Customer Stories / Financial Services / Argentina
Pomelo Provides Fintech Services with a Secure, Scalable, Cost-Optimized Data Lake Built on Amazon S3
Learn how fintech Pomelo built a highly secure, scalable, cost-efficient data lake to drive innovation and business value using Amazon S3.
for consumer data
to manage access to data
while maintaining a growth trajectory
in AWS KMS costs using Amazon S3 Bucket Keys
projected savings on data storage
Pomelo builds credit card and digital account solutions that businesses can use to offer their own financial products quickly and securely. As a fast-growing fintech startup, it needed a cost-effective, scalable architecture that meets the Payment Card Industry Data Security Standard (PCI DSS) and industry standard security practices. Through its business intelligence dashboard offering, Pomelo helps its clients use financial transaction logs to review account activity to drive business insights, all while protecting customers’ information with robust security protocols.
Pomelo chose Amazon Web Services (AWS) and built a data lake using Amazon Simple Storage Service (S3), an object storage service offering industry-leading scalability, data availability, security, and performance. Pomelo uses a combination of native Amazon S3 features and other AWS services for rigorous security practices at scale, all while managing to cut costs by 95 percent for certain cryptographic operations. Pomelo’s customers use data to gain insights into their users’ transactions while maintaining best practices in security.
Founded in Argentina in April 2021, Pomelo provides fintech solutions to more than 100 enterprise clients and millions of their users in six Latin American countries. Pomelo provides its clients, such as large banks and finance firms, with ways to issue and process credit cards, offer digital accounts, and deliver fraud prevention while complying with PCI DSS.
A secure business intelligence dashboard lets Pomelo clients see their customers’ transactions and use the data to predict purchases, calculate risks, uncover anomalies, and run analyses. “When the speed of accessing data is very slow, it holds you back,” says Juan Jose Behrend, Director of Engineering at Pomelo. “And security is highly, highly important. AWS for us is really a no-brainer.”
We needed a data repository that could expand dynamically with virtually no maintenance, connect with other AWS services, and meet all our compliance requirements—Amazon S3 was a perfect match."
Juan Jose Behrend
Director of Engineering, Pomelo
The company built its architecture according to the AWS Well-Architected Framework, which provides architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems in the cloud. Pomelo used the AWS Well-Architected Framework as the foundation for its data lake on Amazon S3, gaining exceptional storage capacity with fine-tuned security controls that comply with PCI DSS. “We needed a data repository that could expand dynamically with virtually no maintenance, connect with other AWS services, and meet all our compliance requirements,” says Behrend. “Amazon S3 was a perfect match.”
Pomelo stores user information, unstructured data, and the records of billions of financial transactions in its data lake built on Amazon S3. Traffic never leaves Pomelo’s Amazon Virtual Private Cloud (VPC), where organizations define and launch their AWS resources in a logically isolated virtual network. Pomelo uses VPC endpoints for Amazon S3 for limiting access through highly reliable, secure connections. To further define the data perimeter for individual datasets, the company uses S3 bucket policies.
At the account level, Pomelo activates Amazon S3 Block Public Access, which blocks all public access across its S3 buckets with a single click. Pomelo further secures access by using the Bucket Owner Enforced setting in S3 Object Ownership, a bucket-level control that deactivates access control lists and enforces the use of access management policies. The company applies the principle of least privilege while establishing granular role-based access controls using AWS Identity and Access Management (IAM), which securely manages identities and access to AWS services and resources. Pomelo’s grant-access list uses AWS IAM role-based protocols as part of a zero-trust framework. “What I really love about AWS is that you can customize everything,” says Behrend. For further oversight, Pomelo obtains detailed records for all requests made to S3 buckets by implementing S3 server access logging, which provides detailed records for requests and helps customers gain insights into access patterns.
For encryption, Pomelo secures Amazon S3 objects using server-side encryption with AWS Key Management Service (AWS KMS) customer-managed keys (SSE-KMS), which lets organizations create, manage, and control cryptographic keys across applications and AWS services. “We knew we wanted to encrypt our systems with a key that we created and controlled,” says Kevin Santos, data engineer at Pomelo. But as a growing startup, Pomelo was looking to reduce its key management costs. It worked alongside AWS solution architects to identify which objects in its data lake received the most AWS KMS requests. To do so, Pomelo used S3 Storage Lens, which delivers organization-wide visibility into object storage usage and activity trends and makes actionable recommendations to optimize costs and apply data protection best practices. Using S3 Storage Lens, Pomelo learned that S3 was making a call to AWS KMS every time an application needed to access an encrypted object. This was generating two billion AWS KMS requests per month.
To limit the number of AWS KMS requests and reduce costs, Pomelo implemented Amazon S3 Bucket Keys, which use a bucket-level key from AWS KMS to decrease the request traffic from S3 to AWS KMS. The bucket-level key creates data keys to encrypt new objects during its lifecycle. As a result, Pomelo reduced the traffic from S3 to AWS KMS and cut its costs for server-side encryption using AWS KMS by 95 percent.
With the aim of continuing to improve cost-efficiency, Pomelo uses the Amazon S3 Glacier Flexible Retrieval storage class, the ideal storage class for enterprises looking to archive data that does not require immediate access while retaining flexibility to retrieve large sets of data at no cost. “The flexibility of S3 Glacier retrieval options allows us to balance cost-efficiency with data retrieval times,” says Behrend. Using S3 Lifecycle, the company configures a set of lifecycle rules that automatically transitions its objects to the low-cost S3 Glacier Flexible Retrieval storage class after a designated period of time. Pomelo estimates that it will achieve long-term savings of 40–50 percent on data storage by using Amazon S3 Lifecycle to transition cold data to the S3 Glacier Flexible Retrieval storage class.
With sustained cost savings, Pomelo can invest in attracting and retaining clients through the development of new features. The company is also shifting its focus to building efficiencies into its solutions.
Even as Pomelo maintains its growth trajectory, it prioritizes strict PCI DSS compliance and data security requirements in the countries where it operates. “We are using AWS tools to develop our services, bring in more clients, and securely expand into new regions,” says Behrend. “The big picture is not about the data or traffic we have today. Over the next few years, our goal is to grow exponentially.”
About Pomelo
Pomelo is a fintech company that develops digital account and credit card solutions for fintechs and companies in the process of digital transformation, helping them launch and scale financial services in Latin America in an agile and secure way.
Amazon S3
Amazon Simple Storage Service (Amazon S3) is an object storage service offering industry-leading scalability, data availability, security, and performance.
AWS KMS
AWS Key Management Service (AWS KMS) lets you create, manage, and control cryptographic keys across your applications and AWS services.
Learn more »
Amazon S3 Bucket Keys
Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). Using a bucket-level key for SSE-KMS can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS.
AWS Identity and Access Management
With AWS Identity and Access Management (IAM), you can specify who or what can access services and resources in AWS, centrally manage fine-grained permissions, and analyze access to refine permissions across AWS.
Get Started
Organizations of all sizes across all industries are transforming their businesses and delivering on their missions every day using AWS. Contact our experts and start your own AWS journey today.