Syncfy, the most secure Open Finance platform

At Syncfy, our number one priority is to protect financial information.

As the leading Open Finance API, we are aware of how important it is to guarantee the security and confidentiality of data. To achieve this, we use a Zero Trust security model that allows us to always protect clients’ data.

What is the Zero Trust security model?

The Zero Trust security model is based on the premise that no entity, whether inside or outside the organization, can be fully trusted to have access to the organization's systems and data. In other words, every user, device, and system must be authenticated, authorized, and verified before access is granted. It's about verifying first and then trusting.

How is the Zero Trust model applied at Syncfy?

We adopt the Zero Trust model to protect our customers' financial data. Every API request we receive must go through multiple layers of authentication and authorization before being processed. In addition, we monitor to detect any suspicious activity and prevent unauthorized access to our customer information.

Authenticate and secure all network connections.

All network connections established between the parties involved, including internal services, external resources, administrators, and users, must be authenticated, and encrypted end-to-end. Data in transit and at rest is protected with different security measures.

Control access to resources and services.

Access to resources and services is authorized in accordance with the principles of minimum necessary access and minimum privilege to ensure that each user has access only to the resources they require to carry out their tasks. Access to confidential or critical resources is restricted through authentication and authorization mechanisms.

Always check and don't trust automatically.

A zero-trust approach is established, meaning the identity and behavior of users, devices and services will always be verified before allowing access to resources. This way, the attack surface is minimized.

Limit the time spent accessing resources.

Temporary and limited access is granted to the resources and services needed to complete a specific task.

Reduce the attack surface.

To reduce exposure to potential threats, the attack surface is constantly limited, segmented, and monitored. These actions are performed by applying security policies and strict access protocols, as well as firewalls, intrusion detection and prevention systems, among others.

How do we protect our infrastructure?

Syncfy uses numerous security measures at the server levels, physical and network, to protect the infrastructure against potential security threats. These include network segmentation, firewalls, intrusion detection systems, monitoring and alerting, remote access control, and server security. This ensures the availability, integrity and confidentiality of the systems and data that Syncfy manages.

Server security.

We regularly update our operating systems and services, use custom installations, and follow best practices, allowing us to be rigorous in configuring and enforcing access and service log policies.

Physical access.

We have physical surveillance and protection measures with modern 24x7 surveillance systems to prevent unauthorized access to our data centers.

Web Application Firewall (WAF).

Syncfy uses a WAF to protect web applications against potential vulnerabilities and attacks.

Intrusion protection.

An intrusion detection system (IDS) is responsible for monitoring and alerting potential security threats. In addition, servers and services are continuously monitored to detect any problems.

Remote access control.

To ensure security and control remote access to systems, mechanisms such as VPN, RSA encryption algorithms, and RBAC (role-based access control)  have been implemented.

How do we protect data in transit?

Protecting data in transit is crucial to ensuring the privacy and security of tax and financial information. In order to ensure the secure handling of all information,we implement security measures, such as secure encryption protocols for data transmission, security certificates to authenticate connections, and access controls to limit who can access data during transmission.

In addition, we ensure that our employees are trained in information security practices and can adequately protect data in transit and minimize the risk of exposure to sensitive data.

Secure HTTP (HTTPS). Syncfy uses the HTTPS protocol to protect communication between the user's browser and the Syncfy server. HTTPS uses the SSL/TLS protocol to encrypt the data that is transmitted between the client and the server, ensuring that the data cannot be intercepted or modified by third parties.

  • TLS 1.2 and 1.3. Syncfy uses the TLS 1.2 and 1.3 protocols to establish secure connections using end-to-end encryption and protect data in transit.
  • HTTP/2. Syncfy uses the HTTP/2 protocol to improve the speed of data transfer and reduce latency, which improves the user experience.

Authentication. Syncfy requires users to authenticate before accessing their data. They can do this using a variety of authentication techniques, such as the use of usernames and passwords, API keys, and session tokens.

Inbound file analysis. Syncfy uses antivirus and antimalware software on all computers to detect and prevent attacks.

Data encryption. Syncfy uses encryption techniques to protect data in transit and at rest. The data is encrypted using advanced encryption algorithms, thus ensuring that the data is unreadable to third parties.

Registration of requests. Syncfy logs all incoming and outgoing requests to detect and prevent unauthorized access attempts.

Obfuscation of sensitive data. Syncfy uses obfuscation techniques to hide sensitive information, such as usernames and passwords.

How do we protect data at rest?

For Syncfy, data security at rest is a priority. We use a combination of advanced security measures and state-of-the-art encryption technologies. This ensures that the tax and bank information we handle will always be safe and protected.

The security measures we use include AES 256 encryption keys, a hardware security module (HSM) for storing encryption keys, robust data management policies, key rotation, business data isolation, and data masking, among others. We regularly back up data and offer the option of destroying data if requested by our customers.

