Information Security Policy
Last updated: 1 May 2026
This policy summarises PayBitt’s security controls in customer-facing language. It complements our ISO 27001 alignment statement and internal runbooks. Report vulnerabilities to security@paybitt.com.
1. Objectives
Maintain the confidentiality, integrity, and availability of PayBitt systems and data; protect against fraud and abuse; and support safe operation of payment-related workflows in partnership with licensed financial institutions.
2. Asset management & classification
Information assets (source code, credentials, databases, logs, backups, customer support artefacts) are classified by sensitivity. Handling rules (storage location, encryption, retention) map to classification. Customer personal data is treated as high sensitivity.
3. Access control
- Least-privilege and role-based access to production and administrative systems.
- Multi-factor authentication for administrative and privileged accounts where supported.
- Periodic access reviews and prompt revocation on role change or offboarding.
- No shared production credentials for individual staff; secrets are managed in secure stores rather than held by individuals.
4. Secure development & change management
Changes pass through version control, code review, and automated checks where implemented. Production deployments follow approved release channels. Security-sensitive changes receive additional scrutiny.
5. Cryptography & data in transit
External interfaces use modern TLS configurations. Sensitive fields are protected at rest using platform-appropriate encryption or tokenisation aligned with vendor and regulatory expectations.
6. Logging & monitoring
We collect security-relevant logs (authentication events, administrative actions, application errors) proportionate to investigatory needs. Monitoring is used to detect anomalies and support incident response.
7. Vulnerability & patch management
Dependencies and infrastructure are reviewed for known vulnerabilities; critical patches are prioritised by risk. Penetration tests or third-party assessments may be conducted according to risk and customer requirements.
8. Incident response
Security incidents are triaged, contained, eradicated, and recovered under documented procedures. Where personal data is affected, we follow breach-notification obligations and inform partners as contractually required. Post-incident reviews drive preventive improvements.
9. Business continuity & backups
Critical systems are backed up and can be restored within targets defined in our Business Continuity Management Policy.
10. Vendor & supply chain
Material subprocessors (cloud, payments, messaging) are subject to due diligence and contractual security clauses, and are disclosed to merchants and regulators where subprocessor transparency is required.
11. Physical & environmental security
Production workloads run on reputable cloud and hosting providers whose data centres implement industry-standard physical controls. PayBitt’s own offices apply access controls appropriate to the premises and the staff who work there.
12. Human resources security
Background checks may be applied where permitted by law. Staff participate in security awareness training covering phishing, data handling, and acceptable use.