Secure Unified APIs for Financial Data: The 2026 Architecture Guide
Compare Plaid, Tink, TrueLayer, Salt Edge, and Truto for GDPR-compliant financial data integrations. Architecture, SOC 2, ISO 27001, DPA, and DORA readiness.
If you are evaluating secure unified APIs for financial data - whether for accounting, ERPs, or open banking connectivity - you need to look past the marketing pages and inspect the underlying architecture. The implicit promise of an API aggregator is that it abstracts away the pain of integrating with NetSuite, QuickBooks, Xero, and dozens of banking platforms. The hidden risk is that legacy aggregators achieve this by silently caching your customers' general ledgers, bank feeds, and personally identifiable information (PII) on their own servers. This creates a massive, unnecessary attack surface.
Security is the thing that will quietly destroy you if you get it wrong. Not the data model. Not the field mappings. Not the pricing. The security architecture of the platform you choose determines whether your next enterprise deal sails through procurement review or dies in a 47-page security questionnaire, a scenario we cover in our guide on why Truto is the best zero-storage unified API for compliance-strict SaaS.
This guide breaks down the architectural requirements for handling sensitive financial data, contrasts legacy data-hoarding aggregators with modern pass-through architectures, and provides a vendor-neutral comparison of the major platforms (Plaid, Tink, TrueLayer, Salt Edge, and Truto) so you can evaluate unified accounting and open finance APIs for GDPR-sensitive enterprise deployments.
Executive TL;DR: Top Picks for GDPR-Sensitive Financial Integrations
If you only have five minutes before your next architecture review, here's the short version. No single platform is "best" in the abstract - the right answer depends on whether your primary need is US open banking, European PSD2/AISP coverage, or SaaS-to-SaaS accounting/HRIS/ERP integrations. All rankings below assume the buyer needs both GDPR compliance and enterprise-grade security posture (SOC 2 Type II and/or ISO 27001).
1. Best for pass-through architecture and zero data retention (SaaS/ERP/accounting integrations): Truto. Pass-through proxy design means customer financial data is normalised in-flight and not persisted to disk. SOC 2 Type II completed for two consecutive years. Best fit for B2B SaaS companies integrating with QuickBooks, Xero, NetSuite, Sage, and Zoho Books, where the primary compliance goal is to keep your customers' ledger data out of a third-party database entirely.
2. Best for European open banking and PSD2 payment initiation: Tink (Visa). Licensed Payment Institution regulated by the Swedish Financial Supervisory Authority, authorised AISP and PISP across the EU, SOC 2 Type II certified, and ISO 27001 certified. Strong fit if you need pay-by-bank flows or account information services across the EEA and UK. Regulated status materially shortens your own PSD2 due-diligence work.
3. Best for UK-first open banking with mature payments rails: TrueLayer. ISO 27001:2022 certified, with a SOC 2 Type 2 audit completed every year, plus Cyber Essentials Plus. FCA-authorised and a strong option if your primary market is the UK/EU and you need Variable Recurring Payments (VRP) support.
Honourable mentions: Salt Edge for broad global bank coverage (5,000+ institutions across 50+ countries) and long-standing ISO 27001 certification; Plaid if your integration is US-first and you can accept a cache-and-serve model. All are covered in detail below.
Quick decision heuristic: If you're integrating with accounting/ERP/HRIS SaaS platforms, prioritise pass-through architecture and zero data retention. If you're integrating with banks under PSD2 or FDX, prioritise the vendor's own regulated status (AISP/PISP licence) - the licence effectively transfers regulatory scope off your balance sheet.
The State of Financial API Security in 2026
The threat landscape for application programming interfaces has shifted dramatically. Attackers no longer focus solely on traditional web application vulnerabilities; they target the APIs that connect disparate SaaS platforms. Let's start with the numbers, because they're worse than most teams realize.
57% of organizations reported experiencing an API-related data breach in the past two years. Of those, 73% experienced three or more incidents, according to the 2025 Global State of API Security report from Traceable AI and the Ponemon Institute. That's not a statistical anomaly. It's systemic failure.
Financial services get hit hardest. By industry, financial services (27%) lead all sectors in API-focused attacks, per the Thales API Threat Report (H1 2025). Across more than 4,000 monitored environments, Thales recorded over 40,000 API incidents in the first half of 2025 alone. Although APIs represent only 14% of overall attack surfaces, they now attract 44% of advanced bot traffic.
The cost of getting this wrong is concrete. Financial services organizations averaged $5.56 million per breach in 2025 - the second-highest of any sector. The ITRC 2025 report identified financial services as the single most breached industry by compromise count: 739 data compromises in 2025, the highest of any sector.
Traditional point-to-point integrations exponentially increase this attack surface. Every time your engineering team builds a direct connection to a financial system, you are managing another set of OAuth tokens, another webhook endpoint, and another data pipeline. If a developer logs a raw API response for debugging purposes, or if a webhook payload is temporarily stored in an unsecured queue, you have created a compliance violation.
Here's what makes this relevant to your unified API decision: every third-party platform you integrate with expands your attack surface. According to Verizon's 2025 Data Breach Investigations Report, 30% of breaches involved a vendor or 3rd party. If you're using an API aggregator that stores your customers' financial data, you've just inherited their security posture as your own risk.
