Savemates.com business plan
CONFIDENTIAL - SAVEMATES.COM BUSINESS PLAN, VERSION 1.0
SAVEMATES
Build savings, make money. With help from your mates.
1
CONTENTS
• Overview
• Market definition
• Background to savings clubs
• Demo
• Our product - Savemates clubs
• The business vision - Positive personal finance
• Marketing plan
• Competitors
• Team
• Financial projections
2
Appendix:
• Company Structure
• Governance - important processes
• User Experience Flow
• User Experience - Handling Defaults
• Anti-Money Laundering and Fraud Prevention Strategies
• Security and Technology Platform Overview
• Technical Architecture Overview
• Pay-in Process / Payment Flow
• Pay-out Process / Payment Flow
OVERVIEW
WHAT IS SAVEMATES?
• Savemates is a peer to peer savings and loan service.
We enable groups of trusted friends to create and
manage ongoing monthly savings clubs that ensure
saving through shared social commitment.
• We think of it as ‘weightwatchers for savings’
• We aim to build Savemates into a large, defendable
consumer finance brand - the consumer champion at
the heart of the P2P finance revolution.
3
HOW DOES IT WORK?
• Users pay in a pre-agreed monthly amount to
their Savemates club. Once everyone has paid
in at the start of the month, one member of the
club gets the total balance paid out to them. This
is repeated until everyone has had a payout.
• Payouts can be transferred to your bank
account, or used to take advantage of one of our
P2P Savings deals, typically earning 5%
interest.
CONSUMER FINANCE LANDSCAPE
The consumer finance market in the UK is
completely broken. The relationship between
the big banks and their customers is
characterized by mistrust and hatred.
Customers are routinely mis-sold overly
complex products that get them into further
financial trouble - while bosses and bankers
get ever bigger bonuses and public bailouts.
4
£8.9BN - TOTAL PPI MIS-SELLING COMPENSATION PAYOUTS TO JANUARY 2013 (FURTHER £4BN EARMARKED SO FAR)
Source - FSA
89% OF CUSTOMERS DON’T TRUST BANKERS TO ACT IN THEIR INTEREST
Source - Which? consumer survey 2012
£2.8BN - TOTAL FINES PAID BY HSBC IN 2012 FOR MIS-SELLING, MONEY LAUNDERING AND TERRORIST FINANCING
Source - BBC
HSBC - MOST VALUABLE BANKING BRAND
Source - WPP Brandz survey 2012
CONSUMER FINANCE LANDSCAPE
To combat fear and uncertainty, saving is on the rise . . . and P2P lending firms are growing off the back of it
5
8.09% - AVERAGE MONTHLY INCOME SAVED Q4 2012 (HIGHEST ON RECORD)
Source - NS&I 2013 survey
£80Bn - TOTAL HOUSEHOLD SAVINGS 2012
Source - NS&I 2013 survey
5% - 2012 GROWTH IN UK DEPOSITS
Source - Mintel
[Chart: TOTAL P2P LOANS FROM U.S STARTUPS ‘LENDING CLUB’ AND ‘PROSPER’, 2006-2012]
Source - Techcrunch
£12.3Bn - PREDICTED SIZE OF BUSINESS P2P LENDING MARKET
Source - NESTA report, 2013
£111 - AVERAGE MONTHLY SAVINGS AMOUNT
Source - NS&I 2013 survey
5% - TYPICAL RETURN FOR ZOPA LENDERS
Source - Zopa
BACKGROUND TO SAVINGS CLUBS
• Savemates is based on an existing concept called a Rotating Savings
and Credit Association (ROSCA).
• ROSCAs are used all over the world, generally by poorer communities
to build savings and financial independence. They have a huge variety
of names - see box.
• Indeed, ROSCAs are generally the first step that money based societies
take towards banking. After ROSCAs come Credit Unions
(essentially ROSCAs with asymmetric payouts and interest on loans).
6
LOCAL NAMES FOR ROSCAS
“Tontine, Tibissiligbi, Pari, Song-taaba, Chilemba, Stockfair, Kutu, Kootu, Kongsi, Tontine, Hui, Main, Kut Kutunderrera, Throw a box, Boxi money, Syndicate, Tanda, Chit Funds, Cheetu, Khatta, Sanduk, Sandook Box, Savemates”
SAVEMATES
7
ELEVATOR PITCH:
“Weightwatchers for saving”
Build savings, make money.
With help from your mates.
DEMO
8
PLEASE VISIT: www.savemates.com
WHY USE SAVEMATES TO SAVE?
SAVING IS HARD.
SAVEMATES IS EASY.
The temptation is always to skip a
payment or use debt to bridge
income gaps.
Savemates helps overcome this
through a shared commitment,
and everything is automagic.
9
SAVING IS BORING.
SAVEMATES IS FUN.
Compared to spending, saving is
dull as ditchwater.
Savemates helps overcome this by
providing fun and engaging social
savings models including vote,
shuffle and bid.
SAVING IS POOR VALUE.
SAVEMATES MAKES YOU MONEY.
Current UK short term savings
accounts will earn you around 1%
interest - and that’s if you managed to
actually save something.
Our Savemates P2P savings deals can
earn you 5%+ on your pay-out.
THE SAVEMATES PRODUCTS
10
‘TURN’.
GREAT FOR FAMILIES
The simplest Savemates
group. Payouts are
ordered by the group
creator.
Fee: 1% on payouts
‘VOTE’.
GREAT FOR COMMUNITY GROUPS
A fun voting mechanic lets
members pitch each other
why they should get the
payout this month
Fee: 1% on payouts
‘SHUFFLE’.
GREAT FOR WORK COLLEAGUES
Payout order is random,
creating a fun shared event
on pay day - but eventually
everyone wins.
Fee: 1% on payouts
‘BID’.
GREAT FOR SMALL BUSINESSES
A more complex product.
Members bid (high or low)
in a monthly auction to
determine payout order.
Fee: 20% on rollover
THE VISION: POSITIVE PERSONAL FINANCE
• At the heart of the Savemates business lies a simple but powerful
mission - to make money a positive force in our customers’ lives.
• Savemates customers save together with people they trust and love,
who help them reach their goals.
• By building their savings they can take control of their financial lives, and
reduce their reliance on debt.
• If they choose to make money from their savings through our P2P
savings offers, they’re then lending to real people and small
businesses.
11
OUR BRAND
• We will build the next great internet personal
finance brand.
• Savemates will be the consumer brand of choice at
the heart of the P2P finance revolution, putting
individuals and the people they love in control of
their financial lives.
• Again, ‘weightwatchers for savings’ is a valuable
touchpoint - most of the weight loss industry is
characterized by dodgy and suspect claims. In
contrast, weightwatchers is a true community, with
a proven weight loss method - and it’s fun!
MARKETING PLAN
Primary segments
• Families
• Colleagues
Secondary segments
• Existing cash ROSCA operators
• Community groups
Channels
• Direct PR
• Content marketing via Savemates brand
• Digital advertising - Google Adwords and Facebook
• Partner marketing - working with trusted partners
12
• Savemates marketing will mainly be done by our primary
users asking their friends and families to join the groups
they have created.
• We will therefore focus our direct marketing efforts on
influencing these primary users, who we believe to be
influencers themselves.
• We will also develop the Savemates brand as the voice of
the consumer in the P2P finance landscape - offering
content and support for savers and people looking to get
back in control of their money.
COMPETITOR ANALYSIS
13
Option: Save into a standard saving account
• Players: Big Finance - HSBC, Lloyds, HBOS, Barclays etc
• Strengths: Trusted brands (debatable!); Convenient for existing customers
• Weaknesses: No motivation to ensure saving; Complex product portfolios; Very poor interest rates; General consumer hatred
• Our advantage: Get money quicker (for most users); Results - you will save + it’s fun; Better rates if P2P saving offer taken up; Non-Toxic Brand
Option: Unsecured personal loan
• Players: Big Finance - HSBC, Lloyds, HBOS, Barclays etc; Direct lenders - Credit card co’s - First Capital, Virgin, Barclaycard etc
• Strengths: Brand (debatable!); Ease of access; Get your money tomorrow
• Weaknesses: High interest rates; Complex product portfolios; General consumer hatred
• Our advantage: Low interest rates - essentially free; Non-Toxic Brand
Option: Join an existing ROSCA
• Players: Various - community level initiatives
• Strengths: Already established
• Weaknesses: Organisational and business models not equipped for scale; Cash systems unattractive to busy people
• Our advantage: Scale; Brand; Technology / Security
TEAM
14
STEF LEWANDOWSKI
Stef is a Director of Savemates
Ltd. and our CTO.
Stef is an experienced software
engineer and technical
architect.
He was previously co-founder
and CTO of Aframe.com, a VC
backed professional video
startup. Prior to this he founded
and ran a digital agency.
NICK MARSH
Nick is a Director of Savemates
Ltd. and our CEO and CCO.
Nick is an experienced digital
product designer and
entrepreneur.
He was previously Managing
Director of Sidekick Studios, a
London based innovation agency,
and has designed products and
services for Aviva and Barclays.
DANIEL MC ALEESE
Daniel is Savemates’ Skilled Person and Compliance Advisor. He
supports Nick with Savemates’ compliance monitoring and AML
and fraud prevention activity. Daniel is an ex-regulator, and now
supports several financial services companies with compliance
issues through his company Robinson Mack Ltd.
MARTIN CAMPBELL
Martin is Savemates’ marketing advisor. Previously he was head
of media at Zopa Ltd. Before that he designed financial products
for Virgin Direct and Aviva.
SIMON DEANE-JOHNS
Simon is Savemates’ general counsel. Previously he was chief
legal advisor to Zopa Ltd and now advises several UK based
financial services startups including Savemates.
PAUL BIRCH
Paul is a Director of
Savemates Ltd. and our angel
investor.
Paul is an active angel investor
based in London and sits on
the boards of several high
growth technology businesses.
He was previously co-founder
of Bebo.com which sold to
AOL in 2008 for $850M.
HOW WE MAKE MONEY
• There are four revenue streams in the Savemates business.
• Fees. We charge 1% on all payouts for our simple products.
• Partner fees. We earn commission for referring customers to savings
products and other deals when they collect their payout.
• Data sales. We have unique data about our customers, including who
they trust to advise them about money, when they have money to spend
etc.
15
ASSUMPTIONS USED TO BUILD OUR PROJECTIONS
• Average group saves £1000 per month
• 20% monthly growth rate in group numbers
(softening after first year)
• 5% of payouts convert to partner product,
earning 10% commission.
• Data sales income not included
PROJECTIONS
16
                 Year 1      Year 2       Year 3       Year 4        Year 5
Total groups     1,392       15,524       74,884       188,600       352,616
Total balance    £1.39M      £15.52M      £74.88M*     £188.6M       £352.6M
Income (1)       £80,271     £1,270,166   £8,064,677   £25,338,859   £51,688,819
Fixed costs (2)  £148,625    £80,221      £509,348     £1,600,349    £3,264,557
Gross profit     -£68,354    £1,189,945   £7,555,329   £23,738,510   £48,424,262
Overheads (3)    £211,000    £480,000     £1,500,000   £2,880,000    £3,240,000
Net profit       -£279,354   £709,945     £6,055,329   £20,858,510   £45,184,262
Assumptions: Referral income generated from Y1 Q3. Transaction fee reduced to 0.1% Y1 Q4. International expansion end of Y3. * = 1% of UK market.
(1) Commission fee @ 1%, referral fees @ 10% on 5% of payouts / (2) Transaction fees @ 2.9% for first 6M, then 0.1% / (3) Salaries, marketing, development
APPENDIX
17
1. Company Structure
2. Governance - Important processes
3. User Experience Flow
4. User Experience - Handling Defaults
5. Anti-Money Laundering and Fraud Prevention Strategies
6. Risk management and Compliance
7. Security and Technology System Overview
8. Technical Architecture Overview
9. Pay-in Process / Payment Flow
10. Pay-out Process / Payment Flow
COMPANY STRUCTURE
18
Board of Directors: Nicholas Marsh, Stef Lewandowski, Paul Birch
Chief Executive Officer: Nicholas Marsh
Chief Compliance Officer: Nicholas Marsh
Chief Technology Officer: Stef Lewandowski
  Developers
Marketers
Advisory Committee: Martin Campbell, Simon Deane-Johns
Skilled Person / Compliance Advisor: Daniel Mc Aleese
GOVERNANCE - IMPORTANT PROCESSES
19
Software development processes.
Savemates is a digital business, and our customers access our
service exclusively through our website. That’s why we take
our software development processes very seriously.
We use a mixture of best practice Agile and Scrum project
management methods. The team has daily standup meetings
to raise issues, and every two weeks we review progress as a
whole group (‘sprint review’) and decide on which features to
develop next (‘sprint planning’).
We version our software using Git, so all commits are fully
auditable and connected to individual developers’ GitHub
accounts. No developers have access to production data, and
all changes to the transaction manager must be personally
authorized by the CTO and CCO.
More information:
http://en.wikipedia.org/wiki/Agile_software_development
http://en.wikipedia.org/wiki/Scrum_(development)
http://en.wikipedia.org/wiki/Git_(software)
OTHER DOCUMENTS
For more details on our internal processes and governance model please
refer to the following documents:
• Savemates HR manual
• Savemates Compliance Manual
• Savemates software development internal wiki
Hiring and HR processes.
Our entire engineering team is based in the UK. We
request personal information from all our permanent
staff and contractors and conduct background checks
and request references before they join our team.
We have clear disciplinary procedures in place in the
event of misconduct. These are outlined in our HR
manual, which is required reading for all Savemates
developers and employees.
Compliance processes.
Alongside our software development processes, which
involve our CCO, we also have the following compliance
processes in place:
• Daily payments reconciliation and review
• A monthly compliance meeting with all senior
marketing and engineering staff and our skilled person
• All permanent staff are given Anti-Money-Laundering
training
• Any changes to the transaction manager authorized by
CCO and CTO.
Much more information can be found in our
Compliance Manual, which is required reading for all
Savemates developers and employees.
USER EXPERIENCE - OVERVIEW
20
Joining as a first user and creating a group
• First time users join Savemates by clicking the ‘create
group’ button on savemates.com.
• They are then prompted to enter account information
(name, email, profile photo, password) which creates a
user account and allows them to create a group.
• They then choose the type of group (turn based or
shuffle)
• They then specify the pay-in amount for the group
and the number of members
• They then add the people they want to join the group
by providing a name, email and profile photo
• They then customize the invite for the people they
want to join the group
• Finally, to create the group and send their invite they
add their debit card details for the pay-in, their bank
account details for the pay-out and their address.
• At this point the Savemates risk management
application checks their details, and if they have a low
risk score their group is created and invitations sent
Paying-in
• When the pay-in date is reached the Group Manager
Application asks the Transaction Manager Application to
debit the cards of all group members with the correct
amounts
• This is then passed on to our payment gateway Stripe, who
process the transaction and deposit the funds into our
client money account
• If the transaction is successful the user gets an email
notification.
• If it is unsuccessful our default process begins (see page
23)
Paying out
• When the pay-out date is reached the user receiving the
pay-out gets an email notification with a link to the pay-out
page
• On the page they click a button that says ‘get pay-out’
• We will then manually transfer the funds from our client
money account to their bank account within 24 hours
MORE DETAIL
Please see the following slides
for more detail, or review the
process yourself at
savemates.com
• Visual description of UX - page 22
• How we handle defaults - page 23 / 24
• Our AML process - page 24
• Technical process for pay-in - page 30/31
• Technical process for pay-out - page 32/33
Joining as an invited user
• Invited users get an email with a link to the
group page
• On the page they can then see the amounts
and who else has been invited
• They click join, and then add their debit card
details for the pay-in, their bank account
details for the pay-out and their address.
• At this point the Savemates risk
management application checks their details,
and if they have a low risk score they join the
group
Activating a group
• When enough approved users have joined
the group the first user receives an email
asking them to activate the group
• On the page they can click ‘activate’
• This then sends emails to all group members
and begins the first pay-in process.
USER EXPERIENCE - FLOW
21
[Flow diagram. Swimlanes: Group Admin, Standard User, System. Stages: Create group and join / Activate / Pay-in / Pay-out.
Group Admin: Create account (name, email, address, debit card, bank details); Create group; Invite friends; Activate group; Email notification; Pay-in via debit card or Direct Debit; Email notification; Visit page to get pay-out; Pay-out via bank transfer or Direct Debit.
Standard User: Get invite; Create account (name, email, address, debit card, bank details); Email notification; Pay-in; Email notification; Get pay-out.
System: AML / Fraud check on each account (internal check - risk score; external check - credit check, sanctions list); ID request (in some cases).]
USER EXPERIENCE - HANDLING DEFAULTS
22
We expect the default rate to be very low for several reasons:
• Trust between group members. Customers cannot join groups with people they don’t
know, and equally they cannot invite members they don’t know. This means that all group
members should know what they are getting into, and our messaging will be very clear that
they should not join groups they cannot afford.
• Social pressure. The whole Savemates concept relies on social pressure from people you
know and love to ensure that saving is prioritised!
• Forgiveness. However, because group members know each other, if there is a legitimate
reason for the default (say, losing a job) the group members will forgive the default, as
they understand the personal circumstances.
When a user does default we will first notify the user, and try to re-debit the account after
72 hours. If this second attempt fails we will notify the group of the late payment. After 72
hours we will try to debit again. If this fails, we will eject the user, blacklist their account and
send the remaining group members a message with their options (see box).
DEFAULT MESSAGING / OPTIONS
Once a user has been ejected from a group and their account blacklisted, Savemates
simply reduces the number of members in the group by one, and the pay-out amount
goes down by the value of one user’s pay-in. At this point we send each member of
the group an email with a message outlining their options.
• If the defaulting user has not had a payout and the user we are emailing has
not had a payout: we send a message that explains how much their pay-out
amount will be reduced by.
• If the defaulting user has not had a payout and the user we are emailing has
had a payout: we send a message that explains how much they should pay back
to the defaulting user if they so wish.
• If the defaulting user has had a payout and the user we are emailing has not
had a payout: we send a message that explains how much their pay-out amount
will be reduced by, and how much they should request from the defaulting user if
they so wish.
• If the defaulting user has had a payout and the user we are emailing has
had a payout: we send a message that explains how much everyone else’s
pay-out amount will be reduced by.
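The retry ladder and the four messaging options above, modelled in Python as an added example (not Savemates' own code). The per-member amounts are derived here from the rule that each pay-out contains one pay-in per member; the plan does not state them, and the member names and dates are constructed.

```python
"""Default-handling ladder for a Savemates-style savings club.

Added example, not Savemates' own code. It models the process the plan
describes: on a failed debit, notify the user and retry after 72 hours; on a
second failure, notify the group and retry after another 72 hours; on a third
failure, eject and blacklist the user, shrink the pay-out by one pay-in and
email every remaining member the one of four options that applies to them.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Set, Tuple

RETRY_DELAY = timedelta(hours=72)
MAX_ATTEMPTS = 3
DEMO_START = datetime(2013, 6, 1, 9, 0)     # constructed sample pay-in date

Event = Tuple[datetime, str, str, str]      # (when, kind, member, detail)


@dataclass
class Member:
    name: str
    has_had_payout: bool = False
    ejected: bool = False


@dataclass
class Group:
    pay_in_pence: int                       # agreed monthly pay-in per member
    members: List[Member]
    blacklist: Set[str] = field(default_factory=set)

    def active_members(self) -> List[Member]:
        return [m for m in self.members if not m.ejected]

    def payout_pence(self) -> int:
        # Each month's pay-out is one pay-in from every active member.
        return self.pay_in_pence * len(self.active_members())


def default_case(defaulter: Member, recipient: Member) -> int:
    """Which of the plan's four messaging options applies to `recipient`."""
    if not defaulter.has_had_payout:
        return 1 if not recipient.has_had_payout else 2
    return 3 if not recipient.has_had_payout else 4


def default_message(group: Group, defaulter: Member, recipient: Member) -> str:
    # Every pay-out contains exactly one pay-in from each member, so each amount
    # below is a single pay-in. That figure is derived here; the plan itself
    # does not state it.
    amount = f"£{group.pay_in_pence / 100:.2f}"
    case = default_case(defaulter, recipient)
    if case == 1:
        return f"Your pay-out will be reduced by {amount}."
    if case == 2:
        return (f"{defaulter.name} paid {amount} into your pay-out but has not "
                f"had one; you may wish to pay that back.")
    if case == 3:
        return (f"Your pay-out will be reduced by {amount}; you paid {amount} into "
                f"{defaulter.name}'s pay-out and may wish to request it back.")
    return f"Everyone else's pay-out will be reduced by {amount}."


def run_default_ladder(group: Group, member: Member, now: datetime,
                       attempt_debit: Callable[[Member, datetime], bool]) -> List[Event]:
    """Drive the retry ladder for one member. `attempt_debit` stands in for the
    payment gateway and returns True when the debit clears."""
    events: List[Event] = []
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if attempt_debit(member, now):
            events.append((now, "debit_succeeded", member.name, ""))
            return events
        events.append((now, "debit_failed", member.name, f"attempt {attempt}"))
        if attempt == 1:
            events.append((now, "notify_user", member.name, "late payment"))
        elif attempt == 2:
            events.append((now, "notify_group", member.name, "late payment"))
        else:
            member.ejected = True
            group.blacklist.add(member.name)
            events.append((now, "ejected_and_blacklisted", member.name,
                           f"pay-out now £{group.payout_pence() / 100:.2f}"))
            for other in group.active_members():
                events.append((now, "options_email", other.name,
                               default_message(group, member, other)))
        now += RETRY_DELAY
    return events
```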
USER EXPERIENCE FLOW - DEFAULTS
23
[Flow diagram, swimlanes User and System: Debit attempted -> Debit fails -> User contacted via email -> (72 hours) -> Debit attempted -> Debit fails -> Group contacted via email -> (72 hours) -> Debit attempted -> Debit fails -> User removed from group and blacklisted -> Group pay-out reduced; individual members sent email with options.]
ANTI-MONEY LAUNDERING AND FRAUD PREVENTION STRATEGIES
24
To prevent Savemates being used for fraudulent activity we have the following controls in place:
• Automatic checking of all accounts against HM Treasury sanctions list
• Separate Risk Management Application reviews each new user and new group and monitors activity for non-standard behavior using a proprietary algorithm which assigns a
risk score to each user and group. Example factors we monitor include users joining multiple groups with the same debit card, new groups with high pay-in and pay-out
amounts, groups with suspicious social profile data, etc. This algorithm is continually refined, and actively developed by our engineers and CCO.
• In the event of an edge case being detected by the Risk Management Application we request a scan of a UK passport, which is reviewed manually before we pay out
• Pay-in limited to £250 per month per user per group
• Groups limited to 10 members, thus limiting monthly payout to £2500 maximum
• Average 30 days delay from pay-in to pay-out (funds held in Client Monies Account)
• Users cannot sign up without a UK debit card and its registered UK address
• Users can only receive pay-outs into UK bank accounts
• We keep complete, encrypted records of every user interaction and transaction with the system
• Our CCO works closely with our CTO to actively update our AML and fraud prevention strategies
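As an added example (not the Savemates Risk Management Application, which the plan describes as proprietary), a rule-based pre-approval check in Python that enforces the hard limits listed above and scores two of the named signals. The card fingerprint field, the score weights and the thresholds are assumptions; the sample applicants in the test are constructed.

```python
"""Pre-approval checks for a new Savemates-style group.

Added example, not the Savemates Risk Management Application (the plan calls
that algorithm proprietary). It enforces the hard limits the plan lists (£250
pay-in per user per group per month, 10 members, UK debit card with a UK
registered address, UK pay-out account, HM Treasury sanctions check) and
scores two of the signals it names: the same debit card already used across
several groups, and a new group at the top of the pay-in / pay-out range.
Cards are identified by the payment gateway's opaque card fingerprint (an
assumed field), so no card number is handled here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MAX_PAY_IN_PENCE = 25_000     # £250 per user per group per month
MAX_MEMBERS = 10              # with the cap above, pay-out <= £2,500
HIGH_VALUE_FRACTION = 0.8     # "high" = top fifth of the permitted range (assumption)
REVIEW_THRESHOLD = 40         # score at/above: passport scan + manual review (assumption)
DECLINE_THRESHOLD = 80        # score at/above: do not create the group (assumption)


@dataclass
class Applicant:
    user_id: str
    card_fingerprint: str         # gateway-issued token identifying the card
    card_country: str             # country of the card issuer, ISO 3166 alpha-2
    card_address_country: str     # country of the card's registered address
    bank_account_country: str     # country of the pay-out bank account
    sanctions_hit: bool = False   # result of the HM Treasury list check

@dataclass
class GroupRequest:
    pay_in_pence: int
    member_count: int
    creator: Applicant

@dataclass
class RiskContext:
    """What the risk app already knows: group ids seen per card fingerprint."""
    groups_by_fingerprint: Dict[str, Set[str]] = field(default_factory=dict)

    def other_groups(self, fingerprint: str) -> int:
        return len(self.groups_by_fingerprint.get(fingerprint, set()))

@dataclass
class Decision:
    outcome: str                  # "approve", "manual_review" or "decline"
    score: int
    reasons: List[str]


def hard_limit_violations(req: GroupRequest) -> List[str]:
    """Rules that are never scored: breaking any of them blocks the group."""
    a, violations = req.creator, []
    if req.pay_in_pence > MAX_PAY_IN_PENCE:
        violations.append("pay-in above £250 per user per month")
    if req.member_count > MAX_MEMBERS:
        violations.append("more than 10 members")
    if a.card_country != "GB" or a.card_address_country != "GB":
        violations.append("debit card is not a UK card with a UK registered address")
    if a.bank_account_country != "GB":
        violations.append("pay-out account is not a UK bank account")
    if a.sanctions_hit:
        violations.append("match on HM Treasury sanctions list")
    return violations


def behavioural_score(req: GroupRequest, ctx: RiskContext) -> Tuple[int, List[str]]:
    """Soft signals from the plan; the weights are illustrative."""
    score, reasons = 0, []
    reuse = ctx.other_groups(req.creator.card_fingerprint)
    if reuse >= 2:
        score += 40
        reasons.append(f"card already used in {reuse} other groups")
    elif reuse == 1:
        score += 15
        reasons.append("card already used in 1 other group")
    if req.pay_in_pence >= HIGH_VALUE_FRACTION * MAX_PAY_IN_PENCE:
        score += 20
        reasons.append("pay-in at the top of the permitted range")
    if req.pay_in_pence * req.member_count >= HIGH_VALUE_FRACTION * MAX_PAY_IN_PENCE * MAX_MEMBERS:
        score += 20
        reasons.append("monthly pay-out near the £2,500 cap")
    return score, reasons


def assess(req: GroupRequest, ctx: RiskContext) -> Decision:
    """Hard limits first; only a request that passes them is scored."""
    violations = hard_limit_violations(req)
    if violations:
        return Decision("decline", DECLINE_THRESHOLD, violations)
    score, reasons = behavioural_score(req, ctx)
    if score >= DECLINE_THRESHOLD:
        return Decision("decline", score, reasons)
    if score >= REVIEW_THRESHOLD:
        return Decision("manual_review", score, reasons + ["request UK passport scan"])
    return Decision("approve", score, reasons)
```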
RISK MANAGEMENT AND COMPLIANCE
25
Risk: Loss/change of clearing bank
• Response: Our service oriented architecture makes it easy for us to
change providers
Risk: Loss of top clients
• Response: While Savemates may lose some important clients at any
time, it is Savemates strategy to gather a large number of clients so that
its revenue generation is evenly spread out, whereby it will not be
materially reliant on a small number of clients for the majority of its
income and thus being adversely affected should it lose some clients.
Risk: Managing Client Risk
• Response: As we will not be giving clients any investment advice, the
clients will need to effectively manage their own risk.
Risk: Counter-Party Risk
• Response: There is no transactional counter-party risk as Savemates is
just providing the online facility.
Risk: Credit Risk
• Response: There is no credit risk as no credit or financing will be offered
by Savemates. All clients will need to have cleared funds on deposit.
Risk: Liquidity risk
• Response: With minimum overheads, the firm will have little liquidity
risk should revenues decrease substantially
Risk: Operational Risk
• Response: As all services are provided online and bank accounts are
held separately, there is minimal operational risk save for IT problems
(see disaster recovery plan)
Risk: Key Person Risk
• Response: As Savemates will be providing online services only, clients
can continue to trade should anything happen to key individuals at
Savemates. Savemates will endeavour to replace any key staff as quickly
as possible.
Risk: Systems Risk/Disaster Recovery Plan
• Response: The business can operate from any location providing there
is secure internet access and access to printing facilities. Savemates has
produced a disaster recovery plan.
Risk: Compliance Risk
• Response: Savemates will ensure full compliance with the rules and
regulations of the appropriate regulatory authorities. Savemates has
retained the services of Robinson Mack Ltd; regulatory consultants, to
advise on all regulatory issues and provide training on an ongoing basis.
Risk: Conflict of Interest
• Response: Savemates does not envisage any potential conflicts with its
clients. Employees of Savemates may open a Savemates account, but no
conflict arises that may disadvantage other clients in any way.
Notwithstanding the above, Savemates has an independence policy of
disclosing any material conflicts of interest to clients and any other third
party.
SECURITY AND TECHNOLOGY SYSTEM OVERVIEW - 3RD PARTY SERVICES
26
Heroku.com
Savemates applications are hosted on the Heroku web
platform. Heroku is a cloud application platform owned by
salesforce.com
The Heroku platform inherently protects customers from
threats by applying security controls at every layer from
physical to application, isolating customer applications and
data, and with its ability to rapidly deploy security updates
without customer interaction or service interruption.
Stripe.com
Savemates uses Stripe.com to process debit card
transactions.
Stripe uses a form of tokenized encryption and embedded
forms that means Savemates never stores or handles
actual debit card data. Stripe is a certified PCI Level 1
service provider with US and UK operations.
FURTHER READING
For more information on AWS security
please visit:
https://aws.amazon.com/security
For more information on Heroku
security please visit:
https://policy.heroku.com/security
For more information on Stripe security
please visit:
https://stripe.com/help/security
Amazon Web Services
Heroku is built on Amazon Web Services (AWS) EU
based infrastructure.
AWS data centre operations have been accredited
under:
• ISO 27001
• SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously
SAS 70 Type II)
• PCI Level 1
• FISMA Moderate
DISASTER RECOVERY PROCEDURE
We use the above web-scale services for a reason. The Platform as a Service architectures used by AWS and Heroku mean that we cannot experience an unrecoverable
disaster, with the exception of a simultaneous total physical attack on both availability zones of the AWS EU data centers, which are in two different locations within Europe. With
that exception excluded, we will always have complete records in our databases of every transaction and group stored on the AWS / Heroku infrastructure, and we keep a full
version history of every commit/change to the application on GitHub.com (a $100M backed version control system), which also runs on AWS infrastructure.
SECURITY AND TECHNOLOGY SYSTEM OVERVIEW
27
The Savemates system architecture pattern conforms to industry best practice of Service Oriented Architecture and clear
separation of concerns and data. See the following slide for a technical architecture diagram.
Our system has the following characteristics:
• We conform to PCI design principles
• We use only a small number of well managed 3rd party services (see previous slide)
• We conduct regular penetration testing of our application by third party services
• We operate a need-to-know information policy, with only our CTO and CCO having access to production data via SSH keys
provided by Heroku, and to admin interfaces via secure passwords and whitelisted IPs
• All data is securely transmitted over SSL
• All data in the transaction manager database is encrypted with AES-256
• We keep full, encrypted records of every transaction, including full transaction history, and logs of all actions taken during admin
user sessions against admin accounts, for five years.
• We only use simulation data on staging and development services, and there is no developer access to the production database
TECHNICAL ARCHITECTURE OVERVIEW
28
Version 1 - First 6-12 months
[Architecture diagram. Components:
• Sales website
• Group Manager Application: groups and payment schedules; basic user info/ID, group membership
• Transaction Manager Application (encrypted): Stripe tokens; pay-out bank account details; audit-able transaction history of all pay-ins and pay-outs
• Admin App
• Manual Risk App
• Stripe, taking the pay-in (£) from the user debit card into the Savemates Client Monies Account
• Savemates online banking, making the pay-out (£) from the Savemates Client Monies Account to the user bank account
Application-to-application links, and the link to Stripe, are labelled "Token auth. over SSL"; the remaining links are labelled "SSL".]
TECHNICAL ARCHITECTURE OVERVIEW
29
Version 2 - 6 months + (requires bank API access)
[Architecture diagram. Components:
• Sales website
• Group Manager Application: groups and payment schedules; basic user info/ID, group membership
• Transaction Manager Application (encrypted): Stripe tokens; pay-out bank account details; audit-able transaction history of all pay-ins and pay-outs
• Risk App
• Bank API / Direct Debits moving funds (£) between the user bank account and the Savemates Client Monies Account; the authentication method is marked "Unknown?"
Application-to-application links are labelled "Token auth. over SSL"; the remaining links are labelled "SSL".]
PAY IN PROCESS / PAYMENT FLOW
30
Version 1 - First 6-12 months
[Flow diagram: the Group Manager Application sends Savemates user IDs + amounts to the Transaction Manager Application (token auth. over SSL); the Transaction Manager sends Stripe user tokens + amounts to Stripe (token auth. over SSL); Stripe charges the user debit card and deposits the funds (£) into the Savemates Client Monies Account; transaction status is returned from Stripe to the Transaction Manager and from there to the Group Manager.]
PAY IN PROCESS / PAYMENT FLOW
31
Version 2 - 6 months + (requires bank API access)
[Flow diagram: the Group Manager Application sends Savemates user IDs + amounts to the Transaction Manager Application (token auth. over SSL); the Transaction Manager issues a Direct Debit charge through the Bank API (authentication marked "Unknown auth?") against the user bank account, and the funds (£) land in the Savemates Client Monies Account; transaction status flows back to the Transaction Manager and then to the Group Manager.]
PAY OUT PROCESS / PAYMENT FLOW
32
Version 1 - First 6-12 months
[Flow diagram: the Group Manager Application sends Savemates user IDs + amounts to the Transaction Manager Application (token auth. over SSL); the Transaction Manager passes account number, sort code + amount to the Admin App (token auth. over SSL); an operator then completes the transfer as a manual process over SSL via the bank website (online banking for the Savemates Client Monies Account, Barclays data services) to the user bank account (£); transaction status is returned to the Group Manager.]
PAY OUT PROCESS / PAYMENT FLOW
33
Version 2 - 6 months + (requires bank API access)
[Flow diagram: the Group Manager Application sends Savemates user IDs + amounts to the Transaction Manager Application (token auth. over SSL); the Transaction Manager instructs the Bank API (authentication marked "Unknown auth?"; the link is labelled "Direct Debit charge" as on the pay-in slide) to move the funds (£) from the Savemates Client Monies Account to the user bank account; transaction status flows back to the Transaction Manager and then to the Group Manager.]