Trust Center

Banking-grade security. Swiss-style discretion.

How we engineer and audit the software that powers 150+ private banks and wealth managers worldwide.

ISO/IEC 27001:2022 certified by SGS (UKAS-accredited), valid through October 2027. SpeciTec ships software that runs inside your environment — on-premise or in the cloud tenant you operate. Customer banking data never transits SpeciTec infrastructure. This page summarises the controls we engineer into the product and the corporate ISMS that governs how we build it. Reach out for our latest evidence pack — pen-test summaries, secure-deployment guides, business-continuity plans and customer-specific assurances on request.

Last reviewed: April 2026

Our framework

Four commitments, every release.

Security

Defence in depth from code commit to release: signed builds, mandatory peer review, encrypted data flows by default, segregated build environments, least-privilege access to source and pipelines.

Privacy

Customer banking data never leaves your environment. The software is engineered for data minimisation, jurisdiction-aware processing and Swiss-grade discretion — by default, SpeciTec personnel have no access to your production data.

Compliance

Designed against the regulations our clients answer to — FINMA, CSSF, MAS, DFSA, BCBS — and the cross-cutting frameworks (GDPR, ISO 27001, SOC 2) that map control evidence across them.

Resilience

Reference architectures support active-active multi-region deployments. Disaster-recovery procedures, documented incident response and BCP playbooks are rehearsed on a published cadence — not a binder on a shelf.

Featured certificate

ISO/IEC 27001:2022

Information security management system. The umbrella under which the rest of the controls below are governed and audited.

Issuer
SGS United Kingdom Ltd
Reference CH24/00000088
Validity
7 October 2024 to 7 October 2027
Annual surveillance audits.

Scope

ISMS covering the SpeciTec Geneva site providing financial software development and edition services. Applies to every SpeciTec employee. No exclusions on Annex A controls. (Statement of Applicability v1.0, 27 May 2024.)

Accreditation marks: UKAS Management Systems; IAF MLA.

Frameworks

What we map our controls against.

Most procurement teams ask the same questions, framed against the same set of standards. Here is where we sit on each. Status reflects a current attestation we can share, an alignment we can demonstrate against the control matrix, or a target attestation in flight.

  • ISO/IEC 27001:2022

    Certified

    Information security management system. The umbrella under which the rest of the controls below are governed and audited.

    Certified by SGS — surveillance audits annually, recertification due before October 2027.

  • ISO/IEC 42001:2023

    In progress

    AI management system. Governs how we design, deploy and supervise AI features across the SpeciTec platform — model lifecycle, data governance, human oversight and transparency.

    Certification process under way. Extends our 27001 governance to AI-specific controls; targeting attestation in 2026.

  • SOC 2 Type II

    In progress

    Security, Availability, Confidentiality. The de-facto US/global vendor-risk reference for SaaS providers serving regulated customers.

    Observation window underway. Bridge letter available on request.

  • GDPR & nFADP (Swiss)

    Certified

    EU General Data Protection Regulation and the revised Swiss Federal Act on Data Protection. Both apply across our delivery footprint.

    Article 28 DPA available on request. Standard Contractual Clauses for cross-border transfers.

  • FINMA Circular 2018/3

    Aligned

    Swiss outsourcing for banks and insurers. Defines the supervisor's expectations on critical-function delegation.

    FINMA-aligned outsourcing schedule available for client legal review.

  • CSSF Circular 22/806

    Aligned

    Luxembourg ICT and security risk management — supervises outsourcing arrangements for the financial sector.

  • MAS TRMG

    Aligned

    Singapore Monetary Authority's Technology Risk Management Guidelines.

  • PCI DSS

    Aligned

    Payment Card Industry Data Security Standard. We do not store, process or transmit primary account numbers; cardholder workflows are tokenised at the bank tier.

    Scope-limiting attestation available on request.

Status is updated whenever a control state changes. Customers under signed NDA receive direct visibility into in-flight attestations and remediation plans.

Technical controls

What we engineer into the product.