At the same time, the adoption of standardized, secure open finance APIs is accelerating rapidly. The Financial Data Exchange (FDX) reported that 42 million consumer accounts use its API for open finance data sharing, generating 3.4 billion API calls per month. Engineering leaders at B2B SaaS companies are caught in the middle. Product managers demand faster integration delivery to unblock sales, while security teams demand stricter data controls. For more context on the risks of traditional integration approaches, read our guide on the Security Implications of Using a Third-Party Unified API.
What Makes a Unified API "Secure" for Financial Data?
A unified API for financial data connects your application to systems like QuickBooks, Xero, NetSuite, and Sage through a single interface. Defining security in the context of API integration goes far beyond encrypting data in transit. It requires a fundamental shift in how data is processed, retained, and authorized.
A secure unified API for financial data must meet three architectural requirements:
- Zero data retention (Data residency discipline): It must act as a pass-through proxy, never storing financial payloads at rest in a persistent database. Does the platform store your customers' financial records at rest? If yes, for how long? Where?
- Delegated authorization (Lifecycle management): It must use tokenized OAuth connections so raw credentials never touch the consuming application. How are OAuth tokens stored, rotated, and scoped? What happens when a refresh token expires?
- Transparent rate limiting (Error propagation): It must pass HTTP 429 errors directly to the client rather than silently caching, absorbing, or retrying failed requests.
Legacy data aggregators - platforms built in the screen-scraping era - were designed to ingest, store, and re-serve financial data. They run background sync jobs that pull data from third-party APIs, store it in their own massive multi-tenant databases, and serve it to you via their API. That made sense when the alternative was literally parsing HTML from bank login pages. But in 2026, that architecture is a liability. If you use one of these platforms, your vendor is now a secondary breach target.
The shift is visible in the standards landscape. As of early 2026, the Financial Data Exchange reports that over 130 million consumer accounts are now connected via the FDX API, up from 114 million in mid-2025. FDX is a non-profit organization dedicated to unifying the financial industry around a common, interoperable, royalty-free standard for secure and convenient consumer and business access to their financial data. The direction is clear: token-based, consent-driven, API-first access - not credential-hoarding intermediaries.
In the broader fintech ecosystem, market leaders have already recognized this flaw. Plaid dominates the open banking space by focusing heavily on consumer-permissioned data sharing and OAuth connectivity. MX positions its Data Access solution around FDX standards, utilizing tokenized Direct API and OAuth connections so credentials never leave the organization. B2B SaaS companies integrating with accounting systems, ERPs, and HRIS platforms must demand the exact same architectural rigor.
When evaluating any unified API platform for financial integrations - and determining which unified API does not store customer data in 2026 - you're really choosing between two architectures:
| Architecture | Data at rest? | Breach blast radius | Compliance burden |
|---|---|---|---|
| Cache-and-serve | Yes - synced copies stored | Platform is a secondary breach target | You inherit their data residency obligations |
| Pass-through proxy | No - data normalized in-flight | Platform holds no exploitable data | Dramatically simpler compliance scope |
Neither is inherently "wrong." Cache-and-serve models are useful if you need offline analytics or if the upstream API has brutal rate limits. But for financial data - invoices, payments, journal entries, employee payroll data - the security calculus strongly favors pass-through architectures.
Methodology and Evaluation Criteria
Before we compare specific vendors, here's how the evaluation below is structured. Any procurement review or RFP should cover the same ground.
GDPR mapping
GDPR is not a certification; you cannot buy your way to compliance. GDPR has no certification process. Compliance is self-regulated, and your company must document and implement required controls. Regulatory authorities can investigate and impose fines if violations are found. That said, when a vendor processes personal data on your behalf, GDPR Articles 28 (processor obligations), 32 (security of processing), 33 (breach notification), and 44-49 (international transfers) become the operative controls you need evidence for. Practically, that means:
- A signed Data Processing Agreement (DPA) with Article 28 clauses.
- A published subprocessor list with geographic locations and processing purposes.
- Standard Contractual Clauses (SCCs) or equivalent transfer mechanism for any data leaving the EEA.
- 72-hour breach notification commitments in contract.
- Support for data subject rights (access, erasure, portability) - even more relevant when the vendor caches data.
DORA and PSD2
If your customers are EU financial entities, the Digital Operational Resilience Act (DORA) applies to them from January 2025 and, by extension, to their critical ICT third-party providers - including your unified API vendor. Look for DORA-aligned contractual clauses (exit strategies, audit rights, incident reporting SLAs).
For open banking specifically, PSD2 (and the incoming PSD3/PSR package) requires that any third party accessing payment accounts be a licensed AISP or PISP. If your vendor holds that licence themselves, the regulatory burden shifts to them rather than to you. A comparative analysis of PSD2 with cybersecurity frameworks (NIS2, Cybersecurity Act, GDPR, ISO 27001:22 and PCI DSS) shows a lack of harmonisation and clarity concerning the technical security specifications for its effective implementation. Translation: the licence itself matters more than any vendor marketing about "PSD2-ready."
Security controls we grade on
- SOC 2 Type II - not Type I. Type I is point-in-time; Type II covers a monitoring period, typically 6-12 months.
- ISO/IEC 27001:2022 - the international ISMS standard. ISO 27001 results in a formal certification, while SOC 2 produces an attestation report. ISO 27001 certificates are valid for three years and can be publicly displayed on your website.
- ISO/IEC 27701 - privacy extension. Useful evidence for GDPR conversations.
- Pass-through vs cache-and-serve architecture.
- DPA availability without going through enterprise sales.
- Published subprocessor list with geographies.
