One of the central challenges companies face when it comes to privacy and compliance is balancing the protection of sensitive data with the utility of that data. You can lock the data down and throw away the key, but that’s not very useful. On the other extreme, you can replicate plaintext sensitive data throughout your systems and services, maximizing utility but significantly hurting your security posture and increasing your compliance scope.
Data is the lifeblood of modern businesses, essential to everything from marketing and sales to security and product design. This puts a huge burden on the people and technologies that control data access, especially access to sensitive customer data like names and dates of birth. In this post, we’ll discuss the advantages and limitations of role based and attribute based approaches to access control, and explore Skyflow’s policy based approach to access control.
Businesses run on data, but managing and transferring data is becoming more complex as governments across the world define data residency requirements that restrict where sensitive PII, as defined by those governments, is stored and processed.
Before you start planning to manage tokens or encryption keys, it’s important to understand the key differences between tokenization and encryption. This post provides an overview of these techniques, and some guidelines on when to use each.
Most traditional tokenization systems fail to account for input data types during token generation, severely limiting support for analytics. Also, the lack of context around sensitive data inputs prevents most tokenization systems from securely managing the detokenization process. Skyflow brings tokenization, encryption, and policy-based governance together to address the limitations of traditional tokenization.
Who should have access to certain sensitive data often depends on dynamic contextual information: A teacher should only be able to access their student’s records and only for the duration that the student has classes with them; a doctor, only their patient’s; or in the simplest case, a user should only have access to their own data. Access control should be dynamic: based on conditional rules encapsulated during API authorization, and enforced based on zero trust principles.
Innovative and savvy companies use multiple payment gateways from multiple payment service providers (PSPs) to improve their user experience, reduce costs, and expand into new markets. In this article, you’ll learn why you shouldn’t rely on a single payment vendor. And more importantly, you’ll learn how to easily support different payment vendors so you can enjoy total flexibility without burdensome complexity.
If you process card-based payments, you know that not every transaction is approved on the first try, and that it helps to cache CVV numbers so you can retry transactions when needed. But PCI DSS forbids storing CVVs. Skyflow’s transient field tokens provide a way to hold CVVs and other types of sensitive data for immediate use, while ensuring that it’s not retained.
Privacy-aware analytics is a challenge for many companies. Sensitive customer data tends to find its way into our analytics pipelines, ending up in our data warehouses and metrics dashboards. In this post, we show through specific use cases how you can reduce compliance scope and improve your privacy posture while still computing analytics important to your business.
If you’re a privacy professional, or you pay attention to the issue of data privacy, you know that the terrain is shifting rapidly. Companies that collect any kind of sensitive data are likely to be subject to several different data privacy laws. This is especially true of fintech companies who need solutions to ease their regulatory compliance burden. Skyflow’s Fintech Data Privacy Vault provides such solutions.
Network tokenization is an innovative technology that replaces payment card data with a network-issued token and unique transaction cryptograms. This represents a vast improvement over the more common approach to protecting transactions with tokenization, known as PCI tokenization or vault tokenization. Network tokenization reduces the potential for fraud, improves the merchant and consumer experience, increases approval rates, and reduces overall transaction costs.
NachoNacho is building the world's first and largest true B2B marketplace for SaaS subscriptions. In this post, we’ll look at why they chose Skyflow to protect sensitive customer data and help inspire customer trust.
By building your products with privacy by design principles, you can accelerate your time to market while retaining customer trust and protecting the privacy of sensitive data.
Skyflow’s new prebuilt connection with PostGrid lets you send checks to customers, companies, and organizations without having sensitive customer PII and automated clearinghouse (ACH) data touch your backend systems.
Hashing is common practice when storing customer passwords and is a natural place for engineers to start when faced with the challenge of protecting their customer’s sensitive personal data. However, hashing has many limitations when it comes to protecting PII and is far from a complete data privacy solution.
When managing your company’s most sensitive data, encryption is a must. To fit your overall data protection strategy, you need a wide range of options for managing your encryption keys so you can generate, store, and rotate them as needed.
There are very few concepts that have undergone such rapid transformation, both in terms of how it’s understood and the level of public awareness, as data privacy. Although the concept is not new, the meteoric growth of personal data collection over the last two decades has completely altered how people, companies, and governments look at privacy.
A data privacy vault is a technology that isolates, secures, and tightly controls access to manage, monitor, and use sensitive data. In this post, I’ll provide a deep dive into how a data privacy vault helps you to ensure the privacy of sensitive data without sacrificing data utility.
If you’re aggregating data from multiple sources into a Snowflake data warehouse, despite your best efforts, you’re likely to end up with sensitive PII in data workloads. In this post, I explain how to use Snowflake’s External Functions with Skyflow’s Data Privacy Vault to de-risk and de-scope data privacy, security, and compliance from your data application infrastructure, so you can leverage the power of Snowflake while protecting PII.
If you’re storing sensitive user data, you’re right to be concerned about the potential for compliance and security risks. One method to secure sensitive data is tokenization. In this post, we break down what every engineer should know about tokenization – what it is, how and when to use it, the use cases it enables, and more.
