Financial Services

Your customer data never leaves your infrastructure

Single-tenant deployment in your own VPC. Your Kubernetes cluster, your database, your encryption keys. Datafly has zero access to your data, your credentials, or your infrastructure. Full compliance with SOX, PCI DSS, DORA, and GDPR by architecture, not policy.

Why financial services needs server-side

When your pages handle loan applications, trading interfaces, and account management, client-side vendor tags create risks that server-side delivery eliminates entirely.

Third-party JS has DOM access

Every vendor tag on your loan application page can read form fields, intercept keystrokes, and access session tokens. A compromised or malicious tag has the same access as your own code. Server-side delivery eliminates this attack surface entirely.

Data residency requirements

Financial regulations require customer data to stay within specific jurisdictions. Client-side tags send data directly to vendor servers in unknown locations. Server-side delivery routes all data through your infrastructure first, giving you full control over data flows.

Audit requirements

SOX, PCI DSS, MiFID II, and DORA all require detailed audit trails for data processing. Client-side tags operate outside your audit perimeter. Server-side processing puts every event transformation under your logging, your monitoring, and your compliance controls.

Architecture

Everything inside your VPC

The entire Datafly Signal stack runs inside your infrastructure boundary. Data is processed, stored, and delivered from your cluster. The only outbound connections are to the vendor APIs you configure.

Customer VPC

  • Datafly Signal: ingestion, processing, delivery
  • PostgreSQL: config, audit, pipeline state
  • Kafka: event streaming
  • Redis: cache, rate limiting, sessions

Outbound only to configured Vendor APIs (encrypted)

Choose your deployment model

Three deployment options to match your security requirements, from full customer control to Datafly-managed isolation.

Customer VPC (Recommended)

Deploy Datafly Signal into your own Kubernetes cluster using our Helm charts. You own the infrastructure, the data, and the credentials. Datafly has zero access.

  • Your K8s cluster, your cloud account
  • Helm chart deployment
  • Zero Datafly access to data
  • AWS, GCP, Azure supported

Hybrid

Management plane hosted by Datafly for configuration and monitoring. Data plane runs in your VPC — events are collected, processed, and delivered entirely within your infrastructure.

  • Management UI hosted by Datafly
  • Data plane in your VPC
  • No event data leaves your infrastructure
  • Simplified operations

Datafly-Hosted Isolated

Dedicated Kubernetes namespace managed by Datafly with full tenant isolation. No shared compute, storage, or networking. Suitable when VPC deployment is not required but isolation is.

  • Dedicated namespace per customer
  • No shared infrastructure
  • Managed by Datafly
  • Network policies enforced

PII Protection

Sensitive data never reaches vendor APIs

PII handling is configured at the organisation level and applied to every event before any vendor pipeline processes it. Account numbers are stripped. Emails and phone numbers are SHA-256 hashed. IP addresses are masked. National IDs never leave your infrastructure.

Four PII modes per field: sha256 hash, mask, strip, or pseudonymise. Applied at the Org Data Layer before vendor pipelines see the data.

pipeline/application-started.yml (YAML)
# Financial Services PII Pipeline
# Protect sensitive data before vendor delivery

event: Application Started
source: web

org_data_layer:
  schema: finance/application-v1
  pii:
    email: sha256
    phone: sha256
    account_number: strip
    sort_code: strip
    national_id: strip
    ip_address: mask
    date_of_birth: strip
  consent:
    required: [analytics, marketing]
  enrichment:
    - geo_from_ip: country_only

pipelines:
  - vendor: google_analytics_4
    event_name: generate_lead
    mapping:
      currency: properties.currency
      value: properties.estimated_value
      lead_source: properties.channel

  - vendor: meta_conversions_api
    event_name: Lead
    mapping:
      event_id: context.event_id
      value: properties.estimated_value
      currency: properties.currency
      content_name: properties.product_type
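
The four PII modes applied to one event, using the `pii:` map from the YAML above. This is an added illustration, not Datafly's implementation: the normalisation before hashing, the /24 and /48 mask widths, the HMAC-based `pseudonymise`, the flat event shape, the demo key and the fail-closed handling are all assumptions.

```python
import hashlib
import hmac
import ipaddress

# PII map copied from the page's pipeline/application-started.yml.
PII_RULES = {
    "email": "sha256", "phone": "sha256", "ip_address": "mask",
    "account_number": "strip", "sort_code": "strip",
    "national_id": "strip", "date_of_birth": "strip",
}

def sha256_hex(value):
    # Assumption: trim and lowercase first so equal values hash equally.
    return hashlib.sha256(str(value).strip().lower().encode()).hexdigest()

def mask_ip(value):
    # Assumption: "mask" keeps only the /24 (IPv4) or /48 (IPv6) network.
    addr = ipaddress.ip_address(value)  # raises ValueError on bad input
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def pseudonymise(value, key):
    # Assumption: keyed HMAC-SHA256; tokens need the key to recompute.
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()

def apply_pii(event, rules, key=b"constructed-demo-key"):
    """Return a copy of a flat event dict with the PII rules applied."""
    out = dict(event)
    for field, mode in rules.items():
        if field not in out:
            continue
        value = out.pop(field)  # removed unless a mode puts it back
        try:
            if mode == "sha256":
                out[field] = sha256_hex(value)
            elif mode == "mask":
                out[field] = mask_ip(value)
            elif mode == "pseudonymise":
                out[field] = pseudonymise(value, key)
            elif mode != "strip":
                raise ValueError(f"unknown PII mode: {mode}")
        except ValueError:
            pass  # fail closed: bad value or unknown mode drops the field
    return out

# Constructed sample event (not real customer data).
SAMPLE = {"email": " Jane@Example.com ", "ip_address": "203.0.113.77",
          "account_number": "00000000", "currency": "GBP"}
```

Unkeyed SHA-256 of a low-entropy field such as a phone number works as a stable join key rather than as anonymisation, because the small input space can be enumerated; the keyed mode does not have that property.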

Audit & Compliance

Every change. Every field. Every user.

Full audit logging with before/after diffs on every configuration change. Immutable audit trail — no edits, no deletions, even by administrators. Searchable and exportable for compliance reporting.

Compliance Frameworks

  • SOX: Financial reporting controls and audit requirements
  • PCI DSS: Payment card data protection standards
  • GDPR: EU data protection and privacy regulation
  • DORA: Digital Operational Resilience Act for financial entities
  • MiFID II: Markets in Financial Instruments Directive
  • Data Residency: Data stays within your jurisdiction and infrastructure

Access Control

Five roles. Least-privilege by default.

Every team member gets exactly the access they need. No more, no less. Integrate with your existing identity provider via SAML or OIDC for single sign-on.

  • Owner: Full organisation control — billing, users, all sources, audit logs
  • Admin: Manage sources, integrations, pipelines, and team members
  • Editor: Edit pipeline configurations, transformations, and integration settings
  • Analyst: View analytics dashboards, event debugger, and delivery status
  • Viewer: Read-only access to source configurations and documentation

Enterprise SSO via SAML 2.0 and OpenID Connect. MFA support.

Ready for a first-party data platform in your VPC?

Book a technical walkthrough with our engineering team. We will show you the deployment process, the security architecture, and the audit capabilities — in your environment.