tomato pay only shares your data with your consent.

We never share your personal data without your explicit permission.

> Read our privacy policy

Types of data you can share with tomato pay and our partners

With your permission, tomato pay’s apps or our partners’ apps will use your financial data to provide services to you.

Depending on the service provided in the app, the types of data you can share may include your account number, account name, account balance, account currency, beneficiaries' account names, standing order details, direct debit details, credit and debit card transaction details and account fees.

How tomato pay handles your data

Below you can see what happens when you securely connect your financial accounts using our Account Information Service (AIS) or Payment Initiation Services (PIS) to an app.

Account Information Services

> Read our AIS terms of use

Payment Initiation Services

Initiate a payment from your financial account by selecting your financial institution, providing the username, password and two-factor authentication associated with the account, and confirming the payment.

Once the payment initiation has been confirmed, your financial institution will execute the payment according to the instruction.

tomato pay then confirms that the payment has been made. We will not hold your funds at any time when providing the payment initiation services.

For regulatory purposes we will make a record showing all of the payments made by you using the payment initiation services. Please note, this record will not include any sensitive payment data.

> Read our PIS terms of use

Designed with security in mind

Personal data is a powerful thing. No one should access it without your permission. We have ensured that we design our security practices to meet or exceed industry standards.

Data encryption

The combination of the Advanced Encryption Standard (AES-256) and Transport Layer Security (TLS) helps keep your personal information safe.

Cloud infrastructure

tomato pay uses secure cloud infrastructure technologies to help you connect your accounts quickly and securely.

Strong authentication

tomato pay requires multi-factor authentication for added security to help protect your data in our systems.

Robust monitoring

The tomato pay API and all its related components are continuously monitored by our information security team.


Data protection

At tomato pay, we make every effort to ensure that all information you provide is maintained in a secure environment. We have robust processes in place across our systems and people to ensure the correct behaviours and approaches are in place so your data remains safe and secure.

ISO27001 Certification

tomato pay is ISO27001 certified and fully compliant with the internationally recognised standard for the information security management system (ISMS). The standard requires systematic examination of any risks to information security, with comprehensive policies to manage those risks put in place. By continuously updating our data security policies we ensure that we are a proactive organisation, not a reactive one.

Accredited certification to ISO27001 validates that we are following international information security best practices. This demonstrates to our customers worldwide that we take the security of their data very seriously. Certification to ISO27001 ensures that all our clients' information is kept secure and shows our ongoing commitment to delivering an exceptional service.

Cyber Security

Cyber security is critical for the safeguarding of your data. At tomato pay we recognise the importance of protecting systems, networks and data in cyber space and are proud to be Cyber Essentials certified.

The Cyber Essentials Scheme

Developed by the UK Government, the Cyber Essentials scheme has been designed to prevent the most prevalent forms of cyber attacks. The scheme provides a higher level of assurance, tested by a qualified and independent assessor who simulates basic hacking and phishing attacks, and is now a minimum requirement for bidding for some government contracts. The 5 key controls required help to protect against internet-based attacks:

  • Secure configuration
  • Boundary firewalls and Internet gateways
  • Access controls and administrative privilege management
  • Patch management
  • Malware protection