR, encompassing the requisite notifiable data breach obligations.

Find out more in the FrankieOne Privacy Policy.

Reliability

We built our platform with reliability in mind, so that it scales with our customers' needs and is available when customers need it.

Cloud Native - Scaling, Resiliency, Redundancy

The FrankieOne platform is designed specifically to operate in a cloud environment. This means that every component in the system is designed to handle failure modes gracefully and to be ephemeral in nature. Cloud native applications and services are designed so that the failure of one part does not affect another, keeping data safe and always erring on the side of caution.

Being cloud native also means being designed to leverage the major benefits of cloud systems, namely redundancy and scalability. To that end, every service and data source that makes up the Frankie platform is duplicated across multiple datacentres in an all-active configuration, so that even the complete failure of an entire datacentre's infrastructure will not affect service availability. That duplication also means that the platform can scale to meet demand as needed.

Backups

The Frankie platform maintains all-active sites in order to provide the highest levels of service availability. Backups remain crucial nonetheless, especially should the need arise to move services to an alternative provider or to recreate a copy of the production service.

All databases and data stores are therefore backed up on a regular basis.

Failover

As mentioned, the Frankie platform runs on multiple sites in an all-active configuration. Traffic is load-balanced across all sites both to spread the load and to maintain availability. Internally, all systems at all layers are also load-balanced, so that multiple instances of every service are always available.

Availability

Our service commitment is 99.95% uptime. Visit FrankieOne's Status page https://status.frankieone.com/ for our service status and for what's new and coming soon.

Product Security & Privacy

Our product, service and platform have built-in security and privacy features.

  • Portal Access management

Our Portal is built with role based access control capability allowing customers to manage access to data via fine-grained permissions.

To learn more, refer to our Developer Hub documentation: https://apidocs.frankiefinancial.com/docs/portal-permissions

  • Portal Multi-Factor Authentication (MFA) and SSO

MFA is an essential and very effective security measure, reported to block 99.9% of account attacks, and it is available to our Portal customers to provide a high standard of account protection. SSO and MFA are available to all customers, regardless of their plan. We feel that security should be for everyone, not just for "Enterprise" customers.

To learn more, refer to our Developer Hub: https://apidocs.frankiefinancial.com/docs/multi-factor-authentication#enabling-multi-factor-authentication-in-the-portal and https://apidocs.frankiefinancial.com/docs/configuring-sso-with-the-frankieone-portal

  • API Authentication

FrankieOne API provides a secure authentication mechanism.

To learn more, refer to our Developer Hub: https://apidocs.frankiefinancial.com/reference/authentication

  • Data Encryption

Customers' data is protected with bank-grade encryption in transit using TLS 1.2 or above. We also encrypt data in-application using unique customer keys, and again at rest using AES-256-GCM, with SHA-512 used for hashing.

To learn more, refer to the data security section lower on this page.

  • GDPR

Privacy by design ensures that our customers achieve immediate compliance, retaining complete control over their data right from the outset.

To learn more refer to FrankieOne Privacy Policy

Please refer to the Application & Operations Security and Privacy sections above to learn more.

How we keep our customers' data secure

Our Guiding Principles

The safety and security of our customers' data is fundamental to the DNA of FrankieOne. We believe and operate under the framework that your data is yours, and yours alone. We make sure that:

  1. Our service is designed to ensure that you control access to your data.
  2. All data is securely stored using AES-256 encryption. This is one of the strongest and most robust encryption standards commercially available today, trusted by banks and other financial institutions globally.

How we keep your data secure

When storing sensitive data on your behalf, we need to ensure that it is safe, and retrievable when you need it. To do this, we store your data in two separate but equally secure ways.

Storage

Every customer has a set of keys that we use to encrypt your data. Every record gets its own unique key, so as to ensure that even if one record is cracked, the others remain safe. We use bank-grade AES-256-GCM encryption to secure your data before it goes into our document vault.

The document vault is also encrypted at the storage layer (encryption at rest), again using AES-256-GCM with a different set of keys, making doubly sure your data is safe and only visible to you.

Retrieval

To find your data again, we need to create a secure yet searchable index that does not expose your data. To do that we take a hash of your data (we use a salted SHA-512 hash, generally considered beyond bank-grade). This hash is a one-way scrambling process that cannot be reversed. The hash is then saved with an encrypted mapping to your stored data, again using your unique keys to secure this map.

When you wish to search your data, we take your search criteria, recreate your secure hashes, and look those up in the index database. From there we can retrieve your data, returning the decrypted information you entrusted us with.
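As an added illustration (not FrankieOne's code; the page does not publish its implementation), the Go program below models the storage and retrieval scheme described above: a fresh AES-256-GCM key per record, wrapped under a per-customer key, and a salted SHA-512 index. The Vault type, the choice of HMAC-SHA512 with a per-customer secret salt as the "salted hash", and the 32-byte sample keys are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
)

// Record: the per-record key wrapped under the customer key + AES-256-GCM ciphertext of the value.
type Record struct{ WrappedKey, Ciphertext []byte }
// Vault: one customer's 32-byte keys (constructed for this example) and its searchable index.
type Vault struct {
	CustomerKey, IndexSalt []byte            // the salt is a per-customer secret (assumption)
	Index                  map[string]Record // HMAC-SHA512(IndexSalt, plaintext) -> Record
}
func gcmFor(key []byte) cipher.AEAD { // keys are always 32 bytes here, so no error path
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
func seal(key, pt []byte) []byte { // output: random 12-byte nonce || ciphertext || tag
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcmFor(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) { // the GCM tag check rejects any tampering
	return gcmFor(key).Open(nil, ct[:12], ct[12:], nil)
}
func (v *Vault) indexKey(value []byte) string { // salted, one-way, reproducible
	mac := hmac.New(sha512.New, v.IndexSalt)
	mac.Write(value)
	return string(mac.Sum(nil))
}
func (v *Vault) Store(value []byte) { // fresh key per record, wrapped for storage
	recordKey := make([]byte, 32)
	rand.Read(recordKey)
	v.Index[v.indexKey(value)] = Record{seal(v.CustomerKey, recordKey), seal(recordKey, value)}
}
func (v *Vault) Lookup(criteria []byte) ([]byte, error) { // a miss returns (nil, nil)
	rec, ok := v.Index[v.indexKey(criteria)] // recreate the hash and look it up
	if !ok {
		return nil, nil
	}
	recordKey, err := open(v.CustomerKey, rec.WrappedKey) // unwrap, then decrypt
	if err != nil {
		return nil, err
	}
	return open(recordKey, rec.Ciphertext)
}
```

Because the index hash is deterministic for a given salt, equal plaintexts map to the same entry, which is what makes lookup possible and also why the salt must be kept as secret as the keys. A tampered ciphertext fails the GCM tag check and is rejected rather than decrypting to garbage.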


Safety in transmission too

We obviously need to transfer your data to and from your own service, as well as within our own network in order to both store and verify it. Even when data is in transit, it is securely encrypted using TLS v1.2 (or greater). At no time does your data end up in the clear.

Don’t just take our word for it

FrankieOne has been ISO 27001 certified since November 2019, soon after we first went live. This means our processes, people and practices have all been reviewed, tested and independently audited by GCC (Global Compliance Certification), a global and accredited certification organisation.

In September this year, FrankieOne also received a clean SOC 2 Type I attestation report, as audited by SSF (Sensiba San Filippo), a firm of certified public accountants and business advisors, with our Type II report expected in January 2023. The report provides proof (in addition to our ISO 27001 certification) of our commitment to implement, audit and measure our security and privacy framework to ensure we operate to the highest standards for security, confidentiality and availability.

On top of our own internal continuous monitoring and testing, we also undergo regular independent pen-tests by CREST certified independent testers from Cyber-Risk. Their job is to try and break in and/or exploit our service before the bad actors do. If they ever find an issue, we ensure that addressing it becomes our number one priority, with a fix being put in place ASAP.

It’s your data

Because your data is encrypted using keys unique to you, it means that we:

  • Cannot see or modify your data
  • Cannot mix up your data with any other customer’s data
  • Cannot sell your data to third parties

Your data is yours, and yours alone. This is our promise to you. 

Our security framework is the backbone of FrankieOne. Want to know more? Email us at security@frankieone.com.
