Security and Compliance

Secure, compliant collaboration & workflow solutions

Uncompromising data security & ownership

Symphony’s cloud-based solutions offer encryption, on-premise key ownership, and enterprise-class admin control across finance, insurance and corporate use cases.

Data protection and integrity is part of our core with real-time monitoring, surveillance and data loss protection capabilities that meet the stringent requirements of financial, insurance and enterprise firms. Add to that our industry-leading SLAs and transparency and it becomes clear why our clients choose Symphony to meet their compliance requirements.

Symphony is trusted across financial services

Logo: BNP Paribas
Logo: Citi
Logo: Goldman Sachs
Logo: HSBC
Logo: JP Morgan Chase
Logo: Societe Generale
Logo: Wells Fargo

Security by Design

Security is integral to Symphony’s DNA. Data is protected using safeguards such as zero-knowledge encryption of data and access control mechanisms. Fundamental features like key-expiry management and key-rotations are standard features.

Data Protection

In addition to industry security standards, Symphony provides varying degrees of data privacy and encryption. For example, our core messaging platform offers end-to-end encryption, while Cloud9 Trader Voice offers the option of client-specific application encryption keys.

Access Control

Designed for the financial industry, ensuring that any organization in the Symphony platform can organize and provision users as needed. Specific roles like compliance officers and compliance groups are designed to solve challenges associated with large and complex compliance setups.

Independent Pen Test

Annually, Symphony commissions an independent, third-party penetration test of each product. Findings are prioritized by severity and remediated per our established vulnerability management SLAs.

Secure Development

Threat modeling and design reviews are performed for new products and features. Source code is continuously scanned for vulnerabilities, with findings prioritized and remediated per our established vulnerability management SLAs.

Governance and Compliance

Our products are not only built with highest cryptographic protection, but they are specifically designed to comply with regulatory controls, information barriers, auditability and data archiving.

Surveillance & Auditing

The core messaging platform allows clients to monitor all user traffic, providing certain classes of users compliance monitoring via a client-controlled virtual compliance monitor participating in each communication channel. On Cloud9 call logs and recordings are available for compliance archival purposes. Admin personnel can review both call data based on the internal bank processes.

To meet content retention and passive compliance requirements, Symphony supports the export of Symphony content via an optional on-premises component. Request more details

Geographic-based Deployments

Symphony supports multiple data location deployment to best match the different regulatory rules regarding client data residency (e.g. GDPR).

Internal & External Communication Controls

Trusted, client-curated directory and external communication controls offer the best in-class solution to streamline external communications and workflows in a secured way. Compliance and data protection are at the heart of Symphony’s external communication protocols, limiting risks associated with data breaches and unauthorized access to sensitive data.

Data Loss Prevention (DLP)

Support for real-time parsing of Symphony messages and file attachments, data loss policy creation, and blocking content from entering our ecosystem. Apply your DLP policies to messages in real time for internal and external conversations via expression filters.


Symphony’s products support compliance requirements by integrating with various third-party archival solutions for long term retention of message data or call recordings.

Operational Management

A fundamental principle that has guided the platform design is to maintain a high level of availability and resiliency for the overall Symphony platform. Industry-leading SLAs reflect our expertise and accountability.

Resiliency by Design

Resilience is built into the system at multiple levels. Symphony’s architecture is resilient at the component-level against a global availability zone failure, and all data storage solutions work in high availability mode to maintain data replication across different regions.

Automated Operations

All changes applied to the platform are done following latest operation best practices via infrastructure as code. It guarantees a high degree of agility to seamlessly introduce new features and the possibility to always stay in control of any change happening in the platform.

Industry-leading Service-Level Agreements (SLAs)

Symphony offers citizen development applications. Thanks to design and site reliability engineering (SRE) best practices, automation of the processes, and resiliency of the platform, we offer SLAs for Availability and Mean Time to Recovery (MTTR). Request more details

Corporate Responsibility Certifications

Standards are implemented and controls are designed to meet security, availability, and confidentiality trust services criteria. For example, each year, Symphony undergoes a SOC 2 Type II audit by a third party, and the reports are available for distribution to customers.

SOC 2 Type II

Symphony undergoes SOC 2 audits and third-party penetration tests annually to validate the operation of the control environment and to identify any potential vulnerabilities in the control environment systems. Additionally, security reviews are conducted internally on a continuous basis. Request more details.

Data Privacy Framework

Symphony is committed to assisting customers in meeting their compliance obligations with respect to transfers of personal data. We are certified to the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework.

Environmental, Social, and Corporate Governance (ESG)

Symphony is a member of the UN Global Compact and has publicly committed to adhere to the organization’s Ten Principles, as well as the UN Sustainable Development Goals (SDGs).

Vendor Security Reviews

Symphony evaluates all new vendors to ensure strict standards regarding security practices, data protection and confidentiality as part of our vendor code of conduct.

Data Privacy Framework (DPF) Program

The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S.

Association of International Certified Professional Accountants

SOC 2 Type II Report covering security, confidentiality and availability trust principles.

SOC 3 security, confidentiality and availability trust principles.

Financial Services Information Sharing and Analysis Center

Financial services information sharing and analysis center affiliate member.

General Data Protection Regulation

View our GDPR Whitepaper for information about Symphony’s strategy for complying with the EU General Data Protection Regulation.

For questions or more info please contact

Get started with Symphony

We're happy to answer questions and get you acquainted with Symphony and our family of products including Cloud9, StreetLinx and Amenity Analytics.