Security Policy
How we protect your data and maintain a secure platform
Our Security Commitment
At ZuriPay, we take security very seriously. We understand that we're entrusted with sensitive financial information, and we employ industry-leading security practices to protect your data and transactions.
Our security program is built on a comprehensive approach that includes technical safeguards, rigorous compliance procedures, and regular security assessments conducted by both internal teams and independent security firms.
This Security Policy outlines the measures we take to protect your information and maintain a secure platform.
Data Protection
We implement multiple layers of data protection:
- **Encryption:** All sensitive data is encrypted both in transit (using TLS/SSL) and at rest using strong encryption algorithms (AES-256).
- **Tokenization:** We use tokenization for payment information, replacing sensitive card data with non-sensitive token values that cannot be reverse-engineered.
- **Data Minimization:** We only collect and retain the minimum amount of data necessary to provide our services.
- **Access Controls:** Strict access controls and authentication mechanisms ensure that only authorized personnel can access customer data on a need-to-know basis.
- **Regular Audits:** We regularly audit data access and maintain comprehensive logs of system activities.
Infrastructure Security
Our infrastructure is designed with security as a priority:
- **Cloud Security:** We leverage top-tier cloud service providers with robust security certifications (SOC 2, ISO 27001, PCI DSS).
- **Network Segmentation:** Our infrastructure employs network segmentation and firewalls to isolate sensitive systems.
- **DDoS Protection:** We implement DDoS protection and traffic filtering to maintain service availability.
- **Vulnerability Management:** We continuously scan for vulnerabilities and apply security patches promptly.
- **Security Monitoring:** 24/7 monitoring of our systems for suspicious activities with automated alerts.
- **Redundancy:** Multiple layers of redundancy to ensure high availability and protect against data loss.
Compliance and Certifications
We maintain compliance with relevant industry standards and regulations:
- **PCI DSS Level 1:** The highest level of compliance with the Payment Card Industry Data Security Standard.
- **ISO 27001:** Certification for our information security management system.
- **GDPR Compliance:** We follow data protection principles and respect user privacy rights.
- **Local Regulatory Compliance:** We adhere to financial regulations in all jurisdictions where we operate.
- **Regular Assessments:** We undergo regular security assessments and penetration testing by independent third parties.
Incident Response
We maintain a comprehensive incident response plan:
- **24/7 Response Team:** Our security team is available at all times to respond to potential security incidents.
- **Documented Procedures:** Well-defined procedures for identifying, containing, eradicating, and recovering from security incidents.
- **Regular Drills:** We conduct regular incident response drills to ensure our team is prepared.
- **Communication Plan:** Clear protocols for notifying affected customers in the event of a security breach, in accordance with applicable laws and regulations.
- **Post-Incident Analysis:** After any security event, we conduct thorough analysis to prevent similar incidents in the future.
Authentication and Access
We implement strong authentication and access controls:
- **Multi-Factor Authentication (MFA):** We require MFA for all administrative access and make it available for all customer accounts.
- **Strong Password Policies:** Enforcement of strong password requirements.
- **Session Management:** Secure session handling with automatic timeouts for inactive sessions.
- **Principle of Least Privilege:** Staff members only have access to the specific data and systems necessary for their job functions.
- **Regular Access Reviews:** We conduct regular reviews of access privileges to ensure they remain appropriate.
Security Best Practices for Users
We recommend these best practices to enhance your security when using our services:
- Enable multi-factor authentication on your ZuriPay account
- Use strong, unique passwords for your account
- Keep your devices and browsers updated
- Be vigilant about phishing attempts – we will never ask for your password via email
- Monitor your account regularly for unauthorized transactions
- Use our available security features such as login notifications
- Contact us immediately if you suspect any unauthorized access to your account
For more detailed security recommendations, please visit our [Security Center](https://docs.zuripay.app/security).
Security Vulnerability Reporting
We appreciate the work of security researchers and the broader community in helping us maintain a secure platform. If you discover a potential security vulnerability, we encourage you to report it to us through our responsible disclosure program.
Email: security@zuripay.app
Please include detailed information about the vulnerability and steps to reproduce it. We commit to:
- Acknowledging receipt of your report within 24 hours
- Providing regular updates about our progress addressing the issue
- Notifying you when the vulnerability has been fixed
- Recognizing your contribution (if desired) after the issue is resolved
We do not engage in legal action against individuals who submit security vulnerability reports in good faith.
Contact Us
If you have any questions or concerns about our security practices, please contact our security team at security@zuripay.app or our general support team at support@zuripay.app.
ZuriPay, 7th Floor, Joina City, Jason Moyo Avenue, Harare, Zimbabwe
Phone: +263 772 123 456
Last Updated: August 15, 2023