- Rate-limit and retry behaviour - transparent propagation vs silent absorption.
- Regulatory licensing (AISP/PISP under PSD2, FCA authorisation, FDX participation).
Vendor Comparison: Architecture, Certifications, DPA, Retention
The table below summarises the current public posture (as of mid-2026) of the five most commonly shortlisted platforms for compliance-sensitive financial integrations. Every claim in this table is verifiable from the vendor's public trust centre or documentation; links to primary sources are in the Appendix.
| Vendor | Primary use case | Architecture | SOC 2 Type II | ISO 27001 | DPA available | Data retention | PSD2/FDX status | Rate-limit behaviour |
|---|---|---|---|---|---|---|---|---|
| Truto | Unified SaaS/ERP/accounting APIs (QuickBooks, Xero, NetSuite, Sage, Zoho Books, HRIS, CRM) | Pass-through proxy | Yes (2 consecutive years) | In progress / roadmap | Yes | Zero at rest; in-flight normalisation only | FDX-aware for accounting; not a licensed AISP/PISP | Transparent - IETF ratelimit-* headers propagated |
| Plaid | US-first open banking (bank connectivity, account/identity/transactions) | Cache-and-serve (background sync + stored account data) | Yes (SSAE18 SOC 2) | Yes (ISO 27001 + ISO 27701) | Yes | Data persisted for consumer-permissioned access | FDX participant; regulated in some jurisdictions | Vendor-managed; internal retries |
| Tink (Visa) | European PSD2 open banking, AIS + PIS, pay-by-bank | Regulated aggregator; PSD2 dedicated interfaces | Yes | Yes | Yes | Data cached for AIS use cases | Licensed AISP + PISP across EEA and UK | Vendor-managed; regulated response codes |
| TrueLayer | UK/EU open banking payments, VRP, data | Regulated aggregator | Yes (annual) | Yes (ISO 27001:2022) | Yes | Data cached for AIS + payments use cases | Licensed PISP/AISP in UK/EU; FCA-authorised | Vendor-managed; internal retries |
| Salt Edge | Global bank aggregation (5,000+ institutions across 50+ countries) + PSD2 compliance tooling for banks | Regulated aggregator | Not publicly attested | Yes (ISO 27001) | Yes | Data cached with tokenised encryption | FCA-registered AISP under PSD2 | Vendor-managed |
How to reuse this table for procurement: Copy it into your RFP spreadsheet, add columns for pricing, SLA, and support region, and turn each cell into a question in your security questionnaire. If a vendor rep can't answer any single column from memory or point you to their trust centre in under two minutes, that itself is a signal.
A note on comparability
These platforms are not perfectly substitutable. Truto sits in the SaaS-to-SaaS unified API category (accounting, HRIS, CRM, ERP), while Plaid, Tink, TrueLayer, and Salt Edge are primarily bank connectivity / open banking providers. Many companies end up using one from each category. The comparison is useful because the same security questions apply across both categories, and buyers frequently evaluate them together when the use case involves "pull financial data from wherever the customer keeps it."
Per-Vendor Notes and Evidence Links
Truto
What it is: Unified API for accounting, HRIS, CRM, ERP, ATS, and 20+ other categories, built on a pass-through proxy architecture. Data is normalised in-flight during the HTTP request lifecycle and not persisted at rest.
Security posture: SOC 2 Type II completed for two consecutive audit periods. DPA available. Signed webhook payloads (HMAC-SHA256). Transparent rate-limit propagation using IETF-standard ratelimit-limit, ratelimit-remaining, and ratelimit-reset headers regardless of the upstream provider's native format.
Pros:
- Zero data retention shrinks GDPR scope materially - you don't inherit the vendor's data residency posture.
- Write support (full CRUD) across accounting providers, not read-only.
- Proxy API fallback for endpoints not covered by the unified schema.
Cons:
- Not a licensed AISP/PISP; not the right choice for PSD2 payment initiation flows.
- ISO 27001:2022 certification is on the roadmap rather than in hand at time of writing - verify current status in the trust centre before signing.
- Pass-through means no local cache to serve reads during upstream outages.
Best fit: B2B SaaS companies with strict security review processes integrating with accounting, HRIS, CRM, or ERP platforms.
Plaid
What it is: The dominant open banking platform in North America, with strong European presence via its EU entity. Primarily a data aggregator with growing payments capabilities.
Security posture: Plaid is certified in internationally-recognized security standards, like ISO 27001, ISO 27701, and is SSAE18 SOC 2 compliant. Public trust centre lists SOC 2 Type 2, ISO 27001, ISO 27701, and TruSight. Plaid also adheres to other regulatory standards such as GDPR and PSD2.
Pros:
- Broadest US bank coverage of any provider.
- Mature developer experience with well-documented SDKs and Link UI.
- Multi-jurisdiction regulatory posture.
Cons:
- Cache-and-serve architecture means Plaid holds your users' bank data, which expands your GDPR and DPIA scope.
- Historical class-action settlement in the US (2022) over data collection practices - worth reading before finalising a DPA.
- Less compelling in Europe than Tink or TrueLayer for pay-by-bank use cases.
Best fit: US-first fintech products where breadth of institution coverage outweighs strict zero-retention requirements.
Tink (Visa)
What it is: Visa-owned European open banking platform aggregating 6,000+ EU/UK banks. Strong on payment initiation ("pay-by-bank").
