Salt Edge Security


An ever-expanding number of leading FinTech companies, banks, and other financial institutions trust Salt Edge to deliver Open Banking data aggregation API, Open Banking payment initiation API, PSD2 compliance solutions, and white-label products. The trust is the result of a constantly evolving information security management system, which includes internal policies, regular audits, comprehensive instructions and valuable documentation on “why” and “how” the information assets are being protected.

Salt Edge is a leading global Open Banking solution provider that has a proactive approach towards information security. The company is ISO 27001 certified in scope of “developing, managing, and providing financial IT services”, as well as PCI DSS compliant, which represents a guarantee of high-security requirements and standards.

Credentials Transfer and Storage

Salt Edge uses multiple encryption layers as well as tokenization technology to protect the most valuable data in our possession. The entire communication is done via TLS encrypted channels. The credentials are encrypted at least twice and they can be accessed only with one-time tokens. That means that if there is a breach in transmission, or if the public-facing Salt Edge API Gateway servers are compromised, the attackers will not be able to read the credentials.

  1. End-customer shares Credentials with Salt Edge API Gateway via a secure TLS channel
  2. Salt Edge API Gateway encrypts the Credentials with a public key, using RSA and AES 256 bit, and then sends them to the Credential Storage
  3. Credentials Storage encrypts the credentials once more and creates a unique, one-time Token
  4. Credential Storage sends the Token to the Salt Edge API Gateway
  5. Salt Edge API Gateway starts fetching of the data or the payment initiation
  6. Salt Edge Processing Servers read the encrypted Credentials using the one-time Token
  7. Salt Edge Processing Servers decrypt the Credentials using the private key
  8. Salt Edge Processing Servers perform the action (fetch data or initiate payments) using the Credentials
  • - All communication between parties is done via secure TLS channels
  • - Token - a randomly-generated string that can be used to access encrypted details only once

Infrastructure Security

Salt Edge uses multiple defensive layers in order to protect end-customer data. Access to the company systems requires multi-factor authentication. The databases are both physically and logically protected from general employee access. All employees sign a non-disclosure agreement and go through a background and criminal records check before starting to operate. Once a new staff member is hired, he/she goes through a rigorous educational program about security and privacy of data. All company visitors are escorted by authorized personnel.

Salt Edge is regularly performing internal and external penetration tests in order to identify all the risks related to its network, services security, processes around the networks and applications. In order to ensure information system uptime, data integrity and availability, and business continuity, Salt Edge has implemented a Business Continuity/Disaster Recovery Plan.


Salt Edge serves hundreds of thousands of end-customers on a daily basis. Therefore, one of the company's top priorities is to ensure a consistent and fluid user experience. The company’s engineers take a data-driven approach to performance, by collecting a wide range of metrics from logs. Performance enhancement is a never-ending process. Salt Edge ensures a 99th percentile HTTP response time of 250ms for all its public endpoints.


The DevOps team is extensively monitoring the company’s systems and services to ensure that all products have stellar availability and performance. Besides the automated and data-driven tools for monitoring, there is also a 24/7 incident reporting channel available to clients, which can be used to notify Salt Edge for immediate action.

General Data Protection Regulation (GDPR)

Salt Edge handles personal data of end-customers located worldwide, including individuals residing within the EU. Therefore, the company’s standards of data processing put the utmost efforts to ensure compliance with GDPR. This is the most impactful change in data privacy regulation for the past 20 years. GDPR is a regulation issued by the European Commission, the European Parliament, and the Council of Ministers of the European Union, with the goal to improve the protection of personal data within the European Union. Being compliant with the GDPR means that the security and privacy of the provided services are always at the forefront of Salt Edge’s business.

Revised Payment Services Directive (PSD2)

Salt Edge is part of the global financial technology industry. An important part of the company’s clients are based and activate in the European Union. With January 13th, 2018 being the implementation date of the Revised Payment Services Directive (PSD2), Salt Edge is preparing to become a registered AISP (Account Information Service Provider). Being compliant with AISP requirements under PSD2 means that Salt Edge has to maintain a high security and privacy level with respect to its services, servers, data centers, networks, employees, policies and business processes.

ISO/IEC 27001:2013

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. Being ISO 27001 certified in scope of “developing, managing, and providing financial IT services”, Salt Edge demonstrates that its services meet the expectations of their customers and that the data is handled in accordance with the highest international security requirements and standards.


Salt Edge’s Security, Privacy, and Performance Paper


Request a Demo

Get a first-hand experience with our global leading software to see the full range of opportunities that are unlocked for you and your company

Please complete this mandatory field
Please complete this mandatory field
Invalid email.
Please select an option from the dropdown
Please complete this mandatory field
Please select an option from the dropdown
Please complete this mandatory field

Which product are you interested in?