NexaFin's security programme is built to the standards demanded by the world's most regulated industry. Every layer of our infrastructure is designed to protect your business and your customers.
We hold the highest certifications available to a payment infrastructure company — not because we have to, but because our customers demand it.
Authorised as an Electronic Money Institution and Payment Institution by the UK Financial Conduct Authority. Passporting rights across all EEA member states via Irish Central Bank licence.
The highest level of Payment Card Industry Data Security Standard compliance. Assessed annually by an independent Qualified Security Assessor (QSA). Covers all card data environments.
Certified Information Security Management System (ISMS) meeting the 2022 revision of the international standard. Covers all NexaFin systems, processes, and personnel globally.
Independent third-party audit of our Security, Availability, and Confidentiality trust service criteria. Audited by KPMG. Reports available to Enterprise customers under NDA.
Fully compliant with both UK GDPR (UK Data Protection Act 2018) and EU GDPR. Data Processing Agreements available for all customers. Standard Contractual Clauses in place for international transfers.
UK government-backed Cyber Essentials Plus certification, verifying our technical security controls against common cyber threats. Independently tested by CREST-accredited assessors.
NexaFin's payment infrastructure is designed with defence-in-depth principles. Multiple independent security layers ensure that no single failure or compromise can expose your business or your customers' data.
Production systems run simultaneously across three AWS regions (Ireland, London, Virginia) with automated failover in under 30 seconds. No single region failure can cause downtime.
Payment processing systems are isolated in separate network segments. All internal service-to-service communication requires mutual TLS authentication. Zero-trust networking policy enforced throughout.
24/7 Security Operations Centre (SOC) monitoring with automated threat detection, SIEM integration, and 15-minute mean time to detection for anomalous behaviour.
External penetration tests conducted quarterly by three independent security firms. Annual red team exercise simulating sophisticated nation-state-level attacks.
Multiple encryption layers, strict access controls, and regular independent audits ensure your data stays yours.
All data encrypted with AES-256 at rest across every storage system. Database encryption, object storage encryption, and backup encryption are all enforced by default.
All data in transit protected by TLS 1.3. Certificate pinning enforced in all mobile SDKs. HSTS headers with 2-year max-age on all web endpoints.
Card numbers are never stored on NexaFin servers post-transaction. All card data immediately tokenised using PCI-DSS compliant vault. Network tokens issued from Visa and Mastercard directly.
Encryption keys managed via AWS KMS with Hardware Security Module (HSM) backing. Key rotation enforced annually. Master keys split across three independent key custodians.
Role-based access control throughout. All admin access requires multi-factor authentication and VPN. Privileged access management (PAM) with just-in-time access provisioning.
Comprehensive audit trail for all data access, modification, and deletion. Logs immutable and retained for 7 years. Real-time SIEM alerting on anomalous access patterns.
Fraud Shield is NexaFin's flagship AI fraud prevention system. Unlike rules-based systems that can be reverse-engineered and circumvented, Fraud Shield uses ensemble machine learning trained on 18 billion transactions across our entire customer network.
When fraud is detected on any transaction across our 3,800+ customer base, the signal is immediately incorporated into our models — protecting every customer from new attack patterns the moment they're identified. Fraud criminals can't test their techniques on small customers before scaling to larger ones.
Fraud Shield evaluates 850+ signals per transaction and returns a decision in under 50ms — fast enough to be invisible to your customers, accurate enough to reduce chargebacks by an average of 87%.
We believe in the security community as a partner in keeping NexaFin and our customers safe. Our public bug bounty programme rewards researchers who find and responsibly disclose security vulnerabilities in our systems.
Our programme is managed in partnership with HackerOne and has paid out over £2.8M in bounties since launch in 2021. We maintain a hall of fame for top contributors and take pride in our average 6-hour response time to disclosed vulnerabilities.
We commit to:
| Severity | CVSS Score | Bounty Range |
|---|---|---|
| Critical | 9.0 – 10.0 | £10,000 – £50,000 |
| High | 7.0 – 8.9 | £2,000 – £10,000 |
| Medium | 4.0 – 6.9 | £500 – £2,000 |
| Low | 0.1 – 3.9 | £100 – £500 |
| Informational | 0.0 | Recognition only |
api.nexafin.io, dashboard.nexafin.io, open-banking.nexafin.io, iOS/Android apps. Authentication, authorisation, payment processing, data access, PII exposure.