IT Security Overview
Last updated
Performativ, encompassing DORAedge, is an ISO 27001-certified fintech SaaS provider, committed to the highest standards of data protection and security. We comply with GDPR and align with NIST CSF 2.0 to ensure a strong security posture while delivering fast and scalable solutions for our clients.
Governance & Process
Security Leadership: Our CTO, with more than 20 years of experience leading core technology products at highly regulated financial institutions, owns the security strategy and chairs our Risk Control Group. The group brings together senior operational, technical and security staff, meets at least monthly to conduct organization-level incident post-mortems and risk assessments, and reports to the Board.
SecOps Team: A dedicated team oversees changes to security infrastructure, champions cloud security best practices and ensures adherence to compliance standards across the company. It also provides technical and process guard rails across the entire technology and data lifecycle.
Risk Management System: We operate a comprehensive, highly automated risk management system that is integrated with our technology and process tool chain and serves as the central, real-time control point for consolidating and managing risk across the company.
Procedures and Processes: We have formalized operational processes, from onboarding and offboarding of customers and their clients through to daily operational and data health checks, and we operate a comprehensive suite of controls and data reconciliation checks with discipline. Continuous learning and post-mortem activity are built in as a feedback loop to all core operational and technical activities, with a 24/7/365 incident rota providing global coverage for both first-line response and escalation to the CTO. For all our public policies, see our .
ISO 27001 Certification: We undergo an annual recertification process, supported by penetration testing. Continuous monitoring and control are achieved through automated risk management, supported by AWS Config and its NIST CSF conformance pack.
Guiding Principles: We keep up to date with and review the major security standards, select the ones most applicable to our clients, and maintain a cultural bias toward more security than is strictly required. We follow principles such as least privilege, shifting security left, and defense in depth, and we take part in the security and fintech communities.
IT Security
Access Control & Identity Management: Multi-factor authentication (MFA) and Single Sign-On (SSO) are enforced across all sensitive systems. Privileged access is granted only temporarily and is fully auditable. Performativ/DORAedge staff have no routine access to sensitive data; in exceptional cases, temporary, auditable access is requested through AWS Session Manager. Timely onboarding (including background checks) and offboarding (including access revocation) processes are rigorously enforced.
Network Security: Following the AWS Well-Architected Framework and AWS security best practices, our networks are partitioned into public, private and isolated layers with least-privilege Layer 3/4 filtering (security groups). All public-facing APIs and websites are additionally protected by a Layer 7 web application firewall (WAF).
Infrastructure Security: We apply a set of best-practice security policies, combined with active intrusion and threat detection and infrastructure-as-code patterns, to keep our cloud infrastructure configuration within security best-practice guidelines.
Software Security: We scan deployed binaries and enforce a patch-upgrade SLA, supported by tooling, so that vulnerabilities in compiled code or third-party libraries are identified and fixed quickly.
Web Security: We use standard libraries and frameworks that protect against the main web attack vectors, and we run continuous static analysis within our continuous delivery pipelines, including checks for known code-level security weaknesses and bad practices. All websites and APIs are deployed behind a Layer 7 web application firewall as standard, and we conduct penetration testing at least annually.
API Security: API services use OAuth2 with token rotation, mTLS, API keys and IP allowlisting. System-to-system trust is established per customer so that customers remain fully isolated from one another.
Device Security: We deploy monitoring and policy enforcement software agents to all staff devices for enhanced endpoint security.
Third-Party Risk Management: Suppliers are regularly assessed for security compliance. Key suppliers such as AWS and Auth0 are ISO 27001 and SOC 2 certified, and data protection clauses are embedded in their contracts.
Data Security
Data Inventory / Classification: We implement multitenancy through isolation of data stores. All stored data is classified according to whether it contains personally identifiable information or is otherwise sensitive; if in any doubt, we treat it as sensitive. All repositories of sensitive data are tagged automatically (via AWS CDK), and that tagging drives enforcement of the encryption, backup and retention rules.
Data Encryption: All sensitive data at rest is encrypted with AES-256. Data in transit uses TLS 1.3 with the AES_128_GCM cipher and X25519 key exchange.
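An added example (not Performativ/DORAedge code) of the tag-driven enforcement described above: a policy check that walks an inventory of data stores and, for every store whose tags mark it as sensitive (or whose classification tag is missing, mirroring the "if in any doubt" rule), confirms that encryption at rest, backup and a retention period are in place. The inventory, the tag keys (`DataClassification`, `ContainsPII`) and the retention ceiling are constructed assumptions; in practice the same checks would run as AWS Config rules over the tags CDK applies.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Tag keys and thresholds are assumptions made for this example.
CLASSIFICATION_TAG = "DataClassification"
PII_TAG = "ContainsPII"
NON_SENSITIVE = {"public", "internal"}   # only an explicit opt-out lifts the rules
REQUIRED_AT_REST = "AES-256"
MAX_RETENTION_DAYS = 3650                # hypothetical ceiling on how long a store may keep data


@dataclass
class DataStore:
    name: str
    kind: str                                  # "s3", "rds", "dynamodb", ...
    tags: dict[str, str] = field(default_factory=dict)
    at_rest_encryption: Optional[str] = None   # algorithm reported by the service, or None
    backup_enabled: bool = False
    retention_days: Optional[int] = None


def is_sensitive(store: DataStore) -> bool:
    """A store is sensitive unless explicitly tagged otherwise.

    A missing or unrecognised classification tag counts as sensitive, and a
    ContainsPII=true tag always does."""
    if store.tags.get(PII_TAG, "").lower() == "true":
        return True
    return store.tags.get(CLASSIFICATION_TAG, "").lower() not in NON_SENSITIVE


def findings_for(store: DataStore) -> list[str]:
    """Return the list of rule violations for one store (empty if compliant)."""
    if not is_sensitive(store):
        return []
    out: list[str] = []
    if store.at_rest_encryption != REQUIRED_AT_REST:
        out.append(f"encryption: expected {REQUIRED_AT_REST}, found {store.at_rest_encryption}")
    if not store.backup_enabled:
        out.append("backup: not enabled")
    if store.retention_days is None:
        out.append("retention: no retention period set")
    elif store.retention_days > MAX_RETENTION_DAYS:
        out.append(f"retention: {store.retention_days} days exceeds {MAX_RETENTION_DAYS}")
    return out


def evaluate(inventory: list[DataStore]) -> dict[str, list[str]]:
    """Map each non-compliant store's name to its findings."""
    return {s.name: f for s in inventory if (f := findings_for(s))}


# Constructed sample inventory; none of these are real resources.
INVENTORY = [
    DataStore("client-documents", "s3",
              {"DataClassification": "sensitive", "ContainsPII": "true"},
              "AES-256", True, 2555),                      # fully compliant
    DataStore("portfolio-db", "rds", {"DataClassification": "sensitive"},
              "AES-256", False, 2555),                     # backup missing
    DataStore("analytics-cache", "dynamodb", {},           # untagged: treated as sensitive
              None, True, None),                           # unencrypted, no retention
    DataStore("marketing-assets", "s3", {"DataClassification": "public"},
              None, False, None),                          # explicitly non-sensitive: no rules apply
]

if __name__ == "__main__":
    for name, issues in evaluate(INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The default-to-sensitive posture is the important design choice: a store that nobody classified is the one most likely to be mis-handled, so the absence of a tag must fail closed rather than silently exempt the resource.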
Data Privacy: Access to sensitive data by Performativ/DORAedge personnel is prohibited during routine operations. Highly sensitive data, such as access credentials, is stored separately under independent keys. Short-lived access can be granted for critical operational support or, by arrangement, for operational roles.
Data Ownership: We ensure you can easily access or export your data, supporting open API standards and integration flexibility. Your data is never locked into our platform: you can export it to interoperate with other systems, or take it with you if you leave us. We do not share it with third parties unless they are engaged under data processing agreements as vital to the operation of our services.
Data Sovereignty: Client data is stored regionally and is never transferred across regions unless required. Our default region is Stockholm (EU), but we support non-EU data residency where your local regulatory requirements or policy call for it.
Data Backup: All client data is backed up to independent backup accounts in a secondary EU region, outside the primary region. Backups are taken at least once a day into encrypted data stores and can be used to restore service in the event of an incident.
Confidentiality: Access to client data is on a need-to-know basis in order to best serve and provide support to the customer.
DORAedge systems run on domain-specific services that work with data structures as lean as possible, minimizing the number of services that have access to client names.
All data in the DORAedge system is available through modern, secure APIs. Depending on security settings, access is controlled with signed JSON Web Tokens (JWT). Front-end resources do not store confidential information in the browser or app cache.
We use OpenAI's LLM models as the basis for our AI features. OpenAI is SOC 2 and ISO 27001 compliant and encrypts data at rest (AES-256) and in transit (TLS 1.2+). Ownership of your data remains with you, and OpenAI does not train models on any data you provide. We contract only with OpenAI's European subsidiary.
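An added example, not DORAedge's own code, of the checks an API should make on a JWT bearer token before honouring a request; it serves both the token-based API access described here and the OAuth2 access tokens mentioned under API Security. It uses HS256 with a shared secret constructed for the example, and the issuer and audience values are assumptions; a production service would more likely verify an asymmetric signature against keys fetched from the identity provider, but the sequence is the same: pin the algorithm (so a token claiming `alg: none` or a different algorithm is refused before any crypto runs), verify the signature over the exact bytes received, then check `exp`, `iss` and `aud`. Token rotation only provides protection if the `exp` check is actually enforced.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example; a real service loads its verification key from
# the identity provider (e.g. a JWKS endpoint) rather than embedding a secret.
SECRET = b"constructed-demo-secret-do-not-use"
ISSUER = "https://auth.example.test/"   # assumed issuer claim
AUDIENCE = "doraedge-api"               # assumed audience claim
ALLOWED_ALG = "HS256"                   # pinned server-side, never read from the token


class TokenError(Exception):
    """Raised for any reason the token must be refused."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (ValueError, TypeError) as exc:
        raise TokenError("invalid base64url segment") from exc


def sign_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact JWS (header.payload.signature) using HS256."""
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, *, secret: bytes = SECRET, issuer: str = ISSUER,
                 audience: str = AUDIENCE, now: Optional[float] = None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Algorithm pinning: the header is untrusted input until the signature checks out.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != ALLOWED_ALG:
        raise TokenError(f"unexpected alg {header.get('alg')!r}")

    # 2. Signature over the raw header.payload bytes as received, constant-time compare.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("signature mismatch")

    # 3. Claims: only trusted once the signature has been verified.
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired or missing exp")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise TokenError("wrong audience")
    return claims


if __name__ == "__main__":
    demo = sign_token({"sub": "client-42", "iss": ISSUER, "aud": AUDIENCE,
                       "exp": int(time.time()) + 300})
    print(verify_token(demo)["sub"])
```

The order of the checks is deliberate: nothing in the payload is consulted until the signature has been verified, and the signature is computed over the base64url segments exactly as received rather than over re-serialised JSON, so a verifier cannot be tricked by a payload that re-encodes differently.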