Security and privacy
1. Introduction & Scope
This Security Policy outlines the security measures and practices that SPLIT PAYMENTS, S.L. (referred to as “Flanks”, “we”, “our”, or “us”) has implemented to safeguard user data and maintain a secure online environment, ensuring security and privacy compliance. This policy applies to all users, administrators, and third-party service providers who interact with our wealth-tech SaaS platform, and it covers all our products and services unless otherwise specified in this document.
2. Compliance & Regulatory Requirements
Flanks is committed to complying with:
- General Data Protection Regulation (GDPR) to ensure data privacy and protection.
- SOC 2 Type II standards for information security, availability, and processing integrity. Flanks is certified as SOC 2 Type II compliant and is audited annually. Audit certifications can be provided upon request to Clients or Providers.
3. User Access & Authentication
- Multi-Factor Authentication (MFA) is mandatory for all user accounts.
- Password Policies:
  - Minimum length of [e.g., 12 characters].
  - Must include a mix of uppercase and lowercase letters, numbers, and symbols.
  - Enforced periodic password changes and expiration policies.
- Secure password reset procedures are in place.
4. Data Protection & Encryption
- All data is encrypted at rest and in transit using industry-standard encryption protocols.
- A comprehensive cryptography policy governs encryption key management.
- Regular backups are performed, and a disaster recovery plan is in place to ensure business continuity.
5. Hosting & Infrastructure Security
- Our infrastructure is hosted on Google Cloud, ensuring high availability and robust security.
- Security measures include firewalls, intrusion detection systems (IDS), and DDoS protection to prevent unauthorized access and attacks.
6. Software & Patch Management
- Software, plugins, and libraries are updated regularly in accordance with our Secure Development Policy.
- Vulnerability assessments and penetration testing are conducted periodically to identify and mitigate security risks.
7. Incident Response & Monitoring
- Comprehensive logging and monitoring mechanisms track system activity and detect anomalies.
- Security incidents are managed through our Incident Response Plan, which includes:
  - Detection, analysis, and containment of threats.
  - Notification procedures for affected users and regulatory bodies (if applicable).
  - Post-incident review and improvement actions.
8. Third-Party Risk Management
- Third-party service providers, including payment processors and analytics platforms, must comply with our Third-Party Management Policy.
- Security assessments are conducted before integrating third-party APIs and services.
- Contracts with third parties include data protection and confidentiality clauses.
9. User Responsibilities & Awareness
- Users must follow security best practices, including:
  - Using strong, unique passwords and enabling MFA.
  - Remaining vigilant against phishing attacks and suspicious links.
  - Reporting security concerns promptly to security@flanks.io.
10. Policy Review & Updates
- This policy shall be reviewed annually or as needed to adapt to evolving security threats and compliance requirements.
For any questions or concerns about this policy, please contact our security team at security@flanks.io. To report a security vulnerability, see our Responsible Disclosure Policy.