Encryption of sensitive data

Syncfy uses encryption techniques to protect businesses' sensitive data. This means that any sensitive information is encrypted before being stored in the database and can only be decrypted using a special encryption key, so even if an attacker intercepts the data, it can’t be read.


These are carried out regularly to ensure the availability and protection of data in the event of loss or damage. Techniques such as incremental, differential or full backups, among others, can be used to make backups.

Advanced security protocols

Syncfy uses advanced security protocols to protect data at rest, such as end-to-end encryption and user authentication to prevent unauthorized access to data.

  • Key rotation. To further protect data at rest, Syncfy regularly rotates encryption keys. This ensures that even in the remote event that a key is compromised, the damage is limited to a small set of data.

Strict information management policies.

Syncfy has clear and strict data management policies to ensure the protection of data at rest. These policies include restricted access to sensitive data, ongoing monitoring of each user's activities, and implementing additional security controls, as needed.

  • Expiration of data and records. Syncfy sets expiration dates for data and access logs to ensure that data is not stored longer than necessary and is securely deleted when it is no longer needed.

  • Destruction of data at the user's request. Syncfy guarantees the deletion of data at any time. Syncfy complies with these requests quickly and securely to ensure that data is permanently deleted.

  • Data isolation. Syncfy uses data isolation techniques to keep data separate and secure between different areas of the company. The purpose of this is to protect the confidentiality and security of data, limiting access only to employees who need to use it to carry out their tasks. This security measure also applies to ensure that the data of each Syncfy customer is protected and separated from the data of other companies that use the company's services.

  • Data masking. Syncfy uses data masking techniques to protect sensitive data at rest. This involves replacing sensitive data with fictitious values to protect them from unauthorized access.

Safety Culture at Syncfy

Security is a top priority at Syncfy and is an integral part of its business culture. The company seeks to ensure that user information and financial and fiscal data, in addition to credentials, are protected against any type of security threat.

Syncfy strives to maintain a high level of security through a variety of security practices and policies:

Continuous improvement.

At Syncfy, continuous improvement is an important practice in the safety culture. We strive to keep up with the latest security threats and to adapt to the changing needs of its customers and the market. To achieve this, the company continuously implements new security policies and technologies, and we ensure that all security practices are constantly evaluated and improved.

ISO 27001

Syncfy obtained ISO 27001 certification, which means that it complies with international information security standards. Syncfy is committed to keeping its security practices up to date and undergoes regular audits to confirm that it meets the requirements of the standard.

Pen testing and risk inspections.

Security experts perform periodic penetration tests and inspections to identify vulnerabilities and assess the resilience of systems. This approach ensures that Syncfy follows security best practices and undergoes a process of constant improvement.

Ongoing training on cybersecurity issues.

Syncfy constantly trains its employees on information security so that they are alert to security risks and threats. Employees are instructed on how to detect and report potential threats and take preventive measures to keep data secure.

Safety is everyone's responsibility.

At Syncfy, information security is a shared responsibility. All employees are instructed to report any suspicious activity, which helps ensure that security issues are detected and addressed in a timely manner. In addition, a culture of safety is promoted through different awareness-raising initiatives.

Secure coding practices.

Syncfy developers follow secure coding practices to ensure that software is protected against security vulnerabilities. In addition, the company uses code security analysis tools to identify security issues during the development process.


Open Web Application Security Project (OWASP) is a global community dedicated to improving software security. We follow OWASP recommendations to develop and keep our applications and systems secure. This includes using tools to detect and prevent security vulnerabilities, reviewing code to discover potential problems, and always implementing good security practices.

Restrictive data access protocols.

To ensure that only authorized users have access to the necessary information, Syncfy uses restrictive access protocols. In addition, confidential and personal information is shared only with authorized individuals and is handled with the highest degree of privacy. All Syncfy systems and applications are designed to limit access to data to only those users who require it.

Limited scope for troubleshooting.

Security issues are addressed and resolved within a limited and defined scope. This means that security teams have a clear framework for addressing issues and don't waste time on issues that are beyond their reach or competence. It also helps to ensure that solutions are specific and focus on areas that need attention.

Access limited by time.

We control and monitor access to sensitive systems and data. Access is granted only for the time needed to complete a specific task and is revoked immediately thereafter. This reduces exposure to security threats and ensures that sensitive information is always protected. In addition, we implement monitoring and logging mechanisms to detect and alert in real time about any suspicious activity.

The security culture at Syncfy.

Is based on the implementation of rigorous security measures at all stages of software development and system operation. From training all employees in security to implementing restrictive data access protocols, to performing penetration tests and regular external audits, the goal is to ensure that the privacy and security of our customers' information is always a top priority.

Syncfy securitySyncfy, the most secure Open Finance platform.