Today we announced the release of a new MuleSoft Certified Connector for Skyflow on MuleSoft’s Anypoint Exchange and joined the MuleSoft Technology Partner Program. With this connector, MuleSoft customers can leverage Skyflow to ensure data privacy, security, and compliance as they integrate PII data flows with MuleSoft.
Millions of people have been impacted by the exposure of their sensitive data because it can often be found in companies’ log files and database backups. Read on to learn the best practices for keeping sensitive data out of your logs.
Businesses run on data and they’re collecting more and more all the time. But not all data is equally important. Some data, like sensitive user data, requires better protection than others. Some data is special.
Skyflow recently partnered with DarkReading Research to learn how developers view and interact with current data security challenges.
Today we announced our new partnership with Plaid to help developers protect sensitive data and build financial data privacy into their applications.
Data privacy, security, and compliance are no longer only the concern of the security team. Because every person at your company interacts with sensitive data, security has become an “everyone problem”. I recently spoke with Tom Field of ISMG about this shift in priorities.
As Skyflow’s Chief Privacy Officer, I’m excited to help drive a “shift left” in proactive data privacy, making privacy by design easier than ever for companies of all sizes.
We love developers and want them to love using Skyflow. That’s why we’re continually looking for ways to incorporate your feedback and reduce friction across our products. In this post, we highlight a few recent improvements, including our new Skyflow Docs site and our intuitive policy expression language.
While the recent Okta security incident did not impact Skyflow or our users, it does present a great opportunity to share our thoughts – and a few reminders – about security practices.
Many workflows only require partial information. You might only need a phone number’s area code or the year from a date of birth to verify a customer’s location or age. But creating a service that can run privacy preserving computation on data that’s only partially decrypted is highly complex. That's why we created over 50 different data types native to the Skyflow Data Privacy Vault: so you can easily make sensitive data safe and useful while preserving privacy.
Do you need to store sensitive data like a social security number? In this post, we’ll go over your options for storing this kind of sensitive data, the pros and cons of each approach, and all the requirements and features you should be aware of before tackling this problem.
This certification demonstrates Skyflow’s continued investment in rigorous controls and processes, following our recent completion of SOC 2 Type 1 compliance certification.
If you process transactions using PCI data and ACH banking data, you might have noticed that the regulations around PCI data management are stringent but equivalent regulations for ACH data are nearly non-existent. In this post, we’ll explain why you should still take extensive measures to protect ACH data.
A strong data privacy posture is as important to your company as good posture is to your back — and both benefit from a thoughtful approach.
If your company has a data analytics pipeline to a data warehouse, you’re right to be concerned about the impact of aggregating customer PII, PHI, and PCI on data privacy and security. In this post we’ll explain how you can de-identify data in a pipeline built on AWS so you can use sensitive data while preserving privacy.
The evolution of our technology stack has been a direct result of creative engineers meeting the needs and demands of their users. However, our technology and product processes are ill-equipped to deal with a new user demand, the demand for privacy. In this post, we explore why existing technology is failing to meet new user demands for privacy and what engineers can do to address this problem.
Committing to a solution always feels better when you get the chance to try it out first with no risk. If you’re interested in Skyflow but are unsure how it will fit into your architecture, Skyflow’s new trial environment and Quickstart experience give you an easy way to try it out.
I left a growing team, path to promotion, massages, and free food as Team Lead and Manager of Developer Relations at Google to join Skyflow. This post explains why I made this decision and why I’m so excited for the future.
Many businesses still approach data privacy as a compliance and risk mitigation problem. Instead of viewing data privacy as an operational challenge, leading companies recognize that data privacy is really a technology and infrastructure challenge.
When you’re racing to get to market, storing your PCI data with a payment processor and offloading compliance to them seems like an easy way to save time. But what are the long term risks?
If your company deals with customer data — personal information, credit or debit card details, and so on — you know that you have an enormous responsibility to your users. Beyond the usual concerns around security breaches and the increasing customer expectations of privacy, new regulations from the Reserve Bank of India (RBI) are forcing companies to reevaluate how they handle their customer data.
For many workflows, you need to send PCI, PHI, or PII data to a third-party service for processing. And you need to do all of this while remaining compliant with stringent regulatory requirements like PCI DSS.
Despite your best attempts at preventing it, you likely find that sensitive data ends up in your data analytics pipelines, creating security, privacy, and compliance risk.
We’re excited to announce today the general availability of Skyflow Fintech Data Privacy Vault for PII and PCI data privacy. Delivered as a simple API with support for card issuance, card acceptance, money movement, customer onboarding, and customer data management, it can serve as the data privacy infrastructure for the most important fintech apps and workflows. Leading fintechs are already using the Fintech Data Privacy Vault to get to market faster while ensuring privacy, security, and compliance for sensitive customer data.
Skyflow is the world’s first data privacy vault delivered as an API. Here’s how zero trust informed our approach to authentication and authorization.
Apple now securely manages your driver licenses in its phone vault. Not only that, they have figured out how to do this while preserving your privacy even when you have to show your proof of driver license to a cop (or any validating entity).
