Security & Privacy

Platform

Actuals is ISAE 3402 certified, and part of that certification is a set of security controls covering backups, secure data transport, extensive monitoring and more. Customer data is stored in completely separated environments with customer-specific credentials. Actuals also periodically performs security audits, including but not limited to penetration tests. The web interface is accessible only through HTTPS, and multifactor login mechanisms are encouraged. For specific security questions, feel free to reach out to support@actuals.io.

Integrations

Actuals uses 3 different methods for connecting to data sources:
  • (REST) API (Robo auditor) for receiving real-time transactional data
  • SFTP for receiving files sent periodically by customers
  • Source-specific integration when Actuals actively collects data from a source
The Actuals API uses the API key (a unique value per customer/user) as its means of authentication and requires HTTPS connections to guarantee security. This means the Actuals API can only be accessed over the secure HTTPS protocol, and all published API clients use HTTPS. End-to-end safety at the transport level is guaranteed by the HTTPS requirement, hence there is no need to encrypt the data itself again. HTTPS mitigates packet sniffing and timing and replay attacks. Thanks to HTTPS, data exchanged between Actuals and the external system is protected and guaranteed to be authentic. HTTPS implements hashed signatures, nonces and other tried-and-tested cryptographic safeguards, which can be implemented upon request. Man-in-the-middle attacks are prevented by strictly checking the HTTPS certificate.
For the SFTP connection, similar arguments hold when it comes to data encryption and security measures. The source-specific integrations described in the section Connect data sources typically have similar integration measures and/or use OAuth.
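The HTTPS-only rule and strict certificate checking described above have a client-side half: the integrating system must not downgrade to plain HTTP, must not switch off certificate verification, and must not leak the API key into URLs or redirects. The helper below is an added example written for this page, not an Actuals client; the `X-API-Key` header name and the `api.example.invalid` host are assumptions, not values from the Actuals API documentation.

```python
"""Thin Actuals-API-style client helper that enforces the HTTPS-only rule."""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

API_KEY_HEADER = "X-API-Key"  # assumed header name, not taken from Actuals' docs


def strict_ssl_context() -> ssl.SSLContext:
    """Verify the server's certificate chain and hostname; never relax this."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class HttpsOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Refuse redirects that would leave HTTPS (the key would go in the clear)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlparse(newurl).scheme != "https":
            raise urllib.error.HTTPError(newurl, code, "refusing redirect off HTTPS", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def endpoint_problem(url: str, api_key: str):
    """Return the reason a request must not be sent, or None when it is safe."""
    if not api_key:
        return "missing API key"
    if urlparse(url).scheme != "https":
        return "endpoint is not HTTPS"
    if api_key in url:
        return "API key must travel in a header, not in the URL (URLs get logged)"
    return None


def build_request(url: str, api_key: str) -> urllib.request.Request:
    """Build the authenticated request, refusing anything endpoint_problem flags."""
    problem = endpoint_problem(url, api_key)
    if problem:
        raise ValueError(problem)
    return urllib.request.Request(url, headers={API_KEY_HEADER: api_key, "Accept": "application/json"})


def fetch_transactions(url: str, api_key: str, timeout: float = 10) -> bytes:
    """Perform the call with certificate verification and HTTPS-only redirects."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=strict_ssl_context()), HttpsOnlyRedirectHandler())
    with opener.open(build_request(url, api_key), timeout=timeout) as resp:
        return resp.read()
```

A typical call is `fetch_transactions("https://api.example.invalid/v1/transactions", api_key)`; a mis-typed `http://` URL or a key pasted into the query string is rejected before any bytes leave the host.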

Sensitive information

When dealing with transaction data, Actuals typically recommends limiting the amount of personal data. For matching transactions, (unique) transaction ids are required without additional details on the customer (as long as the transaction id can be used to identify the transaction in the other sources). All data is stored encrypted in a secure environment. If desired, the Actuals platform can be deployed on-premises.