Enterprise-Grade Security

Security and compliance
you can build on

NexaFin's security programme is built to the standards demanded by the world's most regulated industry. Every layer of our infrastructure is designed to protect your business and your customers.

Certifications & Authorisations

Regulated and certified at every level

We hold the highest certifications available to a payment infrastructure company — not because we have to, but because our customers demand it.

FCA Authorised

FCA Reg. No. 924581

Authorised as an Electronic Money Institution and Payment Institution by the UK Financial Conduct Authority. Passporting rights across all EEA member states via Irish Central Bank licence.

PCI-DSS Level 1

Certificate No. PCI-2026-NF-001

The highest level of Payment Card Industry Data Security Standard compliance. Assessed annually by an independent Qualified Security Assessor (QSA). Covers all card data environments.

ISO 27001:2022

Certificate No. IS 8734829

Certified Information Security Management System (ISMS) meeting the 2022 revision of the international standard. Covers all NexaFin systems, processes, and personnel globally.

SOC 2 Type II

Available on request

Independent third-party audit of our Security, Availability, and Confidentiality trust service criteria. Audited by KPMG. Reports available to Enterprise customers under NDA.

GDPR

UK & EU GDPR

ICO Reg. No. ZA842913

Fully compliant with both UK GDPR (UK Data Protection Act 2018) and EU GDPR. Data Processing Agreements available for all customers. Standard Contractual Clauses in place for international transfers.

Cyber Essentials Plus

Cert. No. CE-2026-58291

UK government-backed Cyber Essentials Plus certification, verifying our technical security controls against common cyber threats. Independently tested by CREST-accredited assessors.

Multi-layer security architecture

NexaFin's payment infrastructure is designed with defence-in-depth principles. Multiple independent security layers ensure that no single failure or compromise can expose your business or your customers' data.

Multi-Region Active-Active Deployment

Production systems run simultaneously across three AWS regions (Ireland, London, Virginia) with automated failover in under 30 seconds. No single region failure can cause downtime.

Network Segmentation & Zero Trust

Payment processing systems are isolated in separate network segments. All internal service-to-service communication requires mutual TLS authentication. Zero-trust networking policy enforced throughout.

Continuous Security Monitoring

24/7 Security Operations Centre (SOC) monitoring with automated threat detection, SIEM integration, and 15-minute mean time to detection for anomalous behaviour.

Penetration Testing & Red Team Exercises

External penetration tests conducted quarterly by three independent security firms. Annual red team exercise simulating sophisticated nation-state-level attacks.

NexaFin Security Architecture External Internet Traffic Untrusted · All requests authenticated and rate-limited WAF · DDoS Protection · CDN Cloudflare Enterprise · 100Tbps DDoS capacity · TLS 1.3 termination API Gateway · Auth Service JWT validation · API key auth · Rate limiting · Request signing Application Layer (mTLS) Zero-trust · Encrypted service mesh · Audit logging Data Layer (AES-256) Encrypted at rest · KMS key management · HSM 24/7 SOC · SIEM · Threat Detection
Data Protection

How we protect your data

Multiple encryption layers, strict access controls, and regular independent audits ensure your data stays yours.

Encryption at Rest

All data encrypted with AES-256 at rest across every storage system. Database encryption, object storage encryption, and backup encryption are all enforced by default.

Encryption in Transit

All data in transit protected by TLS 1.3. Certificate pinning enforced in all mobile SDKs. HSTS headers with 2-year max-age on all web endpoints.

Card Data Tokenisation

Card numbers are never stored on NexaFin servers post-transaction. All card data immediately tokenised using PCI-DSS compliant vault. Network tokens issued from Visa and Mastercard directly.

Key Management

Encryption keys managed via AWS KMS with Hardware Security Module (HSM) backing. Key rotation enforced annually. Master keys split across three independent key custodians.

Access Controls

Role-based access control throughout. All admin access requires multi-factor authentication and VPN. Privileged access management (PAM) with just-in-time access provisioning.

Audit Logging

Comprehensive audit trail for all data access, modification, and deletion. Logs immutable and retained for 7 years. Real-time SIEM alerting on anomalous access patterns.

Fraud Shield · Real-Time Analysis 850+ Signals Evaluated Per Transaction < 50ms Average Decision Latency -87% Chargeback Rate Average Reduction

AI-powered fraud protection that learns

Fraud Shield is NexaFin's flagship AI fraud prevention system. Unlike rules-based systems that can be reverse-engineered and circumvented, Fraud Shield uses ensemble machine learning trained on 18 billion transactions across our entire customer network.

When fraud is detected on any transaction across our 3,800+ customer base, the signal is immediately incorporated into our models — protecting every customer from new attack patterns the moment they're identified. Fraud criminals can't test their techniques on small customers before scaling to larger ones.

Fraud Shield evaluates 850+ signals per transaction and returns a decision in under 50ms — fast enough to be invisible to your customers, accurate enough to reduce chargebacks by an average of 87%.

18B+
Transactions in training data
99.97%
True positive rate
0.08%
False positive rate

Responsible disclosure & bug bounty

We believe in the security community as a partner in keeping NexaFin and our customers safe. Our public bug bounty programme rewards researchers who find and responsibly disclose security vulnerabilities in our systems.

Our programme is managed in partnership with HackerOne and has paid out over £2.8M in bounties since launch in 2021. We maintain a hall of fame for top contributors and take pride in our average 6-hour response time to disclosed vulnerabilities.

We commit to:

  • Acknowledge all valid submissions within 24 hours
  • Provide status updates every 5 business days
  • Pay bounties within 14 days of validation
  • Not pursue legal action against researchers who follow our disclosure policy
Submit a Report →

Bounty Tiers

Severity CVSS Score Bounty Range
Critical 9.0 – 10.0 £10,000 – £50,000
High 7.0 – 8.9 £2,000 – £10,000
Medium 4.0 – 6.9 £500 – £2,000
Low 0.1 – 3.9 £100 – £500
Informational 0.0 Recognition only
In Scope:

api.nexafin.io, dashboard.nexafin.io, open-banking.nexafin.io, iOS/Android apps. Authentication, authorisation, payment processing, data access, PII exposure.