Data Lifecycle Management
Data Classification
Finastra uses a three-category enterprise data classification scheme to classify structured and unstructured corporate and product data. All stored, shared, transmitted, and processed data is classified as Restricted, Internal Use Only, or Public. Using these classification categories establishes the relative sensitivity of the data. The classification gives Finastra’s Legal, Information Security, Privacy, and Global Risk departments an accurate understanding of the sensitivity of the data. As a result, it allows these departments to meet contractual obligations, apply proper security controls, follow internal rules, and maintain regulatory compliance, while mitigating corporate and client risk.
Data Handling, Labeling, Security Policy
Every dataset that is ingested by the FusionFabric.cloud platform goes through the Data Product Regulatory Review process. Each dataset must be approved for ingestion to the platform and consumption by the end-users as part of this process. Any change in the dataset triggers an incremental data product regulatory review, as applicable.
The data ingestion and consumption pipelines use a secure (confidential and authentic) channel throughout the data flow, from the data source to the consumption point. This applies to both internal and external (connection established to/from outside Finastra) pipelines.
Each dataset is classified and tagged accordingly before it is made available to data engineers and data scientists. The datasets are protected as per the recommended data handling mechanism based on the data classification and the targeted use-case. The following are the approved data handling techniques for use within the FusionFabric.cloud platform: Minimization, Generalization, Substitution, Tokenization, Date and Number Variance, Hashing, and Encryption (including Zero-trust encryption). The implementation of each handling technique is reviewed and approved by the Product and Data Security team.
The requirements on data residency, logging, monitoring, retention, archival, purging and breach notifications are reviewed as part of Finastra’s data product regulatory review processes, facilitating the implementation of controls that follow the relevant regulations, contractual obligations, and our internal standards.
Data Inventory, Flows
If data migration is required, Financial Institutions need to provide consent to process and store their data in this region before their data is ingested to the FusionFabric.cloud data lake.
Currently, all data managed within the FusionFabric.cloud platform is stored within the United States.
Data Ownership, Stewardship
Finastra has implemented the following roles as part of its data governance processes:
+ Data Owner
+ Data Steward
+ Data Custodian
Data Owner
The Data Owner is the senior leader who is accountable for compliance with corporate policies, standards, regulations and contractual agreements pertaining to their respective business function, service or product. The individual is responsible for the safekeeping and access management of their dataset(s).
Data Steward
The Data Steward is a delegate appointed by the Data Owner as the data Subject Matter Expert. The Data Steward is responsible for the upkeep of data management, models and data quality through the execution of data governance practices that ensure compliance with corporate policies, standards, regulations and contractual agreements for their business function, service or product.
Data Custodian
The Data Custodian is responsible for overseeing the applications and IT services, ensuring that data-related infrastructure and activities remain intact and available to authorized data users. The role also sustains the processes, techniques and other resources needed to meet the identified business needs related to data under their custody or care.
Operational Resilience
Our ability to achieve operational resilience for our business and the FusionFabric.cloud platform is measured by continuous assessments that identify threats and their business impact. Collectively, our business continuity and disaster recovery strategies are developed to address events, such as natural disasters (earthquakes, hurricanes, pandemics, etc.) and man-made threats (political unrest, terrorism, etc.).
Data Supply Chain Management
Finastra performs due diligence at the outset, implements clear contractual commitments, and undertakes processes for the ongoing monitoring and periodic review of Third Party relationships with the suppliers of third party technology and services. Finastra then resells the third party technologies and services to its customers on FusionFabric.cloud.
Data Quality and Integrity
Finastra applies quality gates at the point of ingress for all data. Any datasets not meeting data integrity guidelines are expressly rejected.
Finastra applies security controls to manage consent and access for all datasets. Default-deny, data filtering/masking, role-based access, and audit logs help Finastra manage, provision, and monitor data access within our Platform.
Incident Reporting
Finastra has implemented an incident response standard that includes notification of necessary stakeholders during the incident response life cycle. This includes regular communication with executive leadership and the communications team. Customers are notified of incidents affecting them in accordance with agreed upon service level agreements.
Customers may report security incidents to Finastra using the Support Portal.
Third-Party Agreements (Data Contracts)
The Finastra Third Party Risk Management program applies company-wide, across all geographies, to all third parties and to employees engaged with Finastra third parties. A third-party relationship is any business arrangement between Finastra and another entity, by contract or otherwise. Third-party relationships include activities that involve outsourced products and services, use of outside consultants, networking arrangements, merchant payment processing services, and services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which Finastra has an ongoing third-party relationship or may have responsibility for the associated records.
Finastra develops and executes contracts that clearly define the expectations and responsibilities of potential suppliers, so that each contract is enforceable, limits the organization's liability, and limits disputes about performance. Contracts must specify Finastra’s ability to review the supplier's continuing compliance with the terms and expectations of their contracts, for example, the right to audit. When appropriate, contracts should have specific and measurable service level agreements delineated with appropriate penalties or other recourse for not performing to the agreed level. It is necessary that the Procurement process, as defined in the Procurement policy, be followed. It is the responsibility of Procurement and the Legal Department to confirm that the contract terms are delineated and enforceable.
All suppliers are required to follow the Finastra Third Party Conduct Policy, which can be found on the Partners Legal Policy Documents page.
This policy includes guidance on how to comply with Finastra’s Code of Conduct, Anti-bribery and Corruption, and Gifts and Entertainment requirements while working with Finastra, its Third Party suppliers, and customers. All third-party suppliers doing business with Finastra must comply with the relevant laws and regulations in the jurisdictions in which they operate.