Trust, Security & Privacy

Trust, security, and privacy are fundamental to everything we do at Sernova.

Trust Centre

The Sernova Trust Centre provides a secure repository of key documents for clients and prospects. Access compliance certificates, security controls, and FAQs, ensuring you have the information you need.

Governance

Sernova’s Security and Privacy team establishes and enforces rigorous security policies and controls. We continuously monitor compliance and undergo regular third-party audits to validate our security framework.

Our policies are founded on these core principles:

Access is restricted to individuals with a legitimate business need, adhering to the principle of least privilege.

Sernova implements layered security controls according to the principle of defence-in-depth.

We apply security controls consistently across the enterprise.

Sernova implements controls iteratively, continuously improving their effectiveness, auditability, and efficiency.

Security and Compliance

Sernova maintains SOC 1 Type II and SOC 2 Type II attestations and is ISO 27001 certified. Our SOC 1 and SOC 2 Type II reports and ISO 27001 certificate are available in the Trust Centre.

Data Protection

Data at Rest

Sernova encrypts all datastores containing customer data, including storage accounts, at rest. Sensitive collections and tables are further protected with row-level encryption performed by the application, so the data is already ciphertext before it reaches the database. Storage-level encryption protects against loss of the underlying media; the application-level layer additionally means that someone with physical or logical access to the database alone, but not to the keys, sees only ciphertext.
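The row-level layer described above, as an added illustration (not Sernova's code): each sensitive field is sealed with AES-256-GCM before it is handed to the datastore, with the row identifier bound in as additional authenticated data so that a ciphertext copied from one row into another no longer authenticates. The in-memory `table`, the `Row` type, the field names and the random data key are constructed for this example; in a production deployment the key would be unwrapped from a key-management service rather than generated in the process.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Row is one record of a sensitive table (constructed for this example).
// Name stays in the clear so the database can still index and query it;
// SSN is stored only as ciphertext.
type Row struct {
	ID   int
	Name string
	SSN  []byte // nonce || AES-GCM ciphertext || tag
}

// table stands in for the datastore. Whoever can read it directly (a DBA,
// a stolen backup, a SQL injection) sees only what is stored here.
type table map[int]Row

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// rowAAD binds a ciphertext to the row it belongs to: a value moved to
// another row fails authentication on decrypt.
func rowAAD(id int) []byte { return []byte(fmt.Sprintf("row:%d", id)) }

// encryptField seals a sensitive value under a fresh random nonce before
// the row is written.
func encryptField(key []byte, id int, plaintext string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), rowAAD(id)), nil
}

// decryptField opens a value read back from storage, verifying both the
// authentication tag and the row binding.
func decryptField(key []byte, id int, stored []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(stored) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, body := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, body, rowAAD(id))
	if err != nil {
		return "", err // wrong key, tampered bytes, or ciphertext moved between rows
	}
	return string(pt), nil
}

// Insert encrypts the sensitive field and only then stores the row.
func Insert(t table, key []byte, id int, name, ssn string) error {
	ct, err := encryptField(key, id, ssn)
	if err != nil {
		return err
	}
	t[id] = Row{ID: id, Name: name, SSN: ct}
	return nil
}

// Lookup reads a row and decrypts the sensitive field for an authorised caller.
func Lookup(t table, key []byte, id int) (string, error) {
	row, ok := t[id]
	if !ok {
		return "", errors.New("no such row")
	}
	return decryptField(key, id, row.SSN)
}

// StorageContains is the attacker's view: does the raw stored data contain
// the plaintext anywhere?
func StorageContains(t table, needle string) bool {
	for _, row := range t {
		if bytes.Contains(row.SSN, []byte(needle)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // stand-in for a data key unwrapped from a key vault
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tbl := table{}
	_ = Insert(tbl, key, 1, "Alice", "123-45-6789")
	ssn, _ := Lookup(tbl, key, 1)
	fmt.Println("application sees:", ssn)
	fmt.Println("raw storage contains plaintext:", StorageContains(tbl, "123-45-6789"))
}
```

Note that the database can no longer index or search the encrypted column; fields that must remain queryable are left in the clear or given a separate keyed-hash index.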

Data in Transit

Our security policies mandate TLS 1.2 or higher for all data transmitted over potentially insecure networks; older protocol versions are not negotiated. We further harden data in transit with features such as HTTP Strict Transport Security (HSTS), which instructs browsers to refuse plaintext connections to our domains. Server TLS keys and certificates are managed by Azure and deployed at the Azure load-balancing layer that terminates TLS.
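What the two controls above look like at the edge, as an added example that is not Sernova's configuration: a test HTTPS server that sets `MinVersion` to TLS 1.2 and attaches an HSTS header to every response, and a probe that shows a TLS 1.0/1.1-only client being refused while a TLS 1.2 client succeeds. The server, handler and HSTS value (two years, subdomains included) are assumptions for the example; the check runs entirely against an in-process `httptest` server.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hstsValue is an example policy: two years, applied to subdomains too.
const hstsValue = "max-age=63072000; includeSubDomains"

// hsts wraps a handler so every HTTPS response carries the HSTS header.
func hsts(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// newServer starts an in-process HTTPS server that refuses anything below TLS 1.2.
func newServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(hsts(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// probe connects with the given client-side version bounds (0 means Go's
// default) and returns the negotiated TLS version and the HSTS header, or
// the handshake error. A fresh transport is used per probe so an idle
// keep-alive connection from an earlier call cannot be reused.
func probe(srv *httptest.Server, minV, maxV uint16) (uint16, string, error) {
	base := srv.Client().Transport.(*http.Transport)
	cfg := base.TLSClientConfig.Clone() // trusts the test server's certificate
	cfg.MinVersion, cfg.MaxVersion = minV, maxV
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	defer client.CloseIdleConnections()

	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.TLS.Version, resp.Header.Get("Strict-Transport-Security"), nil
}

func main() {
	srv := newServer()
	defer srv.Close()

	// A legacy client that can only speak TLS 1.0/1.1 is rejected at the handshake.
	if _, _, err := probe(srv, tls.VersionTLS10, tls.VersionTLS11); err != nil {
		fmt.Println("TLS 1.1 client refused:", err)
	}
	// A TLS 1.2 client connects and receives the HSTS policy.
	ver, h, err := probe(srv, tls.VersionTLS12, tls.VersionTLS12)
	fmt.Printf("TLS 1.2 client: version=%#x hsts=%q err=%v\n", ver, h, err)
}
```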

Secret Management

Sernova manages encryption keys using Azure Key Vault. Key material is held in Hardware Security Modules (HSMs) and is not exportable, so no individual, including Microsoft and Sernova employees, can read it directly. Encryption and decryption operations with these HSM-protected keys are performed through the Azure Key Vault APIs, and the key never leaves the HSM.

Application secrets are encrypted and securely stored in Key Vaults with strictly limited access.

Product Security

Vulnerability Scanning

Sernova requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):

  • Static application security testing (SAST) of code during pull requests and on an ongoing basis;
  • Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain;
  • Malicious dependency scanning to prevent the introduction of malware into our software supply chain;
  • Dynamic analysis (DAST) of running applications;
  • Network vulnerability scanning on a periodic basis;
  • External attack surface management (EASM) continuously running to discover new external-facing assets.

Penetration Testing

We commission an independent penetration testing firm at least annually. Penetration testing reports are available upon request.

Enterprise Security

Endpoint Protection

Sernova centrally manages all corporate devices, equipping them with mobile device management (MDM) software and anti-malware protection. Endpoint security alerts are monitored 24/7/365. MDM software enforces secure endpoint configurations, including disk encryption, screen lock settings, and software updates.

Identity and Access Management

We use Azure AD (now Microsoft Entra ID) to secure our identity and access management. We enforce multi-factor authentication and modern authentication methods.

Employees are granted access to applications based on their role and are automatically deprovisioned when their employment ends. Any access beyond the role baseline requires approval under the policy defined for each application.

Secure Remote Access

Sernova secures remote access to internal resources using Azure Virtual Desktop, a modern platform built on Azure. We also use malware-blocking DNS servers to protect employees and their endpoints while browsing the internet.

Vendor Security

We employ a risk-based approach to vendor security. Factors influencing a vendor's inherent risk rating include:

  • Access to customer and corporate data;
  • Integration with production environments;
  • Potential damage to the Sernova brand.

Once the inherent risk rating is determined, we evaluate the vendor’s security to determine a residual risk rating and an approval decision.

Security Education

Sernova provides comprehensive security training to all employees upon onboarding and annually. All new employees also attend a mandatory live onboarding session focused on key security principles. New engineers attend an additional mandatory session on secure coding principles and practices.

Our security team shares regular threat briefings with employees, highlighting important security and safety-related updates that require attention or action.

Data Privacy & Responsible Disclosure

Data privacy and responsible disclosure are top priorities at Sernova. We are committed to being trustworthy stewards of all sensitive data.

Regulatory Compliance

We continuously evaluate updates to regulatory and emerging frameworks to evolve our security program.

Responsible Disclosure

To report a security concern, please visit our Responsible Disclosure page.

Sernova Financial is the future of your post-trade requirements:

Specialise. Scale. Streamline.