What are the Adyen security foundations?

Security foundations at Adyen

As a financial service provider, securing data is a top priority at Adyen and is built into every part of our business. In order to ensure security is at the forefront of everything we do, we’ve created the Adyen Security Foundations. The foundations include important principles to keep our platform and processes secure.

1. Everybody does security

At Adyen, everyone has a role to play when it comes to security. Teams own their own security practices, and we collectively keep our practices up to date with our growing business. Annually, all employees must participate in the annual security refresher training.

2. Defense in depth 

To keep data and systems secure, we layer protection and prevent single points of failure. We do so by combining both technical and non-technical controls.

3. Built to be controlled by Adyen engineers

We own and manage everything about our products and services, from beginning to the end. This gives us full control over everything we do and helps us secure our platform and data. 

4. Independent, available, and redundant infrastructure

Uptime is critical to our customers’ success. By minimizing reliance on third parties, careful monitoring, and building in redundancy and latency in everything we do, we bring minimal risk to the businesses we work with. 

5. Avoiding insecure components

At Adyen, we minimize exposure to risks that are inherent to the usage of specific technologies, vendors and software components. We avoid components that have shown recurring signs of bad security practices, have repeatedly been the cause of breaches, or are widely considered dangerous through rigorous screening.

6. Zero-trust network design

Our network has been segmented on multiple layers following the zero-trust principle. We use a tiered approach of physically isolated networks that are each assigned to a specific purpose, with our payment platform being the highest security tier. Every component in our network is treated as untrusted by default, so components can only communicate with systems they are explicitly allowed to communicate with, and only use services they are explicitly allowed to use.

7. Secure by default

We deploy, configure, and harden every core and supporting component in our platform infrastructure with automation. By doing so, we ensure that each server, network component and other hardware operates in line with security best practices and benchmarks. We use a similar approach to protect our employees’ laptops, which are managed and hardened centrally by our infrastructure engineers.

8. Secure engineering

At Adyen, security is embedded in every phase of our product lifecycle. This allows us to catch flaws at an early stage and substantially reduce risk, workload and the need for excessive security engineering activities.