API Data Security FAQ

MALENA Data and API Security FAQs - April 2024

1. What are the differences between the MALENA API offering and the MALENA Web Platform?

The MALENA Web Platform is built for Business-to-Consumer (B2C) users – individuals looking to analyze a limited number of ESG documents. The MALENA API offering is designed for Business-to-Business (B2B) users – organizations seeking programmatic access to the MALENA AI to process large amounts of unstructured ESG text.

The MALENA API offers three additional capabilities compared to the B2C platform:

i) Programmatic access to the MALENA AI: enabling organizations with high document volumes to connect MALENA to their own applications through the API.

ii) Analysis of massive amounts of data: while the B2C version allows for a maximum upload of 20 files or 100 MB at one time, with a total storage of 1 GB, the B2B API can process high volumes of documents (thousands) with a 40 MB limit per document.

iii) No persistent API input data storage: in contrast to the public version, the MALENA API does NOT require persistent data storage. The API input data is kept in temporary storage for the time required to perform the sentiment analysis task and immediately deleted after the API output has been produced by MALENA.

2. What API security measures have been implemented for the MALENA API?

As an IFC application, the MALENA API is built on top of the World Bank Group’s cloud infrastructure and relies on institutional security controls and systems, including the identification and management of vulnerabilities.

The MALENA API applies the Zero Trust principle to API implementation by incorporating security measures to continuously authenticate and authorize all interactions with the API, irrespective of their source or destination. The following security aspects have been considered: valid authentication and authorization, continuous monitoring of API telemetry to detect any suspicious or anomalous behavior, encryption to protect data exchanged between clients and the API, least privilege access (limiting B2B users' access rights to only what is strictly required), API gateway integration, identity and access management for centralized user identity management, access controls and permissions, and regular updates of security controls and protocols to mitigate emerging risks and ensure compliance with industry standards and regulations.

3. For how long is API input data stored?

MALENA API input data (binary or plain text) is only kept in RAM and temporary storage for the time required to perform the sentiment analysis. Temporary storage times typically range from a few seconds to at most 10 minutes.

4. What data security measures are used to protect API input data?

API input data is encrypted using symmetric encryption, with the API key only stored in volatile memory. All API input data is purged from MALENA temporary storage after completion of the sentiment analysis task.

5. Does IFC use API input data to train its AI models?

MALENA API input data is NOT used to train IFC AI models.

6. Are there any service guarantees or verification of the API input and output data? 

There are no service guarantees or audits of API input and output data. Please see the MALENA API Terms of Use for more details. The MALENA API Terms of Use are separate from these FAQs, and (unlike these FAQs, which are non-binding and not enforceable against IFC) form a part of the contractual agreement you sign up to when you subscribe to and use any MALENA API endpoints.

7. Does MALENA API have the capability to recover data in the case of failure or data loss during an API request? 

There is no guarantee regarding the capability to recover data in the case of a failure or data loss during an API request. Please see the MALENA API Terms of Use for more details. The MALENA API Terms of Use are separate from these FAQs, and (unlike these FAQs, which are non-binding and not enforceable against IFC) form a part of the contractual agreement you sign up to when you subscribe to and use any MALENA API endpoints.

8. Does IFC use subcontractors or third-party service providers for software development in relation to MALENA? 

The MALENA API and MALENA Web Platform are IFC applications that have been developed with the support of strategic WBG-selected vendors. MALENA follows WBG Procurement Policies and Procedures, including the mandatory use of pre-selected third-party vendors for substantial/key tasks.

WBG follows industry-recognized vendor risk management practices. External service providers and contractors are subject to contractual obligations related to cybersecurity, business continuity and data privacy. They are also provided with information regarding applicable WBG policies and procedures that need to be followed, including data incident notification requirements/protocols where appropriate. External service provider engagements are risk-assessed, monitored for performance, and periodically reviewed for compliance with contractual obligations subject to and based on the risk profile.

9. Who can I contact if I have concerns about information security when using the MALENA API? 

Inquiries and notifications related to information security should be sent via email to the World Bank Office of Information Security at infosec@worldbank.org, referencing MALENA API in the subject line.

In the event that your API authentication key is compromised, you can generate a new key within your MALENA API portal account settings, which deactivates the old key.