Security and Privacy at BridgeFT

Security is job-zero at BridgeFT: it’s a core function of everything we do from data ingestion to delivery.

Our approach to security is built on the following foundational principles:

1. Least privilege: access is restricted to individuals and systems that require it and no more. We use a combination of regular reviews and automated tooling to constantly remove unnecessary access.

2. Defense in depth: a combination of network controls, firewalls, security groups and encryption standards are utilized to stop hijacking or intrusion attempts early.

3. Consistent treatment: no application or process is exempted from security standards. Security controls are applied consistently across the enterprise.

4. Iterative implementation: security and governance require ongoing review, increased posturing and maturation of the effectiveness, auditability and durability of our systems.

Data Protection

We protect and encrypt data at rest, in transit and use cloud-native secrets management to protect application configuration and other sensitive secrets.

Financial Data API

Data at rest

All our datastores use AES-256 bit encryption to protect content. Sensitive records containing potentially personally identifiable information (PII) are masked and tokenized. This means our data is encrypted before being stored so that neither physical or logical access to any storage layer is enough to obtain plain-text sensitive information.

Icon_cloud native_orange

Data in transit

BridgeFT strictly uses TLS 1.2 or higher everywhere data is transmitted. All client-facing API connections are required to use TLS 1.3. We include HTTP Strict Security Transport Security headers in our API responses to maximize the security of data in transit. All our server-side TLS keys and certificates are managed by AWS Certificate Manager and deployed to Application Load Balancers on AWS.

Icon_Multi-custodial connect_orange

Secret management

Encryption keys are managed by AWS Key Management System (KMS), which stores encryption keys in Hardware Security Modules to prevent direct access by individuals (including employees of both Amazon and BridgeFT). Application secrets are stored in AWS Secrets Manager and Parameter Store with strictly limited access.

Product Security

We conduct vulnerability scanning and automated intrusion detection scans on a quarterly basis. Vulnerability scanning is required at the key stages of our Secure/Software Development Lifecycle (SDLC):


  • Static analysis of code during pull requests
  • Software composition analysis to identify known vulnerabilities in our software supply chain
  • Malicious dependency scanning to identify and correct known vulnerabilities
  • Network vulnerability scanning
  • External attack surface management to discover and protect new external facing assets

Enterprise Security

Corporate devices and laptops are centrally managed and equipped with anti-malware protection. We use MDM software to enforce secure configuration, such as disk encryption, screen lock and require automated software updates.

We use an AWS-backed VPN client, required to gain access to all cloud environments.

All Bridge employees are required to undergo security awareness training and review and agree to all our policies annually. Our security operations team regularly shares threat briefings with employees to inform the company of potential risks and safety-related updates that require attention or action.

Bridge uses AWS IAM (Identity and Access Management) to provision access to cloud systems and BI tools. We centralize and mandate password management and two-factor authentication to all our IT systems.


Employees are granted access through reviewed tickets and based on the employee’s role.

All vendors are evaluated at the point of adoption and annually, measured in terms of risk based on the following factors:


  • Access to customer and/or corporate data
  • Integration or proximity to production environments
  • Potential damage to Bridge and/or our clients


Decisions around vendors are made only after completion of a risk evaluation.


Data is a first-class priority at Bridge. We strive to be trustworthy stewards of all sensitive data. We maintain a strict privacy policy and are always evaluating regulatory and emerging frameworks to continuously evolve our program.