Security posture: Licensed Payment Institution regulated by the Swedish Financial Supervisory Authority (Finansinspektionen); Authorized AISP and PISP across the EU; FCA authorized in the UK through Tink Financial Services Limited; SOC 2 Type II certified; ISO 27001 certified. Tink does not use consent as a legal basis under the GDPR, which affects how you draft privacy notices when using their APIs.
Pros:
- Regulated status shifts significant PSD2 compliance weight off your organisation.
- Best-in-class European bank coverage.
- Strong PIS/pay-by-bank capabilities.
Cons:
- Data model is European-first; less compelling for US integrations.
- As with any regulated aggregator, data is cached for AIS use cases; expect a fuller DPIA than a pure pass-through vendor.
- Post-Visa acquisition, roadmap decisions increasingly reflect Visa's strategic priorities.
Best fit: European fintechs and B2B SaaS platforms serving EEA/UK customers who need PIS + AIS.
TrueLayer
What it is: UK-headquartered open banking payments and data platform, strong on Variable Recurring Payments and pay-by-bank.
Security posture: ISO 27001:2022 certified; Cyber Essentials basic and Plus; SOC 2 Type 2 audit completed every year; policy library aligned to ISO27001:2022 requirements and audited on a regular basis. ISO 27001 certified by BSI since December 2017. FCA-authorised.
Pros:
- Longest continuous ISO 27001 history among open banking platforms.
- Mature UK VRP support.
- Strong DORA readiness given UK/EU regulatory footprint.
Cons:
- Coverage skews UK/EU; less useful outside those markets.
- Payment-first product design means data-only use cases may be better served elsewhere.
Best fit: UK and EU merchants and fintechs needing pay-by-bank rails or account information services.
Salt Edge
What it is: Global financial data aggregation platform with connections to 5,000+ institutions across 50+ countries, plus a PSD2 compliance toolkit for banks that need to expose their own APIs.
Security posture: Salt Edge is ISO 27001 certified in scope of "developing, managing, and providing financial IT services," as well as PCI DSS compliant. Uses multiple encryption layers as well as tokenisation technology; the entire communication is done via TLS encrypted channels; credentials are encrypted at least twice and can be accessed only with one-time tokens. Registered as Account Information Service Provider by the UK's FCA under PSD2.
Pros:
- Widest global bank coverage of the vendors compared here.
- Long-standing ISO 27001 certification (since 2018).
- Dual product line (aggregation + bank-side PSD2 tooling) is unusual and useful.
Cons:
- No publicly attested SOC 2 Type II - verify current status if this is a hard requirement.
- Cache-and-serve model with encrypted credential storage; higher DPIA surface than a pass-through vendor.
Best fit: Products needing global bank coverage beyond the US/EU/UK core, or banks needing to build their own PSD2-compliant interfaces.
Zero Data Retention: The Pass-Through Architecture
The most effective way to secure financial data is to not store it. Zero data retention means the unified API platform acts as a translation layer that normalizes data in-flight without persisting your customers' financial records to disk.
Instead of syncing and storing data, a pass-through proxy translates requests and normalizes responses entirely in memory during the lifecycle of the HTTP request.
graph TD
subgraph Caching Aggregator
A1[Client Application] -->|API Request| B1(Vendor API)
B1 --> C1[(Vendor Database<br>Stores Customer Data)]
C1 --> D1[Background Sync Jobs]
D1 --> E1[Third-Party Financial API]
end
subgraph Pass-Through Proxy
A2[Client Application] -->|Unified API Request| B2(Proxy Layer)
B2 -->|In-Memory Translation| C2[Third-Party Financial API]
C2 -->|Native Response| B2
B2 -->|In-Memory Normalization| A2
endWhen your application requests a list of invoices via a pass-through unified API, the platform routes the request to the proxy layer. The engine loads a declarative mapping configuration for the specific provider. It translates the unified query parameters into the provider's native format, dispatches the request, receives the native JSON response, applies a transformation to map it back to the unified schema, and returns the response to your application.
This matters for three concrete reasons:
1. You eliminate the platform as a breach target. If the unified API vendor gets compromised, attackers find OAuth connection metadata - not your customers' Chart of Accounts, invoice line items, or employee salary data. The blast radius shrinks from "full financial data exfiltration" to "connection re-authentication."
2. Compliance scope contracts dramatically. A SOC 2 Type II audit for a platform that stores financial data at rest requires controls around data encryption at rest, key rotation, data retention policies, data deletion procedures, and geographic residency. A pass-through platform sidesteps most of these controls because the data never lands. This isn't theoretical - SOC 2 is not a legal requirement, unlike HIPAA or GDPR. But in practice, it may feel mandatory, especially when prospective clients won't sign until they see your SOC 2 report, and procurement teams demand it during security reviews.
3. GDPR and data sovereignty become tractable. If the platform doesn't hold customer data, you don't need to worry about the platform's data residency region violating your customer's data sovereignty requirements. The data transits through the platform and lands in your infrastructure, where you control the geography.
The honest trade-off: Pass-through architectures mean every read operation hits the upstream API in real-time. If QuickBooks goes down, your integration goes down. If Xero rate-limits you, you're rate-limited. There's no local cache to fall back on. For most financial integration use cases (invoice creation, payment recording, report generation), this is acceptable. For high-frequency analytics workloads, you'll want to build your own cache layer on top.
Truto uses a pass-through proxy architecture specifically for this reason - it normalizes data from accounting providers like QuickBooks, Xero, NetSuite, and Zoho Books without storing the underlying financial records. For a deeper technical dive, see Zero Data Retention for AI Agents.
