Security and privacy
1. Introduction & Scope
This Security Policy outlines the security measures and practices that SPLIT PAYMENTS, S.L. (referred to as “Flanks”, “we”, “our”, or “us”) has implemented to safeguard user data and maintain a secure online environment, ensuring security and privacy compliance. This policy applies to all users, administrators, and third-party service providers who interact with our wealth-tech SaaS platform, and it covers all our products and services unless otherwise specified in this document.
2. Compliance & Regulatory Requirements
Flanks is committed to complying with:
- General Data Protection Regulation (GDPR) to ensure data privacy and protection.
- SOC 2 Type II standards for information security, availability, and processing integrity. Flanks is certified as SOC 2 Type II compliant and is audited annually. Audit certifications can be provided upon request to Clients or Providers.
3. User Access & Authentication
- Multi-Factor Authentication (MFA) is mandatory for all user accounts.
- Password Policies:
  - Minimum length of [e.g., 12 characters].
  - Must include a mix of uppercase and lowercase letters, numbers, and symbols.
  - Enforced periodic password changes and expiration policies.
- Secure password reset procedures are in place.
4. Data Protection & Encryption
- All data is encrypted at rest and in transit using industry-standard encryption protocols.
- A comprehensive cryptography policy governs encryption key management.
- Regular backups are performed, and a disaster recovery plan is in place to ensure business continuity.
5. Hosting & Infrastructure Security
- Our infrastructure is hosted on Google Cloud, ensuring high availability and robust security.
- Security measures include firewalls, intrusion detection systems (IDS), and DDoS protection to prevent unauthorized access and attacks.
6. Software & Patch Management
- Software, plugins, and libraries are updated regularly in accordance with our Secure Development Policy.
- Vulnerability assessments and penetration testing are conducted periodically to identify and mitigate security risks.
7. Incident Response & Monitoring
- Comprehensive logging and monitoring mechanisms track system activity and detect anomalies.
- Security incidents are managed through our Incident Response Plan, which includes:
  - Detection, analysis, and containment of threats.
  - Notification procedures for affected users and regulatory bodies (if applicable).
  - Post-incident review and improvement actions.
8. Third-Party Risk Management
- Third-party service providers, including payment processors and analytics platforms, must comply with our Third-Party Management Policy.
- Security assessments are conducted before integrating third-party APIs and services.
- Contracts with third parties include data protection and confidentiality clauses.
9. User Responsibilities & Awareness
- Users must follow security best practices, including:
  - Using strong, unique passwords and enabling MFA.
  - Remaining vigilant against phishing attacks and suspicious links.
  - Reporting security concerns promptly to security@flanks.io.
10. Policy Review & Updates
- This policy shall be reviewed annually or as needed to adapt to evolving security threats and compliance requirements.
For any questions or concerns about this policy, please contact our security team at security@flanks.io.