Security & Compliance

Institutional-Grade Security for Every Financial Data Pipeline

Q: How is data encrypted at rest and in transit?

All data stored in FyleHub is encrypted at rest using 256-bit AES encryption with keys managed in a hardware security module (HSM). All data in transit is encrypted with TLS 1.3. There is no mechanism for unencrypted data transfer within the FyleHub platform.

Q: How do audit trails work in FyleHub?

FyleHub maintains an immutable audit log of every operation performed on every data record — ingestion, transformation step, quality check, delivery, access via API, user login, permission change, and configuration edit. Audit logs cannot be modified or deleted and are retained for a minimum of seven years.

Q: How does FyleHub handle GDPR and data residency requirements?

FyleHub supports data residency configuration — clients can specify that their data remains within a specific geographic region (US, EU, or UK). For clients subject to GDPR, FyleHub acts as a data processor and provides the necessary data processing addendum (DPA).

AES-256 encrypted, zero breaches since founding. FyleHub protects the most sensitive financial data in the world.

Book a Demo View Security Details

AES-256 EncryptionZero Breaches99.9% Uptime

Security Architecture

Network Security

TLS 1.3IP WhitelistingDDoS Protection

Application Security

RBACMFAOAuth 2.0SSO

Data Security

AES-256SHA-256HSM Keys

Defense-in-depth: 3 layers, zero trust, every request verified

AES-256Encryption Standard

TLS 1.3Data in Transit

7-YearAudit Trail Retention

AnnualPenetration Testing

The Challenge

Financial Data Security Cannot Be an Afterthought

Most institutional data workflows were never designed with security as a requirement. FyleHub was.

Security Afterthought

✗Sensitive data sent over email and FTP with no encryption
✗No audit trail of who accessed what data and when
✗Compliance is a manual spreadsheet exercise before every audit
✗Credentials shared in plaintext over email and Slack

FyleHub Security

Data encrypted everywhere — AES-256 at rest, TLS 1.3 in transit
Immutable audit trail logging every access, change, and delivery
Enterprise-grade security with annual third-party audits
Zero-trust access controls with RBAC, MFA, and IP whitelisting

How It Works

Security Embedded in Every Layer

Encrypt

Data Encrypted at Every Stage

FyleHub enforces encryption at every stage of the data lifecycle. Data is encrypted with AES-256 when stored, TLS 1.3 when moving between systems, and re-encrypted before delivery to downstream consumers. Encryption keys are managed in a hardware security module (HSM) and never stored alongside the data they protect.

AES-256 encryption at rest with HSM key management
TLS 1.3 enforced for all connections — no fallback
Certificate pinning for high-security configurations

Encryption Flow

Raw Data Ingested

AES-256 at RestHSM-managed keys

TLS 1.3 in TransitNo downgrade allowed

Encrypted DeliveryEnd-to-end verified

Role-Based Permissions Matrix

Role	Read	Write	Delete	Export
Admin
Manager
Analyst
Auditor

Permissions enforced at API + UI layers

Control

Zero-Trust Access Controls

Define granular access policies by user role, data source, data type, and operation. Every request is authenticated and authorized — no implicit trust. MFA is required for all accounts. SSO integrates with your identity provider. IP whitelisting restricts access to approved networks.

Role-based access control with per-resource granularity
MFA required — TOTP, FIDO2/WebAuthn, SSO supported
IP whitelisting and session management

Audit

Immutable Audit Trail for Every Action

Every operation generates a tamper-proof log entry — data ingestion, transformation, delivery, API access, user login, permission change, and configuration edit. The log cannot be modified or deleted, even by FyleHub administrators. Retained for a minimum of seven years.

Immutable, append-only audit log architecture
7-year minimum retention for compliance
Queryable via API and dashboard — instant audit evidence

Audit Log

Immutable — 7yr Retention

TimeUserActionResourceIP

09:41:12j.chenREADpositions.csv10.0.4.12

09:41:08m.patelEXPORTbalances_q410.0.4.15

09:40:55systemINGESTtxn_2026022310.0.1.1

09:40:31a.wongLOGINdashboard10.0.4.22

09:40:12j.chenUPDATEconfig/sftp10.0.4.12

09:39:58systemDELIVERrpt_daily10.0.1.1

2,847,391 total entries · 0 deletions · 0 modifications

Security Capabilities

Enterprise Security. Every Detail Covered.

FyleHub's security controls are built into the architecture from the ground up. Every capability listed here is active by default — not an add-on, not an upgrade tier.

AES-256TLS 1.3RBACMFAIP WhitelistingAudit TrailPenetration TestedZero-Trust

Spec	Detail
Encryption	AES-256 at rest, TLS 1.3 in transit — always enforced
Encryption at Rest	AES-256 with HSM-managed keys
Encryption in Transit	TLS 1.3 enforced, no downgrade
Access Control	RBAC, MFA, SSO, IP Whitelisting
Audit Retention	Immutable, 7-year minimum retention
Pen Testing	Annual third-party penetration testing
Compliance	GDPR, SEC 17a-4, FINRA, ERISA, ISO 27001
Data Residency	US, EU, or UK — client-configurable

“Our information security team put FyleHub through a rigorous review before we approved the implementation — security documentation, penetration testing results, architecture review. FyleHub was the only vendor that passed our InfoSec checklist without exceptions.”

— Chief Information Security Officer, $22B Pension Fund

Zero

Security Breaches Since 2017

100%

InfoSec Reviews Passed

< 24 hrs

Vulnerability Patch SLA

Frequently Asked Questions

QHow is data encrypted at rest and in transit?

All data stored in FyleHub is encrypted at rest using 256-bit AES encryption with keys managed in a hardware security module (HSM). All data in transit — including API calls, SFTP connections, webhook deliveries, and database writes — is encrypted with TLS 1.3. There is no mechanism for unencrypted data transfer within the FyleHub platform.

QHow do audit trails work in FyleHub?

FyleHub maintains an immutable audit log of every operation performed on every data record — ingestion, transformation step, quality check, delivery, access via API, user login, permission change, and configuration edit. Each log entry records the operation type, actor (system or user), timestamp, source, destination, and outcome. Audit logs cannot be modified or deleted and are retained for a minimum of seven years.

QHow does FyleHub handle GDPR and data residency requirements?

FyleHub supports data residency configuration — clients can specify that their data remains within a specific geographic region (US, EU, or UK). For clients subject to GDPR, FyleHub acts as a data processor and provides the necessary data processing addendum (DPA). Our privacy and compliance team can advise on specific regulatory requirements during implementation.

Related Platform Features

Data AggregationAutomated ingestion Data TransformationNormalize and label data Data DistributionDeliver clean data API Integrations500+ connectors Real-Time FeedsBeyond T+1 batch PlatformFull overview

Enterprise Security

Request FyleHub Security Documentation

Walk through FyleHub's security architecture with our team. We will answer your specific security, compliance, and data governance questions in detail.

Book a Demo →View Security Details

No commitment required · NDA available