The Security Benefits of Zero Integration-Specific Code
Beyond data retention, the codebase itself represents a security risk. Most integration platforms maintain separate code paths for each provider - custom scripts, dedicated handler functions, and hardcoded business logic. Adding a new integration means writing new code, which increases the surface area for vulnerabilities.
Modern platforms eliminate this risk by utilizing generic execution pipelines. Integration-specific behavior is defined entirely as data: JSON configuration blobs and declarative expressions (like JSONata) in model definitions. The runtime engine is a generic pipeline that reads this configuration and executes it without any awareness of which integration it is running.
Because the platform contains zero integration-specific code, the execution path is highly standardized, heavily audited, and far less prone to the edge-case bugs that plague custom integration scripts.
How to Handle Authentication and Rate Limits Securely
Authentication state is the only piece of provider data that a unified API must persist. This means securely storing encrypted access and refresh tokens.
OAuth Token Lifecycle Management
OAuth is the standard authentication mechanism for financial APIs. QuickBooks Online uses OAuth 2.0 with refresh tokens that expire after 100 days of inactivity. Xero uses OAuth 2.0 with 30-minute access tokens. NetSuite supports OAuth 1.0a with token-based authentication (and yes, it's as painful as it sounds).
A secure unified API platform must handle token storage, proactive refresh, and failure recovery without exposing credentials to your application. The key behaviors to look for:
- Encrypted credential storage: OAuth tokens at rest must be encrypted. This is table stakes but you'd be surprised how many platforms fail here during security audits.
- Proactive token refresh: The platform should refresh access tokens before they expire, not after your request fails with a 401. Truto refreshes OAuth tokens shortly before they expire, so API calls don't fail due to stale credentials.
- Concurrency controls: If multiple background workers attempt to refresh a token simultaneously, the platform must queue the secondary requests and wait for the primary refresh to complete, ensuring the token chain remains intact. Losing a refresh token in production requires the end-user to re-authenticate, which damages trust.
- Failure visibility: If a refresh token is revoked, your application needs to know immediately - not discover it when a customer reports broken data.
Rate Limit Handling: Why Transparency Beats Magic
This is where many unified API vendors make a critical design mistake: they silently absorb rate limit errors, internally queue and retry requests, and present the illusion that the upstream API has no limits. That feels great in a demo. It's a disaster in production.
Why? Because silent retry creates unpredictable latency spikes, masks capacity problems until they compound, and - worst of all - can cause duplicate writes if idempotency isn't handled perfectly. If your application creates an invoice, hits a rate limit, and the platform silently retries, you might end up with two invoices on the customer's books.
From a security perspective, if a unified API caches a request to retry it, it is storing sensitive financial data in an opaque queue outside of your control.
The architecturally sound approach is transparent rate limit propagation. When an upstream API returns HTTP 429, the platform passes that error directly to your application along with standardized rate limit headers so you can implement your own backoff logic.
Truto takes this approach: it normalizes upstream rate limit information into IETF-standard headers (ratelimit-limit, ratelimit-remaining, ratelimit-reset), regardless of how the upstream provider formats that information.
HTTP/1.1 429 Too Many Requests
ratelimit-limit: 100
ratelimit-remaining: 0
ratelimit-reset: 60
Content-Type: application/json
{
"error": "Rate limit exceeded. Please retry after 60 seconds."
}Your code handles the retry. You keep control.
// Example: Handling rate limits from a unified API with IETF headers
async function fetchInvoices(accountId: string): Promise<Invoice[]> {
const response = await fetch(
`https://api.example.com/unified/accounting/invoices?integrated_account_id=${accountId}`,
{ headers: { 'Authorization': `Bearer ${API_TOKEN}` } }
);
if (response.status === 429) {
const resetEpoch = response.headers.get('ratelimit-reset');
const remaining = response.headers.get('ratelimit-remaining');
const waitMs = resetEpoch
? (parseInt(resetEpoch) * 1000) - Date.now()
: 5000; // fallback
console.warn(
`Rate limited. Remaining: ${remaining}. Retrying in ${waitMs}ms.`
);
await sleep(waitMs);
return fetchInvoices(accountId); // retry with backoff
}
if (!response.ok) throw new Error(`API error: ${response.status}`);
return response.json();
}Webhook Signature Verification
Incoming third-party webhooks present another security challenge. A secure unified API receives webhooks from platforms like Salesforce or Xero, normalizes the event data, and delivers it to your endpoints.
To ensure integrity, the platform must sign outbound payloads using a standardized format. For example, Truto includes an X-Truto-Signature header containing an HMAC-SHA256 hash of the payload. Your application verifies this signature using your workspace secret, mathematically proving the event originated from the proxy layer and was not spoofed by a malicious actor.
Performance and Operational Tradeoffs
Every security choice in this space has a corresponding operational cost. Pretending otherwise is how you end up with a beautiful architecture diagram and a customer support ticket queue.
Latency
Pass-through proxy: Adds one network hop between your app and the upstream provider - typically 50-150 ms for cross-region traffic. That's the cost of not holding data. For write-heavy workloads (create invoice, post payment), this is negligible compared to upstream API latency itself. For high-volume read workloads (analytics, dashboards), it can add up.
Cache-and-serve: Sub-100 ms reads served from the aggregator's cache. Excellent for dashboards, painful for compliance. You are trading latency for a much larger DPIA and a shared breach fate with your vendor.
