Zafin Insights

Securing SaaS in financial services: Zafin’s response to JPMorgan’s open letter 

April 30, 2025

Banks face rising pressure to modernize, but not at the expense of security. JPMorgan’s recent open letter to third-party SaaS providers was a clear reminder that financial institutions expect more than baseline compliance. They expect their partners to share responsibility for resilience, control, and operational continuity.  

At Zafin, we’ve engineered our SaaS platform from the ground up to meet these demands through compliance, secure-by-design architecture, customer-dedicated tenancy, and bank-controlled encryption. JPMorgan’s letter reinforces a truth we’ve long embraced: security and resilience must be built in from day one, not treated as an afterthought. That’s why our platform was purpose-built for this moment: modular, AI-powered, and architected for trust. These are not features we added later; they are foundational principles that drive how we design, deploy, and operate. They enable a level of access control, traceability, and policy enforcement that in many cases matches the assurance of traditional on-premises infrastructure while remaining considerably more agile.  

Below, we break down how Zafin addresses the security, control, and resilience expectations surfaced in JPMorgan’s letter, and why our approach is designed to support both innovation and compliance at once. 

1. Data control and sovereignty 

JPMorgan emphasized the need for banks to retain control of their data. At Zafin, data sovereignty is a design principle. Banks retain ownership of their encryption keys and decide how their data is secured. Our customer-managed encryption framework gives banks end-to-end visibility into how their keys are used, while built-in data residency controls help meet the jurisdictional requirements of each market. 

  • Data residency and localization options are built into our platform to help meet jurisdictional mandates. 
  • All customer data is encrypted with keys the bank manages, not keys the vendor holds, so the ability to encrypt and decrypt stays in the bank’s control. 
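To make the key-ownership point concrete, here is an added illustration of envelope encryption under a bank-controlled key-encryption key (KEK). This is example code written for this page, not Zafin’s implementation: `BankKMS` stands in for the bank’s real KMS or HSM, the HMAC-SHA256 keystream stands in for AES-GCM, and the record contents are constructed sample data. The SaaS side stores only ciphertext and wrapped data keys, so once the bank disables its KEK the platform can no longer read what it holds.

```python
"""Envelope encryption with a bank-controlled key-encryption key (KEK).

Illustrative example, not Zafin's implementation. The HMAC-SHA256 keystream
stands in for AES-GCM; BankKMS stands in for the bank's real KMS/HSM.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class KeyRevoked(Exception):
    """Raised when the bank has disabled its KEK and an unwrap is attempted."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR-style keystream: block i = HMAC(key, nonce || i). Stand-in for AES.
    out = bytearray()
    for i, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Encrypt-then-MAC so tampered ciphertext is rejected before decryption.
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()


def encrypt(key: bytes, plaintext: bytes) -> tuple:
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce, ct, _tag(key, nonce, ct)


def decrypt(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    if not hmac.compare_digest(_tag(key, nonce, ct), tag):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)


@dataclass
class BankKMS:
    """The bank's key service. The KEK never leaves it; callers get wrap/unwrap only."""
    kek: bytes = field(default_factory=lambda: os.urandom(32))
    enabled: bool = True
    audit: list = field(default_factory=list)

    def _check(self, caller: str, op: str) -> None:
        # Every key operation is logged, whether or not it is allowed.
        self.audit.append((caller, op, "allowed" if self.enabled else "denied"))
        if not self.enabled:
            raise KeyRevoked(f"{op} denied for {caller}: KEK disabled by bank")

    def wrap(self, dek: bytes, caller: str) -> tuple:
        self._check(caller, "wrap")
        return encrypt(self.kek, dek)

    def unwrap(self, wrapped: tuple, caller: str) -> bytes:
        self._check(caller, "unwrap")
        return decrypt(self.kek, *wrapped)

    def revoke(self) -> None:
        self.enabled = False


class SaaSPlatform:
    """Vendor side: persists ciphertext plus wrapped DEKs, never a clear DEK."""

    def __init__(self, kms: BankKMS, tenant: str) -> None:
        self.kms, self.tenant, self.store = kms, tenant, {}

    def write(self, record_id: str, plaintext: bytes) -> None:
        dek = os.urandom(32)  # fresh per-record data key, held only in memory
        self.store[record_id] = (self.kms.wrap(dek, self.tenant), encrypt(dek, plaintext))

    def read(self, record_id: str) -> bytes:
        wrapped, (nonce, ct, tag) = self.store[record_id]
        dek = self.kms.unwrap(wrapped, self.tenant)  # raises KeyRevoked after revocation
        return decrypt(dek, nonce, ct, tag)


def demo() -> tuple:
    """Write a record, read it back, revoke the KEK, and try again."""
    kms = BankKMS()
    saas = SaaSPlatform(kms, tenant="bank-a")
    sample = b"constructed sample: fee schedule v7"  # constructed, not real data
    saas.write("fee-7", sample)
    before = saas.read("fee-7")
    kms.revoke()
    try:
        saas.read("fee-7")
        after = "readable"
    except KeyRevoked:
        after = "revoked"
    return before, after, [op for _, op, _ in kms.audit]
```

Two things are worth checking in any vendor’s claim of bank-managed keys: whether the platform ever persists an unwrapped data key (here it does not, which the contents of `store` show), and what the vendor can still do after revocation. Control of the KEK gives the bank revocation and a complete unwrap audit trail; it does not stop the platform from seeing plaintext while a request is being served, because processing the data requires it.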

2. Tenant isolation and logical segregation 

In its open letter, JPMorgan flagged tenant co-mingling as a key risk, reinforcing the need for secure client segregation across systems. 

Zafin enforces strict tenant isolation so that each client operates within its own logically separated environment. Security by design means clients never share a blast radius: every client environment is logically and operationally isolated, with tenant boundaries enforced from access management through to data storage. Sensitive workloads remain fully segmented, and we support customer-dedicated deployments where stronger separation is required. 

  • There’s no co-mingling of customer data or execution paths. 
  • This architectural separation supports stronger access governance and limits systemic risk. 

3. Zero-Trust architecture and least privilege access 

JPMorgan called out the need for stronger identity and access controls. We agree, and we’ve implemented zero trust from the ground up, meaning no user, service, or network location is trusted implicitly and every request is authenticated and authorized before it is served. The same architecture is built for fault tolerance, high availability, and rapid recovery. Business continuity and disaster recovery (BC/DR) plans are maintained and tested regularly, with risk modeling and operational dependencies reviewed on a set cadence. 

  • Least-privilege principles govern all internal and external access. 
  • Multi-factor authentication (MFA), role-based access control (RBAC), and granular policy enforcement are standard. 
  • Every access request is logged, monitored, and independently auditable. 
  • Risk assessments are conducted regularly, incorporating threat modeling, system health reviews, and operational dependencies. 
  • Recovery time objectives (RTO) and recovery point objectives (RPO) are periodically reviewed to ensure alignment with business continuity commitments. 

4. Operational resilience and redundancy 

JPMorgan highlighted the growing risk of outages and the need for SaaS providers to deliver robust business continuity and disaster recovery capabilities. 

At Zafin, we know that downtime isn’t an option in financial services. Here’s how we address it: 

  • Our cloud-native infrastructure supports high availability across geographies and ensures rapid recovery through automated failover and replication. 
  • Real-time monitoring and proactive alerting underpin our business continuity planning (BCP), enabling swift response to incidents and reducing recovery times. 
  • We operate under a shared responsibility model, but we assume direct accountability for platform uptime, incident response, and disaster recovery, a level of ownership aligned with JPMorgan’s expectations. 

5. Auditability and visibility 

JPMorgan emphasized the need for institutions to have visibility into how their data is used and accessed. With Zafin, clients gain real-time insight into who accessed what, when, and why, through detailed audit trails, role-based access controls, and reporting tools that support joint governance and audit readiness. 

Here’s how: 

  • Clients have transparency into data access through detailed logging, complete audit trails across all modules and actions, and reporting tools. 
  • We enable oversight through role-based access controls, segregation of duties, and shared responsibility modeling. 
  • Monitoring tools offer visibility into system activity and user behavior. 
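Sections 2, 3 and 5 describe tenant boundaries, least-privilege roles, MFA, and an auditable record of every access decision. The following is an added example, illustrative code written for this page rather than Zafin’s authorization service, showing how those controls compose in a single policy check: the tenant boundary is tested before any role is consulted, so a `tenant_admin` in one bank has no rights in another; privileged actions require step-up MFA; and every decision, allowed or denied, lands in the audit log with its reason. The role names, action names, resource and principals are assumed for illustration.

```python
"""Tenant-scoped, least-privilege authorization with an audit trail.

Illustrative example written for this page; role and action names are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> allowed actions. Roles are scoped to a tenant; there is no global admin.
ROLE_PERMISSIONS = {
    "viewer": {"product.read"},
    "product_manager": {"product.read", "product.write"},
    "tenant_admin": {"product.read", "product.write", "user.manage", "export.run"},
}
# Actions that require a fresh MFA assertion regardless of role.
STEP_UP_ACTIONS = {"user.manage", "export.run"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    role: str
    mfa_verified: bool


@dataclass(frozen=True)
class Resource:
    resource_id: str
    tenant_id: str


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, principal, action, resource, allowed, reason):
        # Denials are logged too: attempted cross-tenant reads are the interesting events.
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": principal.user_id,
            "tenant": principal.tenant_id,
            "action": action,
            "resource": f"{resource.tenant_id}/{resource.resource_id}",
            "allowed": allowed,
            "reason": reason,
        })


def authorize(principal: Principal, action: str, resource: Resource, log: AuditLog) -> bool:
    # 1. Tenant boundary first: a role in tenant A grants nothing in tenant B.
    if principal.tenant_id != resource.tenant_id:
        log.record(principal, action, resource, False, "cross-tenant")
        return False
    # 2. Least privilege: deny unless the role explicitly grants the action.
    if action not in ROLE_PERMISSIONS.get(principal.role, set()):
        log.record(principal, action, resource, False, "role lacks permission")
        return False
    # 3. Step-up MFA for privileged actions, even for tenant admins.
    if action in STEP_UP_ACTIONS and not principal.mfa_verified:
        log.record(principal, action, resource, False, "mfa required")
        return False
    log.record(principal, action, resource, True, "granted")
    return True


def demo() -> tuple:
    """Run four constructed requests against one tenant's resource."""
    log = AuditLog()
    pricing = Resource("fee-schedule-7", tenant_id="bank-a")  # constructed sample
    alice = Principal("alice", "bank-a", "product_manager", mfa_verified=True)
    bob_admin_b = Principal("bob", "bank-b", "tenant_admin", mfa_verified=True)
    carol_admin_a = Principal("carol", "bank-a", "tenant_admin", mfa_verified=False)
    results = {
        "alice_write": authorize(alice, "product.write", pricing, log),
        "alice_export": authorize(alice, "export.run", pricing, log),
        "bob_cross_tenant": authorize(bob_admin_b, "product.read", pricing, log),
        "carol_export_no_mfa": authorize(carol_admin_a, "export.run", pricing, log),
    }
    return results, log
```

Order matters here: testing the tenant boundary before the role lookup means a bug in role resolution can never widen access across clients, and logging denials as well as grants is what lets a bank’s auditor see attempted cross-tenant reads rather than only successful ones.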

6. Third-party risk management 

Mitigating downstream risk is a core pillar of our security model, a point explicitly reinforced in JPMorgan’s open letter, which called for tighter controls across the third-party ecosystem. 

We apply the same rigorous standards to our vendors that we apply internally. This includes SOC 2 Type 2-aligned security assessments, contractual access governance, and continuous oversight embedded in our compliance posture. 

  • We maintain a formal Third-Party Security Management Policy that governs vendor selection, onboarding, and continuous monitoring in line with our internal controls. 
  • Our partners are required to demonstrate mature security practices, evidenced by a SOC 2 report or ISO 27001 certification. 
  • All vendors must meet our contractual standards around confidentiality, access restriction, and data protection. 
  • Third-party oversight is embedded within our SOC 2 Type 2 framework to ensure alignment with our overall compliance posture. 

7. AI usage with guardrails 

As banks adopt AI-driven workflows, JPMorgan rightly flagged the need for transparency and control. 

  • Zafin Copilot and other AI capabilities are governed by human-in-the-loop design. 
  • Customers retain control over data usage and model access. 
  • No customer data is ever used to train shared models unless explicitly agreed. 

Our commitment 

We know banks can’t compromise on security to gain speed. That’s why Zafin’s modular platform is designed to accelerate product innovation while meeting the highest standards of data control, resilience, and compliance. 

As banks modernize, we’re right there with them, not just as a SaaS vendor but as a strategic platform partner built for trust. We also know trust doesn’t end with security. Banks need resilience, transparency, and confidence that their data won’t be exposed, compromised, or locked into black-box ecosystems. 

Our clients, including some of the world’s most established financial institutions, operate in one of the most highly regulated and risk-conscious industries. They choose Zafin because we meet those expectations in practice, every day, at the platform level. 

We welcome JPMorgan’s challenge to the SaaS ecosystem because it reinforces the direction we’ve always taken. Bank-grade security and platform-level transparency aren’t negotiable. They’re essential to protect trust today and to scale it for what comes next.
