Belvo_Logo_color_2x

Belvo Earns ISO 27001 Certification, Grows Rapidly Using AWS Security Services

2022

Operating in the highly regulated financial services industry, financial technology (fintech) startup Belvo needed an ISO 27001 certification to prove compliance and open doors to new and larger customers. By using Amazon Web Services (AWS) to automate security and compliance processes, Belvo was able to certify the entire company in 6 months. Earning this certification helped the company grow its customer base five times over and increase its API call volume by a factor of 10.

Giuseppe Ciotta
kr_quotemark

The scalability of AWS services means that we have never found ourselves in a situation where we couldn’t grow at will.”

Giuseppe Ciotta
Vice President of Engineering, Belvo

Innovating Fintech Options for Latin American Consumers

Financial services businesses have historically relied on information obtained using manual processes that are susceptible to human error and fraud. Belvo’s founders saw an opportunity to replace manual processes and improve accuracy. Founded in 2019 and with offices in Mexico, Brazil, and Spain, Belvo offers an open-finance API platform for Latin America. It provides infrastructure and data processing services to fintech companies and financial institutions, including access to financial data from banks, tax authorities, and gig economy companies, as well as data enrichment solutions.
 
The company began its life in Y Combinator, a startup accelerator and seed funding program. One benefit of that program was access to AWS Activate, which provides startups with a host of benefits, including AWS credits, AWS support plan credits, and architecture guidance. “Belvo was able to deploy from the beginning and scale to a substantial size using AWS,” says Giuseppe Ciotta, vice president of engineering at Belvo. As the company matured, it turned to automation using services, such as AWS Control Tower, which provides the easiest way to set up and govern a secure, multiaccount AWS environment. At the same time, Belvo started using AWS Trusted Advisor, which evaluates customer accounts and identifies ways to optimize customers’ AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. Using these two solutions, the company is able to follow AWS best practices for architecture, security, performance, cost optimization, and cloud governance. 
 
In early 2021, Belvo started focusing on larger clients and regulated financial entities, which normally require strict adherence to information security best practices and compliance programs. “When we started talking with larger clients, it became clear that we needed to show credentials certified by a trusted third party,” Ciotta says. “We are way more attractive as a vendor if we are able to comply with these vendor security standards.”

Adding Automation to Security and Compliance

The ISO/IEC 27001:2013 certification is internationally recognized as the benchmark for information security management best practices and comprehensive security controls. Using AWS security services, Belvo began the certification process in March 2021 and concluded it in September 2021. This certification widened Belvo’s sales pipeline; gave it access to larger organizations, regulated financial institutions and new markets; and made vendor screening more efficient for its clients, saving time and money for everyone involved. The company uses certified AWS services, so it can show prospective clients that its solution provider facilitates compliance. Plus, it can expand into new markets with ease using AWS.

Maintaining compliance as the company grows is also important. “You want to be compliant every day, not just once a year when an auditor looks at a snapshot of the company,” Ciotta says. “We built in automation so that the system performs all the security checks required to comply with the ISO 27001 standard every day.”

AWS offers a wide variety of security-related tools and resources, and Belvo uses many of them to maintain its compliance and security posture. To manage these tools, Belvo uses AWS Config, which lets companies assess, audit, and evaluate the configurations of their AWS resources and automatically evaluates recorded configurations against desired configurations. The company pairs that with Amazon Inspector—an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure—to gain insight into its security posture.

As part of its suite of security services, Belvo also relies on Amazon GuardDuty, a threat detection service that continuously monitors customers’ AWS accounts and workloads for malicious activity. To control application access, it uses AWS Key Management Service (AWS KMS), which makes it easy for customers to create and manage cryptographic keys and control their use. And to help it make sure that keys and credentials stay safe, Belvo uses AWS Secrets Manager, which helps protect secrets needed to access applications, services, and IT resources.

“We started using AWS Config, AWS KMS, Amazon Inspector, and all these services, and they essentially gave us continual monitoring of our compliance and security posture,” Ciotta says. “That’s how we tackled our main challenge—and we got it done in fewer than two quarters; we certified the whole company.”

Emphasizing automation not only helps Belvo maintain security but also frees up time for Belvo’s engineers to focus on higher-value tasks. That’s also why the company prioritizes managed services. For example, Belvo uses Amazon Relational Database Service (Amazon RDS), which makes it easy to set up, operate, and scale a relational database in the cloud. “Using managed services, we can focus on our differential value, which is financial innovation, business processes, and application logic, not maintaining a database,” Ciotta says.

Achieving Exponential Growth

Since its 2019 founding, Belvo has multiplied its customer base by five, and in the last 6 months alone, the company has seen an increase in monthly API call volume by a factor of 10. The company has also grown from 20 employees to 110 employees, and it expects to sustain this growth moving forward.

In the future, the company plans to obtain additional certifications and grow its service even further. The Belvo team is investigating the AWS Architecture Center—which provides reference architecture diagrams, vetted architecture solutions, and more. “The scalability of AWS services means that we have never found ourselves in a situation where we couldn’t grow at will. Elasticity is a major factor for a company like ours that is growing very fast.”


About Belvo

Belvo is a leading open-finance API platform in Latin America that helps fintechs and innovative financial institutions access and interpret their users' financial data to create more modern, accessible, and inclusive products.

Benefits of AWS

  • Earned an ISO 27001 certification in only 6 months
  • Multiplied its customer base by a factor of five
  • Increased its API call volume by a factor of 10
  • Grew employee base from 20 to 110
  • Freed up staff to focus on innovation
  • Improved security

 


AWS Services Used

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

Learn more »

AWS Trusted Advisor

AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.

Learn more »

AWS Key Management Service (AWS KMS)

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.

Learn more »

Amazon Inspector

Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.

Learn more »


Get Started

Organizations of all sizes across all industries are transforming their businesses and delivering on their missions every day using AWS. Contact our experts and start your own AWS journey today.