Practical guidance: For most B2B SaaS accounting/HRIS use cases, the pass-through latency penalty is invisible to users. If you're building a personal finance dashboard that renders 90 days of transaction history on every page load, cache-and-serve is the honest choice - but pair it with a stricter vendor security review.
Retry behaviour and idempotency
Silent retries hide problems. Transparent retries make you handle them. The right answer depends on whether writes are idempotent on the upstream side.
- QuickBooks Online invoice creation is not idempotent by default. A retry after a network timeout can produce a duplicate invoice.
- Xero supports an idempotency key header on most write endpoints, but it must be set explicitly.
- NetSuite varies by record type; SuiteQL calls are effectively read-safe, but record inserts through the REST API can duplicate.
If your unified API vendor retries silently and does not pass an idempotency key through to the upstream, you are one flaky network hop away from double-posting to a customer's ledger. Ask the vendor directly: "When you retry a POST request internally, what identifier prevents duplicate writes upstream?" A vague answer is a red flag.
Rate-limit ceilings
Upstream financial APIs have hard limits that no aggregator can raise:
- QuickBooks Online: 500 requests per minute per realm.
- Xero: 60 calls per minute, 5,000 calls per day per organisation.
- NetSuite: 5 concurrent requests per account (SuiteTalk); higher for REST if you have SuiteCloud Plus.
Any vendor claiming "unlimited API calls" is either buffering (which introduces latency and duplicate-write risk) or lying. A transparent vendor propagates the upstream limit to you and lets you decide how to schedule work.
Availability and dependency chains
A pass-through vendor's availability is bounded above by the upstream provider's availability. If QuickBooks Online is down, your integration is down - no cache can save you. A cache-and-serve vendor can absorb some upstream downtime for reads, but writes still fail. Design your product accordingly: queue writes on your side, expose "upstream unavailable" states clearly to end users, and don't promise real-time SLAs that depend on someone else's uptime.
Procurement Checklist and Sample DPA/RFP Questions
When you're running a vendor evaluation, marketing pages will tell you everything works perfectly. Security reviews tell the truth. Here's the vendor-neutral checklist we recommend for any PM or engineering lead evaluating unified APIs for financial data. Each item includes what an acceptable answer looks like.
Certification and Audit Posture
- SOC 2 Type II report covering at least 6 months of operating effectiveness. Acceptable answer: Vendor provides the report under NDA within 48 hours, dated within the last 12 months. Type II tests whether controls operate effectively over a period of several months. Most enterprise clients require Type II for stronger assurance. Truto has completed its SOC 2 Type II audit for two consecutive years.
- ISO/IEC 27001:2022 certificate with a valid, publicly verifiable certificate number and named accreditation body (BSI, TÜV, EY, etc.). Acceptable answer: Copy of certificate plus Statement of Applicability.
- Penetration test summary from a named third-party firm, dated within the last 12 months. Acceptable answer: Executive summary letter with methodology, scope, and remediation status. Refusal is a hard no.
- Bug bounty programme with public scope. Acceptable answer: URL to programme page and disclosure timeline.
DPA and Data Handling
- Signed DPA with Article 28 clauses available before contract signing. Acceptable answer: A pre-drafted DPA on the trust centre, not a "we'll get to it" from sales.
- Standard Contractual Clauses (SCCs) for EEA-to-third-country transfers. Acceptable answer: Module 2 (controller-to-processor) SCCs incorporated into the DPA by reference.
- Subprocessor list with geographies and a mechanism to notify you of changes. Acceptable answer: Public URL that lists each subprocessor, their processing purpose, and hosting region. A commitment to notify 30 days before adding new subprocessors is standard.
- Breach notification SLA. Acceptable answer: Written commitment to notify within 72 hours of confirmation, aligning to GDPR Article 33.
- Data deletion process on contract termination. Acceptable answer: Documented procedure with certifiable timeline (30-90 days).
Data Architecture
- Pass-through verification. Acceptable answer: Written statement in the DPA or MSA confirming that customer financial data is not persisted at rest, with an architecture diagram showing the request lifecycle. Ask specifically how they handle data during JSON normalization and transformation.
- Encryption in transit. TLS 1.2 minimum, TLS 1.3 preferred.
- Encryption at rest for the data they do store (OAuth tokens, configuration). Acceptable answer: AES-256 with named key management provider and documented key rotation schedule.
- Credential isolation. Acceptable answer: OAuth tokens for different customers stored under cryptographically isolated envelopes, not a shared namespace.
API Security Controls
- Rate limit transparency. Acceptable answer: Upstream rate limits surfaced via IETF-standard
ratelimit-*headers or equivalent, with documentation. - Idempotency support on writes. Acceptable answer: Vendor either passes your idempotency key through to the upstream API or documents exactly how it prevents duplicates on retry.
- Signed outbound webhooks. HMAC-SHA256 minimum. Acceptable answer: Documentation showing how to verify signatures on your end.
- Error fidelity. Acceptable answer: Upstream 4xx and 5xx errors propagated with the original body and headers preserved. Vendor-obscured error messages are a red flag.
Integration Architecture
- Standardised data models and write support. Can you create invoices, record payments, and post journal entries using a unified schema? Many unified APIs are read-only for accounting - which is useless for most real use cases. Truto supports full CRUD operations across providers like QuickBooks, Xero, and NetSuite, which is why it's considered the best unified accounting API for B2B SaaS and AI agents.