[Earth had] a problem, which was this: most of the people living on it were unhappy for pretty much all of the time. Many solutions were suggested for this problem, but most of these were largely concerned with the movements of small green pieces of paper, which is odd because on the whole it wasn’t the small green pieces of paper that were unhappy. — Hitchhiker's Guide to the Galaxy
We’re excited to announce another major compliance milestone: Skyflow is now SOC 2 Type 1 certified. [EDIT July 11, 2022: Skyflow is now SOC 2 Type 2 certified.]
What is zero trust?
Some of the most difficult challenges that healthtech companies face today involve the handling of highly sensitive PHI data. How can you build an app that ensures data privacy and security but also lets you use PHI data to provide services and drive health outcomes? How can you ensure that data is available only in the right places, used in the right ways, and shared properly with third-party partners? How can you ensure compliance with all the rules and regulations that govern healthcare data?
Securely storing sensitive data is not enough. The real value comes when you can store and use the data securely, both with a privacy-first design. Today, we’re excited to announce Skyflow’s new Governance Engine, a set of platform features (shared across all our data privacy vaults) that will help you get the most value out of your sensitive data while also ensuring it is kept secure and private. We’re rolling it out today for all customers as part of our launch of the new PII Data Privacy Vault.
We’re excited today to announce Skyflow PII Data Privacy Vault. This new vault, delivered via our API, makes it easy for any app or workflow to safely and properly handle highly sensitive personally identifiable information (PII) (i.e., customer data). With Skyflow PII Data Privacy Vault, developers can quickly solve the difficult problems inherent to PII data--including regulatory compliance, data security, data governance, data residency, secure data sharing, and more — freeing them to innovate on features and UX.
Over the last few years we’ve seen a massive increase in the amount of PII data being collected as well as a proliferation of user data regulations. As a result, large enterprises like Google and Netflix have started using proprietary data privacy vaults to manage and secure sensitive data. A new paradigm in the security and compliance world, the data privacy vault combines security tools and best practices with sophisticated access management to provide strict limits on how much sensitive data is shared by internal systems.
Skyflow is one of the 24 fintech companies selected for the program.
In this day and age, data is the key to building amazing apps. Successful businesses rely on insights derived from datasets to serve their customers better, whether it's Starbucks personalizing your drink order (order your usual) or Netflix predicting the likelihood of you liking a movie that just came out (53% match for you!)
Customer data platforms helped us collect all this personal data to help us serve our customers better. Now we need to protect it.
One of the main reasons I joined Skyflow was because I had experienced the privacy-versus-personalization tradeoff first-hand in a prior role at Google.
Today, we’re excited to launch the Skyflow Fintech Data Privacy Vault, a new product designed to help fintech companies quickly build and bring to market, privacy-first fintech applications.
Over the last decade, businesses have significantly increased the amount of sensitive data they collect in order to create personalized customer experiences and unlock new growth opportunities. During this time, numerous high-profile data breaches have shined a light on the outdated data privacy and security practices of most businesses.
Okta surprised a lot of people with the news that they were acquiring Auth0 for $6.5B. Why was Auth0 so successful and why did almost everyone miss their rise?
With the increasing vaccination rates of recent months, we are beginning to see the spread of Covid-19 come under control, bringing hope that the pandemic era may soon come to an end.
I just joined Skyflow to help fintech companies ship faster while protecting customer’s sensitive data.
As consumers continue to adopt e-commerce and e-commerce providers streamline the ecommerce buying process, the systems used to process online card payments become popular targets for hacking and fraud. To combat this, in 2001, the PCI SSC was created. The PCI SSC is a joint venture between Visa, Mastercard, American Express, Discover, and JCB which created the Payment Card Industry Data Security Standard (PCI DSS). This standard sought to require any company that works with payment card information, whether collecting it, storing it, processing it, or transferring it, to take certain actions to protect that data.
Personally Identifiable Information, or PII, is data that can be used to identify an individual. For a user of your product, their PII is the data that they input to identify themselves when creating an account, such as an email address or a phone number.
At Skyflow, our focus is on radically simplifying how companies manage, access, and govern sensitive customer data. In the last 12 months, we have seen the emergence of a new category: the data privacy vault, with Skyflow as its flag bearer.
One of the many tricky things about running a startup in stealth mode is picking the perfect time to say “Hello, world”. Introductions are tough, particularly when you’ve spent two years building a company in secret. However, I’ve been dreaming about writing this blog post since we built our first prototype and I didn’t want to wait any longer, so without further ado, let me introduce myself and share what we’ve been working on.
Snowflake seems like such an obvious winner today with the likes of risk-averse Berkshire Hathaway taking an unprecedented stake in their IPO. But it wasn’t always the case.
We can create a queryable federated Coronavirus health data store that’s locally controlled and managed by providers ensuring privacy of individuals. By solving the problem of data ownership, governance, and privacy, we can truly enable the interoperability we so desperately seek.
Email is at the heart of your online identity. We use it everywhere — to log in to our banks, our health records, and even our social networks. But why do I have to give my email address to all these companies who can then turn around and spam me for life?