Security & Compliance

Certifications & Standards

ISO 27001:2013

Privé Technologies is ISO 27001 certified for Information Security Management.

What This Means:

• Systematic approach to managing sensitive information
• Regular security audits and penetration testing
• Documented security policies and procedures
• Continuous improvement of security controls

Certificate Details: View Certificate →

Compliance Framework

Privé supports compliance with:

• MiFID II (Markets in Financial Instruments Directive)
• GDPR (General Data Protection Regulation)
• SOC 2 Type II (in progress)
• PCI DSS (for payment processing integrations)

Data Protection

Encryption

Data in Transit:

• All API traffic uses TLS 1.2+ encryption
• Perfect Forward Secrecy (PFS) enabled
• Strong cipher suites only (AES-256-GCM)

Data at Rest:

• Database encryption using AES-256
• Encrypted backups stored in geographically distributed locations
• Automatic key rotation every 90 days

Tokenization:
Sensitive fields (SSN, tax IDs, account numbers) are tokenized:

{
  "clientName": "John Doe",
  "taxId": "tok_1a2b3c4d5e6f",  // Tokenized
  "accountNumber": "tok_9z8y7x6w5v4u"  // Tokenized
}

Access Controls

Authentication:

• JWT tokens with short expiration (4-8 hours)
• No refresh tokens (prevents token theft escalation)
• Password complexity requirements enforced

Authorization:

• Role-Based Access Control (RBAC)
• tenant isolation (multi-tenancy)
• Resource-level permissions

Audit Trails:
Every API call is logged with:

• Timestamp
• User/company identity
• Endpoint accessed
• Request parameters (excluding sensitive data)
• Response status
• Request ID for tracing

API Security Best Practices

1. Protect Your Credentials

❌ Never Do This:

# Hardcoded credentials
username = "[email protected]"
password = "MyPassword123"

✅ Use Environment Variables:

import os

username = os.environ['PRIVE_USERNAME']
password = os.environ['PRIVE_PASSWORD']

✅ Use Secret Management:

from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
client = SecretClient(vault_url="https://myvault.vault.azure.net/", credential=credential)

username = client.get_secret("prive-username").value
password = client.get_secret("prive-password").value

2. Rotate Credentials Regularly

• Change passwords every 90 days
• Immediately rotate if credential compromise suspected
• Use different credentials for UAT and Production

3. Secure Token Storage

❌ Don't Store in:

• Local storage (web browsers)
• Cookies without HttpOnly and Secure flags
• Version control
• Application logs

✅ Store In:

• Encrypted session storage
• Secure backend storage
• Memory only (for short-lived processes)

4. Validate All Inputs

Even though Privé validates on the server, validate on your end too:

import re

def validate_prive_key(key):
    # priveKeys follow pattern: PRVXXX-XXXXXX
    pattern = r'^PRV[A-Z]{3}-[A-Z0-9]{6}$'
    if not re.match(pattern, key):
        raise ValueError(f"Invalid priveKey format: {key}")
    return key

def validate_date(date_string):
    # Ensure YYYY-MM-DD format
    try:
        datetime.strptime(date_string, '%Y-%m-%d')
        return date_string
    except ValueError:
        raise ValueError(f"Invalid date format: {date_string}")

5. Implement Request Signing (Advanced)

For high-security scenarios, sign requests with HMAC:

import hmac
import hashlib
import time

def sign_request(method, path, body, secret_key):
    timestamp = str(int(time.time()))
    
    message = f"{method}\n{path}\n{timestamp}\n{body}"
    signature = hmac.new(
        secret_key.encode(),
        message.encode(),
        hashlib.sha256
    ).hexdigest()
    
    return {
        'X-Request-Timestamp': timestamp,
        'X-Request-Signature': signature
    }

headers = sign_request('POST', '/users/3/tenant123', json.dumps(payload), api_secret)

Data Residency & Privacy

Geographic Data Storage

Privé supports region-specific deployments to comply with data residency requirements:

Specifying Region:
Your tenant is provisioned in a specific region. Confirm with your Privé representative.