- Enterprise edge-case support. Ask how the platform handles complex enterprise requirements. For example, NetSuite integrations often require falling back to SuiteQL for custom schema detection, or handling multi-currency environments. If the unified API cannot handle these without custom code, it is not enterprise-ready.
- Proxy API fallback. When the unified model doesn't cover a specific endpoint, can you drop down to the raw provider API through the same authenticated connection? For more on this pattern, see our Proxy API Architecture Guide.
Sample RFP questions to paste directly into your questionnaire
- "Please describe your data retention model for customer financial data. Do you persist any of it at rest? If yes, list every category, retention period, and geographic location."
- "Please provide your most recent SOC 2 Type II report and ISO/IEC 27001:2022 certificate."
- "Please provide your current subprocessor list, including processing purpose and hosting region for each."
- "Under our DPA, will you sign SCCs incorporating Module 2 clauses for any EEA-to-US transfers?"
- "How do you handle upstream HTTP 429 responses? Do you retry internally, or propagate the error?"
- "When retrying a POST request internally (if you do), what mechanism prevents duplicate writes on the upstream system?"
- "How is your service architected to comply with DORA's ICT third-party provider requirements for our EU financial entity customers?"
- "On contract termination, what is the timeline and evidence you provide for deletion of all customer-related data, including logs?"
Architectural red flag: If a vendor claims they can instantly return historical accounting data the moment a user connects their account, they are running background sync jobs and storing that data on their servers. You cannot have instant historical reads without persistent data retention.
Why this checklist matters financially: The global API security market size was over $10.8 billion in 2025 and is estimated to reach $46.1 billion by the end of 2035, according to Research Nester. Enterprise buyers are spending real money on API security. If your integration vendor can't pass their security review, you're the one who loses the deal.
Building a Zero-Trust Integration Strategy
Security vendors like AppSentinels and Traceable AI consistently highlight the failure of traditional Web Application Firewalls (WAFs) against API-specific attacks. WAFs look for known attack signatures; they cannot understand the complex business logic or authorization flaws inherent in fragmented SaaS integrations.
The concept of Zero Trust - "never trust, always verify" - applies directly to how you architect third-party financial integrations. Here's what that looks like in practice:
Minimize credential scope. When connecting to an accounting provider, request only the OAuth scopes you actually need. Don't ask for full admin access to create invoices when you only need read access to the Chart of Accounts. A well-designed unified API platform lets you configure scopes per integration.
Treat the unified API as an untrusted boundary. Even if you trust the platform, architect your application as if you don't. Validate response schemas on your side. Implement idempotency keys on all write operations. Log every API interaction with enough context to reconstruct what happened during an incident.
Centralize your integration surface. One of the underappreciated security benefits of a unified API is that it collapses dozens of point-to-point integrations into a single, auditable surface. Instead of managing OAuth credentials, webhook endpoints, and error handling for QuickBooks AND Xero AND NetSuite AND Sage individually - each with different security characteristics - you manage one connection to the proxy layer.
FinServ organizations have continued to grow their cloud environments, with the average number of SaaS applications in use rising from 84 last year to 107 this year - a 27% increase. And, as cloud adoption grows, so does the sensitivity of data stored on these platforms: the average proportion of cloud data classified as "sensitive" rose from 44% in 2024 to 59% in 2025. With that kind of growth, point-to-point integrations don't scale from a security governance perspective.
Just over two in five FinServ organizations (41%) use more than 500 APIs, while 22% use more than 1,000. Each one of those APIs is a potential attack vector. Consolidating financial data access through a single, well-audited unified layer isn't just an engineering convenience - it's a security architecture decision.
graph LR
A[Your Application] -->|Single API key<br>TLS 1.2+| B[Unified API Layer]
B -->|OAuth 2.0| C[QuickBooks]
B -->|OAuth 2.0| D[Xero]
B -->|OAuth 1.0a / TBA| E[NetSuite]
B -->|OAuth 2.0| F[Sage]
B -->|OAuth 2.0| G[Zoho Books]
subgraph SecurityPerimeter ["Security Perimeter"]
B
endOne integration surface. One security review. One set of credentials to manage.
The alternative - maintaining separate integrations for each provider - means separate OAuth apps, separate credential stores, separate webhook verification logic, and separate audit trails. Broken authentication was the culprit in 52% of API breach incidents, according to Wallarm's 2026 API ThreatStats Report. Every separate authentication flow you maintain is another place where broken auth can bite you.
What This Means for Your Next Integration Decision
The API security landscape is only getting more hostile. API vulnerability exploitation grew 181% in 2025. In banking and financial services, vulnerability attacks increased 149% year over year. The decision framework to avoid accumulating security debt is straightforward:
-
If you're handling financial data, default to pass-through architectures. The compliance simplification alone is worth it. The data never lands in a third-party database, which means your customers' financial records can't be exfiltrated from a platform you don't control.
-
Demand transparent error handling. Any vendor that silently retries your write operations to an accounting system is making a bet with your customer's ledger accuracy. You should be the one making that bet, with full visibility into what's happening.
-
Verify certifications, not marketing claims. Ask for the SOC 2 Type II report, not the blog post about it. Ask for the pen test summary, not the security page. Ask for the sub-processor list, not the trust center badge.
-
Consolidate your attack surface. If you're integrating with five accounting providers today and your PM is already asking about the sixth, a unified API isn't just an efficiency play - it's a security reduction strategy. One integration to audit beats six.
