Ginkgo Platform · Data Security

Privacy Protection by Architecture

Physical isolation, KMS encryption, identity-holdings decoupling, PDPA compliance — security is not a patch, it is the foundational design of the Ginkgo Platform.

Three-Perspective Security Framework

Family office data faces three threat categories: regulatory authority pressure, internal accidental operations, and external malicious attacks. The Ginkgo Platform addresses each at the architecture level.

Regulatory Authority

Legal Jurisdiction Isolation

Singapore-incorporated entity, governed solely by Singapore law, unaffected by compulsory disclosure requirements from other jurisdictions.

  • Incorporated in Singapore; legal entity domiciled in Singapore
  • Singapore PDPA compliance; data processing has legal basis
  • Data does not transfer across jurisdictions (TODO: confirm specific data residency policy with business team)
Accidental Access

Minimized Human Contact

Encryption keys are managed by AWS KMS; development and operations personnel do not access plaintext data or keys during routine operations.

  • AWS KMS key management; operations staff do not hold keys
  • RBAC permission model; principle of least privilege
  • MFA multi-factor authentication (TOTP/SMS/Email); prevents accidental account misuse
  • Audit logs; all critical operations are traceable
Malicious Attack

Defense in Depth

Multi-layer defense: even if one layer is breached, attackers still cannot obtain a complete picture of family holdings.

  • Identity-holdings decoupling: account identity and actual holdings stored separately
  • PDF redaction on export: sensitive fields automatically redacted in exported reports
  • AWS financial-grade infrastructure; TLS encryption throughout transmission
  • Regular third-party security audits (TODO: confirm audit firm name with business team)

Five Security Categories

Access control / Storage security / Transaction data / Holdings data / Weak linkage — five dimensions covering all aspects of family office data security.

🔑

Access Control

Who can see what, down to the field level.

  • ·RBAC role-permission model; minimum necessary permissions per job function
  • ·MFA multi-factor authentication enforced (TOTP/SMS/Email)
  • ·Session timeout and automatic logout
  • ·TODO: IP allowlist / device management policy to be confirmed with business team
🛡️

Storage Security

Data is always stored in encrypted form on disk.

  • ·AWS KMS manages encryption keys; keys are not exposed at the application layer
  • ·Storage encryption (AES-256)
  • ·AWS multi-region backup; prevents single-point data loss
  • ·Database access isolation; different clients do not share storage instances (TODO: technical details to be confirmed with business team)
📋

Transaction Data Protection

Transaction records are among the most sensitive family financial information and receive dedicated protection.

  • ·Transaction data transmission encrypted end-to-end via TLS
  • ·Transaction record access strictly limited by role
  • ·TODO: transaction data retention period / deletion policy to be confirmed with business team
📊

Holdings Data Protection

Holdings are the most confidential core family assets. Identity-holdings decoupling ensures that even if credentials leak, a complete holdings picture cannot be assembled.

  • ·Identity-holdings decoupling architecture: account ID and holdings data stored separately
  • ·Holdings snapshots physically isolated per client
  • ·PDF report export automatically redacts sensitive figures (TODO: redaction rule details to be confirmed with business team)

Security FAQ

Where is data stored? Does it cross borders?

Ginkgo Platform data is hosted on AWS Singapore region. TODO: specific cross-border data transfer policy to be confirmed with business team.

Can Ginkgo staff see my holdings data?

Ginkgo uses an identity-holdings decoupling architecture; routine operations do not involve client holdings in plaintext. AWS KMS keys are managed by AWS; operations staff do not hold them. Regular third-party security audits are conducted. TODO: specific internal access control details to be confirmed with business team.

What happens if a data breach occurs?

TODO: data breach response process and notification policy to be confirmed with business team.

What does Singapore PDPA protection mean for me?

Singapore's Personal Data Protection Act (PDPA) requires data processors to have a clear legal basis for handling data. As the data subject, you have the right to access, correct, and delete your personal data, and to know how it is being used. Ginkgo, as a Singapore-registered company, is bound by PDPA.

Has Ginkgo obtained third-party security certification?

TODO: third-party security audit firm and certification status to be confirmed with business team.

Security Is a Prerequisite for Choosing Ginkgo Platform

30 minutes to understand the complete security architecture of the Ginkgo Platform