Encryption

  • TLS 1.2+ enforced for every external connection by default; TLS 1.3 supported. HSTS templates ship with the reference deployment.
  • AES-256-GCM at rest for every database, object store and backup, including offline media — using the keys you provide.
  • Per-tenant key derivation. Customer-Managed Keys (CMK) and Bring-Your-Own-Key (BYOK) integrate with AWS KMS, Azure Key Vault or your on-prem HSM. Custody stays with you.
  • Field-level encryption for designated PII and credentials, with envelope keys you control and rotate.

Identity & access

  • SAML 2.0 SSO, OIDC and SCIM 2.0 for every user-facing surface — federated to your IdP.
  • Granular RBAC mapped 1:1 to your operating model; segregation of duties enforced at the IAM layer, not by convention.
  • MFA enforcement is configurable per role, with hardware-key support for privileged operators.
  • SpeciTec personnel have no standing access to your production environment. Any support engagement is opt-in, time-bounded and fully audited at your IdP.

Software development lifecycle

  • Mandatory peer review on every change. No direct pushes to release branches.
  • Static application security testing (SAST), software composition analysis (SCA) and secret scanning gate every pull request.
  • Signed container images and SLSA-style provenance metadata. Build pipelines run in isolated, ephemeral runners.
  • Annual independent penetration testing of the product, plus targeted re-tests on every major release.

Deployment & infrastructure

  • Reference Kubernetes manifests and Terraform modules ship with sane defaults: default-deny egress, private VPC peering, hardened container images, no SSH.
  • Hardening guides cover Azure, AWS and on-premise targets; CIS-benchmarked baselines are part of the deployment kit.
  • Web application firewall and DDoS guidance is provided per cloud target — your operations team owns the runtime.
  • Reference architecture supports air-gapped operation when regulatory or political constraints require it.

Logging & monitoring

  • The platform emits a structured, immutable audit log for every privileged action — your operations team retains and rotates it.
  • Security events stream to your SIEM via webhook, syslog or object-store drop. SpeciTec does not operate a shared SIEM that holds your data.
  • Anomaly detection signals (auth, privilege escalation, data-egress) are surfaced for your monitoring stack to consume.
  • Detailed, machine-readable telemetry contracts are published so your SOC integrates the platform alongside the rest of your estate.

Resilience

  • Reference architectures support active-active multi-region deployments. Engineered RTO target: 4 hours. Engineered RPO target: 15 minutes — when deployed per the reference architecture.
  • Disaster-recovery runbooks ship with the product. Your operations team owns the execution; we provide drill scripts and acceptance tests.
  • Documented incident response: severity tiers, customer-notification windows and post-mortem cadence apply to issues in our software, not to your runtime.
  • Business continuity for SpeciTec the company (engineering, support, customer success) is rehearsed on a published cadence and audited under our ISO 27001 ISMS.

Deployment topology

Your data, your infrastructure.

SpeciTec ships software that the bank deploys in its own environment. There is no SpeciTec-operated region, no managed-cloud tenant, no shared database. The patterns below summarise the deployment topologies we support and the regulatory contexts where each is most often chosen.

  • On-premise
    Locations: Your data centre, your hardware, your network.
    Typical use case: Default for tier-1 banks with hard sovereignty constraints (FINMA, MAS, DFSA) and for institutions running their own private banking core.

  • Customer-managed cloud — Azure
    Locations: Microsoft Azure, region of your choice.
    Typical use case: Most common pattern in Switzerland, Luxembourg and the EU. SpeciTec provides reference Terraform / AKS manifests; your cloud team operates the tenant.

  • Customer-managed cloud — AWS
    Locations: Amazon Web Services, region of your choice.
    Typical use case: Frequent in APAC and the Americas. SpeciTec provides reference Terraform / EKS manifests; your cloud team operates the tenant.

  • Air-gapped
    Locations: Isolated network, no internet egress.
    Typical use case: Available for regulated environments where no cloud connectivity is permitted (sanctioned-jurisdiction operations, defence-adjacent customers).

