Francis Lepine is Flinks' Data Protection Officer. He speaks fluent data privacy, system security, entrepreneur, and auditor — so he explains what we are doing, and why, in plain English.

Security at Flinks FAQs: Everything You’ve Ever Wanted to Know

By Francis Lepine on December 23rd, 2019

An ever-growing number of banks, fintechs, and other financial service providers trust Flinks to aggregate and enrich financial data for them. Because, like us, they care about their customers, it’s only natural they make sure we handle data the right way.

Whenever they have questions, we provide straight answers. And since we’re not shy, we thought we’d share them with you too.

Governance

You deal with sensitive information. How do you make sure it doesn’t get compromised? (In other words, how well do you sleep at night?)

At Flinks, we firmly believe that having the best security practices today doesn’t amount to much if they don’t evolve continuously, as new threats emerge.

Exhibit A: the Great Wall of China. Incredible line of defense… against horse-riding invaders.

Effective security starts with effective governance.

Our Security and Privacy Committee brings together all the key stakeholders at Flinks to make sure security governance is a continuous process — not an event. They routinely meet to:

  • assess risks and vulnerabilities
  • implement appropriate controls
  • perform internal audits to make sure they are effective

They probably have tea and biscuits, too.


As an example, here’s a version of the Vulnerability Discovery Strategy that the committee has implemented. It has two main components:

  • Flinks scans. Flinks’ SecOps team leverages industry-leading tools to perform automated and manual vulnerability scans.
  • Third-party scans. On a regular basis, Flinks mandates a third-party vendor to conduct penetration testing against Flinks’ hosted services and APIs.

If a vulnerability is discovered, it is evaluated and treated following our Vulnerability Management Plan. Impacts, risks, and actions are documented for future reference.

With this structure in place, everyone at Flinks — except maybe our 24/7 response team — sleeps like a baby. Thanks for asking.

Does Flinks have a documented Information Security Program in place?

We sure do!

The Security and Privacy Committee that we mentioned just above maintains a formal Information Security Program. Plus, everything we do falls under the watchful eyes of independent auditors.

Our latest SOC 2 Type II audit report is stellar.

If you have any questions or would like to request a copy, please contact our security experts.

Our security strategies and documents are inspired by ISO 27001 for the ISMS, NIST for control selection and ISO 21827 for the maturity model.

We constantly review the program to make sure that security measures adapt to changes and stay effective and efficient. You might say we’re in this for the long run!

Data Management

What do you have in place to protect end users’ sensitive information?

End users’ information is the most confidential and critical data we handle.

When it comes to protecting it, we enforce industry-leading security and isolation measures.

  • Isolation. Every one of our clients has its own private instance and secure database. We use token-based authorization and other measures to make sure all client communication with the Flinks API is legitimate.
  • Security. Data is encrypted in transit and at rest using the latest algorithms, such as AES-256. End users are assigned unique encryption keys, which are on regular and automatic rotation.

Let’s look at this from a broader perspective: Flinks’ entire security program, policies and procedures are built to ensure that end users’ information stays within its dedicated secure environment. Period.

We routinely subject our security systems, practices and procedures to internal and external audits to make sure they remain effective. For instance, Flinks partners with a renowned trust provider that conducts an annual SOC 2 Type II audit on various controls.

Security

Do Flinks employees have access to end users’ information? (And how do you make sure they don’t?)

No employee, or third-party vendor for that matter, can access your end users’ information in any meaningful way — even when there is a legitimate purpose.

Here’s how we enforce it:

  • Encryption in transit and at rest. We make sure all sensitive information is not human-readable. It’s a fancy way to say we encrypt everything that lands on our servers. So even if someone could access it, all they would see is nonsensical characters, not the actual data that exists there.

    If that sounds like data security 101, trust your instincts. But even in 2019, big tech businesses sometimes store sensitive data in plain text. So, yes, we sweat the small stuff. It builds a strong foundation.

  • Segregation of duties and least privilege. Those are the organizing principles we use to control data access. Let’s start with least privilege access. The work of most Flinks employees is many degrees removed from actual end user information. As a result, they don’t need to be granted any access, direct or indirect, to the data.

    A select few employees need to work closer to end user data. They are granted the absolute minimum level of access they need to perform their duties. And this is where segregation of duties takes place: we split their tasks into parts that are assigned to different people, making sure no one is solely in control.

Compliance & legal

What are the oversights for what you do, at the federal or provincial levels?

Despite a lack of specific regulatory frameworks over financial data sharing, financial data aggregators have existed for almost a generation now. Taking a look at some of their websites, you can really tell. More to the point: what we do is hardly a new or fringe phenomenon.

In the US and Canada, there is no open banking framework. But that doesn’t mean there’s a complete lack of regulation over what we do.

While we’re waiting for open banking to specifically regulate the sharing of financial data, Flinks operates under and is compliant with the relevant applicable privacy laws. This includes PIPEDA, Canada’s federal privacy and data protection law.

And not only do we closely monitor the legislative and regulatory landscape in this respect; we’re also involved in its remodelling. Flinks was an active participant in the government consultation on the merits of open banking, and follows the various other government initiatives that are currently shaping our future open banking regime. Flinks is a member of FDATA North America, and our CEO sits on the Technological Innovation Advisory Committee of the AMF — Québec’s securities regulators — and on the Standards Council of Canada’s Financial Services Technical Committee.

Consumers share their banking information through Flinks. Are they allowed to do this?

Nothing prevents an individual from sharing their bank account information. Think about it: you have probably been required on a number of occasions by service providers to share a bank statement with them in order to access their service. You can think of Flinks as simply the automated, digital (and secure!) way of doing so. Furthermore, banks themselves are collecting their clients’ information from accounts they hold at other institutions.

Sharing bank and financial information has been a common thing to ask consumers for years. All sorts of institutions and businesses rely on void checks, bank statements and tax returns to operate and deliver services. Too often, such sensitive information is shared through email — and we’ve heard of even less secure means of communication being used.

Flinks’ model is based on the consent of end users and provides a highly secure digital channel to share financial information.

Ask us anything

You take security very seriously. We do, too.

If there’s anything you want to discuss, we’d love to hear from you.

Simply contact our security experts.
