Security statement

Our security statement outlines the rigorous technical and organizational measures—including encryption and proactive monitoring—that we use to protect your data from unauthorized access.

This Security Statement applies to all Banqup Group products and services and to its affiliates, except where otherwise noted. This Security Statement also forms part of the user agreements for Banqup Group customers. Banqup Group values the trust its customers show by letting the organization act as custodian of their data.

Banqup Group takes its responsibility to protect and secure its customers' information seriously and strives for complete transparency around its security practices detailed below.

General

Physical security

Banqup information systems and technical infrastructure are hosted within world-class, SOC 2 accredited data centers. Physical security controls at these data centers include 24x7 monitoring, cameras, visitor logs, entry limitations, and all that one would expect at a high-security data processing facility.

Access control

Access to Banqup technology resources is only permitted through secure connectivity (e.g. VPN, SSH) and requires multi-factor authentication. The Banqup production password policy requires complexity, expiration and lockout, and disallows reuse. Banqup grants access on a need-to-know basis following least-privilege rules, reviews permissions quarterly and revokes access immediately after employee termination.

Security policies

Banqup maintains and periodically reviews and updates its information security policies, at least on an annual basis. Employees must acknowledge policies on an annual basis and undergo additional training pertaining to job function. Training is designed to adhere to all specifications and regulations applicable to Banqup.

Personnel

Banqup conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws and countries). In addition, Banqup communicates its information security policies to all personnel (who must acknowledge this), requires new employees to sign non-disclosure agreements, and provides ongoing privacy and security training.

Dedicated security personnel

Banqup has a dedicated privacy and security organisation, which focuses on application, cloud, network and system security. This team is also responsible for security compliance, education and incident response.

Vulnerability management and penetration tests

Banqup maintains a documented vulnerability management program which includes periodic scans, identification and remediation of security vulnerabilities on servers, workstations, network equipment and applications. All networks, including test and production environments, are regularly scanned using trusted third-party vendors. Critical patches are applied to servers on a priority basis, and all other patches as appropriate. Banqup also conducts regular internal and external penetration tests and remediates any findings according to severity.

Encryption

Banqup encrypts all data at rest in the data centers and all data in motion using the Banqup cryptographic standard, which is reviewed yearly.

Development

The Banqup development team employs secure coding techniques and best practices, focused around the OWASP Top Ten. Developers are formally trained in secure web application development practices upon hire and annually. Development, testing and production environments are separated. All changes are peer reviewed and logged for performance, audit and forensic purposes prior to deployment into the production environment.

Asset management

Banqup maintains an asset management policy which includes identification, classification, retention and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access production networks.

Incident management

Banqup maintains a security incident response process that covers the initial response, investigation, customer notification (no less than as required by applicable law), public communication, prudential reporting and remediation.

Breach notification

Despite best efforts, no method of transmission over the internet and no method of electronic storage is perfectly secure. Like any other organisation, Banqup cannot guarantee absolute security. However, if Banqup becomes aware of a security breach, Banqup will notify affected users so that they can take appropriate protective steps. Banqup breach notification procedures are consistent with the obligations under applicable country laws and regulations, as well as any industry rules or standards applicable to Banqup and its affiliates. Banqup is committed to keeping its customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.

Business continuity management

Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity. Banqup employs a backup strategy to ensure minimum downtime and data loss.

Your responsibility

Keeping your data secure also requires that you maintain the security of your account by using sufficiently complex passwords and storing them safely. You should also be aware of your context and environment and work in a secure manner. Lastly, you should ensure that you have sufficient security on your own systems.

Logging and monitoring

Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews and analysis by authorized Banqup personnel. Logs are preserved in accordance with regulatory requirements. Banqup will provide customers with reasonable assistance and access to logs in the event of a security incident impacting their account.

Compliance

Banqup Group has implemented an Information Security Management System (ISMS), governance, risk management and compliance practices, which align with current information security frameworks and best practices. Our ISMS is ISO 27001 certified. In addition, Banqup payment products carry the Payment Card Industry’s Data Security Standards (PCI DSS 3.2).

Fraud

Banqup Payments makes use of rule-based and AI-powered detection systems to protect customers' transactions against financial crime. These detection systems are continuously reviewed to adapt to changing threats, leading to a lower fraud rate for Banqup customers and their customers.

Multi-factor authentication

Banqup Payments uses the 3D Secure (3DS) protocol to add an extra layer of protection to online electronic payments. This reduces the risk of unauthorised transactions and charge-backs. With 3DS enabled, customers have two-factor authentication on payments, i.e. payments won’t go through unless the customer authorises them.