  • Hybrid
    Locations: Mixed on-premise + customer cloud.
    Typical use case: Common during multi-year core-banking migrations: legacy systems remain on-prem while newer modules run in the bank's cloud, integrated via SpeciTec reference patterns.

Corporate vendors

Vendors used by SpeciTec — not by your platform.

SpeciTec does not host your banking data, so we don't engage sub-processors to handle it. The vendors below support SpeciTec's own corporate operations — engineering, source control, customer support and marketing. None receive customer production data. We disclose the list for transparency and update it whenever it changes.

  • Microsoft 365
    Purpose: Corporate email, document collaboration and meeting tooling for SpeciTec employees.
    Region: EU (Switzerland & Ireland datacentres).
    DPA: Available.

  • Azure DevOps Server (on-premise)
    Purpose: Source control, CI/CD and release management for SpeciTec's product code. Self-hosted inside the Geneva ISMS perimeter; no SpeciTec source code lives in a public cloud.
    Region: Switzerland (SpeciTec-operated).
    DPA: On request.

  • Atlassian (Jira, Confluence)
    Purpose: Engineering tracking, release notes and internal documentation.
    Region: EU (Frankfurt).
    DPA: Available.

  • OpenAI ChatGPT Enterprise
    Purpose: Engineering and content productivity for SpeciTec employees. Enterprise tenant: data is not used for model training and is governed by an Article 28 DPA.
    Region: EU data residency (enterprise tenant).
    DPA: Available.

  • Anthropic Claude Enterprise
    Purpose: Engineering and content productivity for SpeciTec employees. Enterprise tenant: data is not used for model training and is governed by an Article 28 DPA.
    Region: EU data residency (enterprise tenant).
    DPA: Available.

  • Vercel Enterprise
    Purpose: Edge delivery of SpeciTec's marketing surfaces (specitec.com). No customer banking data flows here.
    Region: Global edge.
    DPA: Available.

  • VTX Telecom (Switzerland)
    Purpose: Corporate connectivity, on-premise hosting and managed network for SpeciTec's Geneva facility. Switzerland-domiciled, FINMA-aware operator.
    Region: Switzerland.
    DPA: Available.

Cloud-hosting vendors (AWS, Azure, GCP) used to appear on this list; they were removed because SpeciTec does not operate a managed runtime for customer banking data. When the bank chooses its own cloud target, the contract for that runtime is between the bank and the cloud provider — SpeciTec is not a sub-processor of that data.

Vulnerability management

Pen-tested. Patched. Proven.

We run a continuous programme rather than an annual ritual. Independent testers exercise the platform every twelve months across the OWASP ASVS Level 2 control set, with targeted re-tests on every major release. Internal teams maintain rolling SAST, SCA and SBOM hygiene.

  • 12 months: independent penetration test cadence.
  • 24/7: security monitoring with on-call rotation.
  • < 30 days: median time to patch high-severity findings.
  • 100 %: pull requests gated by SAST + SCA + secret scanning.

Coordinated disclosure

Found something? We want to hear from you.

Researchers acting in good faith are welcomed. We commit to acknowledging your report within 72 hours, providing status updates every 14 days, and coordinating public disclosure no later than 90 days after a fix is shipped. We do not pursue legal action against researchers who follow the process below.

Contact: security@specitec.com. PGP key fingerprint and encrypted-channel instructions are included in the autoresponder.

FAQ

Procurement & risk teams ask

Need the full evidence pack?

Pen-test summaries, sub-processor agreements, BCP playbooks, ISO control mappings and SOC 2 readiness — all available under signed NDA.

Recognition

  • Global Private Banker WealthTech Awards 2026 — Best Credit Solution of the Year — Winner
  • Global Private Banker WealthTech Awards 2026 — AI Excellence in WealthTech Award, Overall — Highly Acclaimed
  • WealthBriefing Swiss Awards 2026 — Winner, Risk Profiling Solution — SpeciTec SA