GDPR Compliance

Data Subject Rights:

• Right to Access: Retrieve client data via APIs
• Right to Rectification: Update client data via PUT endpoints
• Right to Erasure: Delete client data via DELETE endpoints
• Right to Portability: Export data in JSON format

Example: Export Client Data (GDPR Request)

def export_client_data(prive_key):
    client = get_client(prive_key)
    accounts = get_accounts(prive_key)
    transactions = get_transactions(prive_key)
    documents = get_documents(prive_key)
    
    export = {
        'client': client,
        'accounts': accounts,
        'transactions': transactions,
        'documents': documents,
        'exported_at': datetime.now().isoformat()
    }
    
    return json.dumps(export, indent=2)

Data Retention

Incident Response

Reporting Security Issues

If you discover a security vulnerability:

🚨 Do NOT:

• Post in public forums
• Share details on social media
• Exploit the vulnerability

✅ Do:

1. Email [email protected]
2. Include:
   • Description of vulnerability
   • Steps to reproduce
   • Potential impact
   • Your contact information

Response Timeline:

• Initial acknowledgment: Within 24 hours
• Severity assessment: Within 48 hours
• Remediation: Based on severity (critical: 7 days, high: 30 days)

Breach Notification

In the event of a data breach affecting your tenant:

• Notification within 72 hours (GDPR requirement)
• Details of affected data
• Remediation steps taken
• Recommendations for your users

Penetration Testing

Privé undergoes:

• Annual third-party penetration testing
• Quarterly vulnerability scans
• Continuous security monitoring

Customer Penetration Testing:
If you wish to conduct penetration testing on your Privé integration:

1. Notify Privé 30 days in advance
2. Scope testing to your tenant only
3. Schedule during agreed maintenance windows
4. Share findings with Privé security team

Network Security

IP Whitelisting

For enhanced security, restrict API access to specific IPs:

POST /restful/settings/security/ip-whitelist
Authorization: Bearer {token}

{
  "allowedIPs": [
    "203.0.113.10",
    "203.0.113.20/32",
    "198.51.100.0/24"
  ]
}

Webhook Security

When receiving webhooks from Privé, verify signatures:

import hmac
import hashlib

def verify_webhook(payload, signature, webhook_secret):
    expected_signature = hmac.new(
        webhook_secret.encode(),
        payload.encode(),
        hashlib.sha256
    ).hexdigest()
    
    return hmac.compare_digest(signature, expected_signature)

# In webhook handler
if not verify_webhook(request.body, request.headers['X-Webhook-Signature'], WEBHOOK_SECRET):
    return 401  # Reject invalid signature

Compliance Reporting

Audit Trail Access

Export audit logs for compliance reviews:

GET /restful/audit/logs?startDate=2024-01-01&endDate=2024-12-31
Authorization: Bearer {token}

Response:

{
  "logs": [
    {
      "timestamp": "2024-06-15T14:23:10Z",
      "user": "[email protected]",
      "action": "CREATE_CLIENT",
      "resource": "CLIENT-12345",
      "ipAddress": "203.0.113.45",
      "status": "SUCCESS",
      "requestId": "req_abc123"
    }
  ]
}

Regulatory Reports

Privé can generate compliance reports for:

• MiFID II transaction reporting
• Position reporting
• Best execution reports

Contact your Privé representative to enable regulatory reporting for your tenant.

Security Checklist

Before going to production, ensure:

• Credentials stored in secure vault (not hardcoded)
• Separate UAT and Production credentials
• TLS/HTTPS enforced on all connections
• Token expiration handling implemented
• Error messages don't expose sensitive data
• Input validation on all user-provided data
• Rate limiting respected
• Audit logging enabled in your application
• Incident response plan documented
• GDPR data export process tested
• Security training completed for developers