Last Updated March 14, 2023
13. Security And Privacy
We set out below the risks of using Brankas Direct and the relevant security measures applied.
Risks of using Brankas Direct
We outline the risks of your use of Brankas Direct, as well as provide a brief overview of how we address such risks:
- When You provide your log-in credentials, Brankas Direct may, in the absence of bank-managed APIs made available to the Company, automate Your log-in process through its use of robotic process automation (RPA) in connecting Your source bank account to the beneficiary bank account. Your credentials are safe since we employ data encryption to secure all communications between Your source bank account and our internal services across all Brankas systems. Likewise, we enforce a strict policy not to store Your Personal Data in our systems. If storing sensitive end-user information is required by our Client to enable a certain function, Brankas hashes (using SHA256 with salts) the information to enable the functionality and only caches the information until the relevant process is completed. Further, we mask sensitive data on both persistence and presentation layers.
- Brankas provides a system that can be used by our Partner, in completing its transaction with You, to receive and forward funds transfer transactions from your source bank account to the destination bank account registered by our Client. In this regard, if there are problems in the process of transferring funds that are not within the control of Brankas but are on the side of the bank, then such problems are to be addressed by the bank. This is because all of the transactions You conduct using Brankas Direct remain between the bank and You, and we do not have access to your bank account or the bank’s internal systems. For instance, the bank is in control in the event of a pending fund transfer transaction, whether because the funds in your source bank account are insufficient or because the bank system is under maintenance. If the fund transfer transaction is pending due to Brankas’ internal systems or operations, the transaction cannot be executed and the funds will not be deducted from your source bank account.
- You are obliged to ensure the security of your source bank account from unwanted factors, including but not limited to access by unauthorized parties. Brankas is not responsible in the event of a hack on your source bank account not connected to the transaction unless it is legally proved to be caused by Brankas. Brankas always implements the necessary steps to maintain the security of Brankas Services and Systems.
- Brankas can take actions required on the accounts and/or transactions, including but not limited to reviewing, blocking, and rejecting, in accordance with applicable laws and regulations.
- If the bank identifies a transaction as a high-risk or suspicious transaction, the bank and/or Brankas will take the necessary actions in accordance with the applicable legislation, particularly the provisions on Anti-Money Laundering and Counter-Terrorism Financing (AML and CFT).
Security Measures Applied to Brankas Direct
Apart from the ways by which we manage the risks for your use of Brankas Direct, we also implement the following security measures to ensure your safety and protection:
HTTPS / TLS
All unencrypted connections from third parties are rejected by Brankas. All external connections to our internal systems are encrypted and authenticated using TLS 1.2, ECDHE_RSA with X25519, and AES_256_GCM.
Our product development processes always pay attention to our code quality and the security of our product. In the same way, our external-facing services built for Clients have full support for authentication with strong password requirements, audit logging, and role-based access control. Our entire product delivery process and its security aspects are continuously implemented and reviewed to ensure that Clients and End-Users can trust using our Services.
All external-facing Brankas Services enforce Client authentication and authorization processes as part of our API specifications. Clients need to properly include their Brankas assigned authorization credentials as part of their request so that Brankas can ensure the authenticity of the caller for every transaction.
Containerization refers to the packaging of software code with just the operating system (OS) libraries and dependencies required to run the code to create a single lightweight executable—called a container—that runs consistently on any infrastructure.
Containerization provides not only operational benefits but also leads to improved security. Containerization offers a smaller surface to protect, and a service can be more easily isolated if it is compromised.
Brankas servers are containerized and deployed to Google Cloud Platform (GCP). Your sensitive information, such as OAuth2 tokens, is likewise encrypted using AES256-GCM and stored in GCP’s encrypted database.
No User-identifiable Logging & Storing policy
Once Your sensitive information is received, such as Your log-in credentials or bank account details, Brankas enforces a strict policy not to store them in our systems. If storing sensitive information is required to enable a certain function (such as the detection of concurrent logins to a bank’s online banking system), Brankas hashes (using SHA256 with salts) Your information to enable the functionality and only caches Your information until the relevant process is completed.
If sensitive information needs to be shown to You, such as bank account numbers, these are masked both on persistence and presentation layers.
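The cache-until-complete pattern described above, as an added illustration in Python (not Brankas code): a credential is reduced to a salted SHA256 fingerprint that is used only to detect a concurrent login, is dropped as soon as the process completes (or a TTL expires), and account numbers are masked before display. The per-client salt, the TTL and the process ids are assumptions; note that the salt must be fixed per client, because a fresh random salt per record would make fingerprints incomparable and defeat concurrent-login detection.

```python
import hashlib
import time
from typing import Dict, Optional, Tuple

# Constructed per-client secret salt (an assumption, not a Brankas value). It is deliberately
# the same for every login of one client: detection works by comparing fingerprints.
CLIENT_SALT = b"constructed-per-client-secret-salt"


def fingerprint(credential: str, salt: bytes = CLIENT_SALT) -> str:
    """Salted SHA-256 of a credential; only this value is ever kept, never the plaintext."""
    return hashlib.sha256(salt + credential.encode("utf-8")).hexdigest()


def mask_account(number: str, visible: int = 4) -> str:
    """Presentation-layer masking: reveal only the last `visible` digits."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * max(len(digits) - visible, 0) + digits[-visible:]


class LoginCache:
    """Holds fingerprints only, each tagged with the process that registered it and an
    expiry so the entry disappears even if that process never reports completion."""

    def __init__(self, ttl_seconds: float = 300.0, clock=time.monotonic) -> None:
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so the behaviour can be tested deterministically
        self._entries: Dict[str, Tuple[str, float]] = {}  # fp -> (process_id, expires_at)

    def _purge(self) -> None:
        now = self._clock()
        for fp in [k for k, (_, exp) in self._entries.items() if exp <= now]:
            del self._entries[fp]

    def begin_login(self, credential: str, process_id: str) -> Optional[str]:
        """Register a login attempt. Returns the id of another process already holding the
        same credential (a concurrent login), or None if this attempt is the only one."""
        self._purge()
        fp = fingerprint(credential)
        held = self._entries.get(fp)
        if held is not None and held[0] != process_id:
            return held[0]
        self._entries[fp] = (process_id, self._clock() + self._ttl)
        return None

    def complete(self, credential: str) -> None:
        """Drop the fingerprint as soon as the relevant process has finished."""
        self._entries.pop(fingerprint(credential), None)
```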
Secure End-User Authentication and Authorization Environment
Brankas applies cutting-edge technology to ensure that no one else, including the Partners via which You access the Brankas service, is able to view your banking information, including payment-related data.
This technology includes the following security features:
- Direct to Bank Integrations
Brankas Tap facilitates Your interactions between Your selected source bank account and the digital services of Your choice. Brankas Tap prevents any intervention from third parties by avoiding any touchpoints for potential data compromise or abuse.
- CSRF Tokens
Brankas Tap employs CSRF tokens to ensure that third parties cannot insert themselves into the Brankas Direct authentication and authorization flow, protecting the direct data exchange between You and Your bank.
- Secure Session Cookies
Brankas Tap additionally uses session cookies to ensure the uniqueness of Your access, securing the session against potential attacks such as session hijacking.
- Scoped Permissions
All access to Brankas services is scoped, limiting access to Your bank account and digital banking services to the approved scopes assigned to third-party applications, ensuring that only the data and operations required by Your approved processes are accessed and used by Brankas services.