Building financial integrations does not have to mean compromising your security posture. By insisting on zero data retention, transparent rate limit delegation, and generic execution pipelines, B2B SaaS teams can ship integrations fast while keeping their customers' financial data entirely under their own control.
Appendix: Sources and How to Verify Vendor Claims
Vendor marketing is not evidence. For every claim in the comparison table above, verify against a primary source before signing. The list below is where to look.
Primary trust artifacts (verify these directly)
- Truto: Trust centre with SOC 2 Type II report request flow, DPA, and subprocessor list.
- Plaid: security.plaid.com - lists SOC 2 Type 2, ISO 27001, ISO 27701, TruSight. Request reports through the trust centre.
- Tink: Public documentation at tink.com and legal FAQ at tink.com/legal/faq. Regulatory status verifiable via the Swedish Financial Supervisory Authority (Finansinspektionen) register.
- TrueLayer: trust.truelayer.com - lists ISO 27001:2022, SOC 2 Type 2, Cyber Essentials Plus, and provides pentest reports on request.
- Salt Edge: saltedge.com/company/security - lists ISO 27001, PCI DSS, and PSD2 AISP registration. UK FCA register confirms authorised status.
How to verify each claim category
- SOC 2 Type II: Request the actual report under NDA. Look for the audit period (should be 6-12 months), the auditing firm, and any qualified opinions in the Independent Service Auditor's Report section.
- ISO 27001: Ask for the certificate PDF. Verify the certificate number against the accreditation body's public registry (BSI, TÜV, Schellman, etc.). Ask for the Statement of Applicability - if the vendor hesitates, the certification may be shallower than advertised.
- PSD2 AISP/PISP status: Every EU regulator maintains a public register. For example, the UK FCA register at register.fca.org.uk shows firms authorised as AISPs and PISPs. Look up the exact legal entity name from the vendor's DPA.
- GDPR posture: GDPR is not certifiable, so accept no vendor claim of "GDPR certified." Instead, review the DPA for Article 28 clauses, SCCs, and Article 32 security measures. Look at the vendor's own privacy notice - if it's boilerplate, so is their programme.
- DORA readiness: For EU financial entity customers, ask for the vendor's DORA gap assessment and any contractual clauses aligning to the ICT third-party provider requirements.
Independent references cited in this guide
- Ponemon Institute / Traceable AI, 2025 Global State of API Security.
- Thales, API Threat Report H1 2025.
- Identity Theft Resource Center, 2025 Annual Data Breach Report.
- Verizon, 2025 Data Breach Investigations Report.
- Wallarm, 2026 API ThreatStats Report.
- Financial Data Exchange (FDX), 2026 ecosystem metrics.
- Research Nester, API Security Market Size 2025-2035.
If a vendor's own trust centre contradicts anything in the comparison table above, defer to the trust centre - and let us know so we can update the guide.
FAQ
- What's the most secure unified API platform for GDPR-compliant financial data?
- There is no single answer - it depends on the use case. For SaaS-to-SaaS accounting, HRIS, ERP, or CRM integrations, a pass-through proxy like Truto minimises GDPR scope because customer financial data is not persisted at rest. For European open banking under PSD2, Tink and TrueLayer are strong choices because they hold their own AISP/PISP licences, which shifts regulatory weight off your organisation. For US-first open banking, Plaid remains the coverage leader. All of these providers publish SOC 2 and/or ISO 27001 evidence in their trust centres.
- How do Plaid, Tink, TrueLayer, and Salt Edge compare on SOC 2 and ISO 27001?
- Plaid publishes SOC 2 (SSAE18), ISO 27001, and ISO 27701. Tink is SOC 2 Type II certified and ISO 27001 certified, plus an authorised AISP/PISP across the EEA and UK. TrueLayer is ISO 27001:2022 certified (since 2017) with annual SOC 2 Type 2 audits. Salt Edge is ISO 27001 certified and PCI DSS compliant, and is a UK FCA-registered AISP under PSD2; it does not publicly attest to SOC 2 Type II. Always verify current status against the vendor's own trust centre before signing.
- Does GDPR require a specific certification for financial API vendors?
- No. GDPR has no certification process. Compliance is self-regulated: you and your processor must document and implement Article 28 (processor obligations), Article 32 (security of processing), Article 33 (breach notification), and Chapter V (international transfers) controls. Practically, ask for a signed DPA with SCCs, a published subprocessor list with geographies, and a 72-hour breach notification commitment. ISO 27001 and SOC 2 Type II are useful supporting evidence but not GDPR itself.
- What is DORA and does it apply to unified API vendors?
- The Digital Operational Resilience Act (DORA) applies to EU financial entities from January 2025 and, by extension, to their critical ICT third-party providers - which can include your unified API vendor. Look for DORA-aligned contractual clauses covering exit strategies, audit rights, incident reporting SLAs, and subcontractor oversight. If you serve EU banks, insurers, or investment firms, ask each shortlisted vendor for their DORA gap assessment.
- Is a pass-through unified API always better than cache-and-serve for financial data?
- Not always. Pass-through architectures dramatically reduce GDPR and breach scope because the vendor never stores your customers' financial records at rest. The tradeoff is that every read hits the upstream API, so latency is bounded by the provider and there is no local cache during outages. For write-heavy accounting or ERP integrations, pass-through is almost always the right choice. For read-heavy analytics dashboards that render 90 days of transaction history on every page load, cache-and-serve may be justified - paired with a stricter vendor DPIA.