SDK.finance confirms that its core financial platform is built to support full GDPR compliance out of the box.
This document summarises the privacy and security controls available within the SDK.finance platform to support compliance with the General Data Protection Regulation (GDPR) for businesses building payment solutions, digital wallets, or lending products on top of SDK.finance.
While each customer remains responsible for configuring the platform in line with their own legal and operational requirements, SDK.finance provides a strong foundation of technical and organisational measures that enable lawful, transparent, and secure processing of personal data.
Commitment to Data Protection
SDK.finance is built with privacy and security as core design principles. The platform incorporates controls that help ensure personal data is processed in a manner consistent with GDPR expectations, from initial collection through to storage, access, reporting, and deletion.
Key GDPR‑Supporting Controls
- Governance & Accountability
  - Documentation and transparency measures support customer ROPA and DPIA activities.
  - Incident‑response and breach‑notification procedures are established and tested.
  - Codebase documentation and data‑flow information are maintained and kept up to date.
- Data Minimisation & Purpose Limitation
  - Optional data fields can be disabled or limited to reduce unnecessary data collection.
  - Sensitive data is masked or removed from analytics and reporting functions.
  - Test and sandbox environments contain no real personal data.
  - Logical separation of customer environments prevents cross‑tenant exposure.
  - Pseudonymisation options support analysis and testing without using identifiable data.
- Data Subject Rights Enablement
  - Personal data can be searched and retrieved efficiently to support DSAR responses.
  - Data can be exported in structured, machine‑readable formats (performed manually).
  - Authorised users can rectify or update data where appropriate.
  - Secure erasure is supported when legally permissible. Each customer defines its own retention periods and related policies.
  - Deletion or anonymisation routines are executed according to customer configuration.
  - Logs are available to demonstrate DSAR handling and timelines.
- Access Control & Identity Management
  - Role‑based access control (RBAC) is implemented with granular, configurable permissions.
  - Multi‑factor authentication (MFA) is supported.
  - Session‑management controls (timeouts, device limits) are in place.
  - All privileged and administrative actions are logged and monitored.
  - Access logs are tamper‑resistant and retained in line with defined policies.
- Security of Processing
  - Encryption in transit (TLS 1.2+) is enforced by default.
  - Encryption at rest is applied to stored data.
  - Encryption keys are securely managed and rotated.
  - APIs are protected through authentication, rate limiting, and monitoring.
  - Secure coding practices align with OWASP, with automated checks integrated into CI/CD.
  - Regular penetration tests are performed.
- Logging, Monitoring & Auditability
  - All access and data‑processing events are logged for security and audit purposes.
  - Logs are protected from tampering and retained for a defined period.
  - Monitoring tools detect suspicious activity and support incident‑response processes.
- Privacy by Design & Default
  - Default configurations prioritise the most privacy‑protective settings.
  - Sensitive data is encrypted or masked, supporting pseudonymisation and minimisation.
  - Data is isolated per tenant, with each customer operating its own database.
  - Architectural diagrams and data‑flow diagram documentation are available.
  - All changes are documented and version‑controlled.
