Briqpay Security Policy

Briqpay delivers smart solutions for businesses to register new customers, checkout solutions for payments, and data analysis. Transparency towards our customers is a core value of Briqpay: our customer is always in full control of the services and data offered by Briqpay. Keeping your data secure is of high importance to us, and we have implemented appropriate technical measures to ensure that all data sent to Briqpay is handled securely. Note that you can still reduce the privacy of the Briqpay services yourself, for example by sharing URLs, IDs or other information, and we cannot take responsibility for privacy that is breached because you shared information you should not have. Briqpay AB (publ), Reg. No. 559249-5336, is hereinafter referred to as “we”, “us”, “our” or “Briqpay”, and “you” shall be interpreted as the person or entity that has entered into an agreement with Briqpay to use our services.

1. Human Resource Security

We have processes in place to ensure that all personnel with access to systems or information about our Users, as well as to User Data, have agreed to a non-disclosure undertaking as part of their employment contract with Briqpay. Our staff onboarding process includes verifying the identity of new staff and the background and skills they state. Our staff termination process includes revoking all access rights and credentials, retrieving IT equipment, and notifying the departing employee of their continuing confidentiality obligations. Any staff with access to information about users are required to take appropriate security training on a regular basis, as set out in the Security Revision Schedule below.

Roles, accountabilities, and responsibilities

CHIEF EXECUTIVE OFFICER

  • Accountable for all aspects of Briqpay’s information security and data processing.

  • Determines the privileges and access rights to the resources within their areas.

SECURITY OFFICER

  • Responsible for the security of the IT infrastructure.

  • Plans against security threats, vulnerabilities, and risks.

  • Implements and maintains Security Policy documents.

  • Ensures security training programs.

  • Ensures IT infrastructure supports Security Policies.

  • Responds to information security incidents.

  • Helps in disaster recovery plans.

ALL EMPLOYEES

In consideration of being entrusted rights to use Briqpay’s systems, repositories, and information all employees must acknowledge the following:

  • That all confidential information must be kept confidential, and that any disclosure of confidential information would cause harm to Briqpay;

  • That the employee must handle confidential information only on devices issued by Briqpay;

  • That the employee will not, directly or indirectly, make use of information other than in the course of work duties;

  • That the employee will keep passwords, PIN codes, etc. entrusted to the employee strictly confidential;

  • That the employee uses at least two-factor authentication for systems holding user data, and that SSH private keys are protected with a passphrase;

  • That Briqpay implements host-based (i.e. per-workstation) security by contractually requiring strong disk encryption (at least AES-128) on all workstations; this is verified at the start of employment and at least twice a year;

  • That the host firewall is enabled on all workstations;

  • That the employee will log off the computer or activate the password-protected screensaver immediately upon completion of each work session;

  • That the employee understands that their rights to use Briqpay systems, repositories and information expire upon termination of their work duties, or at any time upon request by Briqpay, and that unless otherwise instructed the employee shall immediately return all Briqpay intellectual property they hold once those rights have expired;

  • That a clear desk policy applies, to protect customer information;

  • That the Briqpay Password Control Policy defines the requirements for proper and secure handling of passwords within the organization: all employees who handle assets and services related to Briqpay use a certified password management system, and strong passwords are required.

2. Operations security

Physical access to Briqpay’s office premises is granted to staff individually and on a need-to-have basis. Physical access to the premises where the Services are performed is logged, including date, time, door ID and whether access was granted or denied. Briqpay maintains segregation of duties to prevent error and fraud: at least two individuals are responsible for separate parts of any task, so that no single role or account can access, modify or use data without authorization or detection. We log important events, which enables us to monitor and follow up on suspicious or malicious activity. Losses, theft, damage, tampering or other incidents involving IT assets that compromise security must be reported as soon as possible to the CTO.

3. Business continuity

Our intention is to perform planned maintenance only during low-traffic hours and weekends. We reserve the right to deploy new updates and versions of the Application to the extent we deem suitable. We use Snyk, which performs vulnerability scans on a regular basis and rates findings according to CVSS. High-severity vulnerabilities are fixed within two weeks, medium within six weeks, and low within eight weeks.

4. Continuous improvements

Our engineering practices ensure that we keep security in mind at all stages of the development lifecycle. While no system is completely secure, we do our utmost to minimize every type of risk. Examples of our engineering practices:

  • Clear code conventions enforced by static code analysis;

  • Use of well-known frameworks to protect against common attack vectors (XSS, CSRF, SQL injection);

  • Incident response plans are maintained and followed to act quickly on incidents;

  • Continuous checks to keep libraries up to date;

  • Continuous integration builds and testing;

  • Penetration tests of the underlying infrastructure are performed by GCP on its own infrastructure;

  • All code is peer-reviewed to find bugs and security holes early;

  • All releases are tested before being merged to production;

  • Passwords and other secrets are always kept in password safes or supplied as configuration.

5. Data Security

Processing

We work with best-in-class service providers for data storage. The service provider’s physical infrastructure is hosted and managed within Google’s secure data centers and uses Google Cloud Platform (GCP) technology. Google continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Google’s data center operations are accredited under industry standards including ISO 27001 and SOC 2.

We have configured our data to be stored in the GCP region europe-west3 (Frankfurt). Google’s own security measures are described at https://cloud.google.com/security/. Security measures are taken to protect you and your data both for data at rest and for data in transit.

Data at rest

All data at rest is encrypted; Google Cloud encrypts stored data by default, and we get that protection automatically through our database provider. Read more here: https://cloud.google.com/docs/security/encryption/default-encryption. As described above, Briqpay stores Data on Google Cloud Platform servers. We logically separate each customer’s data from other customers’ data in order to ensure integrity and confidentiality. Briqpay uses ISO 27001- and SOC 2-certified data centers managed by Google.

Data in transit

All data in transit is encrypted using standard TLS, version 1.2 or higher, and our TLS configuration is rated A by the third-party SSL Labs test. Privacy and protection of user data are of the highest importance to us, and we have both technical and operational measures in place to ensure this.

Security Incidents

We have in place, and will maintain, appropriate technical and organizational measures to protect personal data and other data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and all other unlawful forms of processing (each such event a “Security Incident”). We have an incident management process to detect and handle Security Incidents; they must be reported to the Security Officer (security@briqpay.com) as soon as they are detected. This applies to Briqpay employees and to all processors that handle personal data. All Security Incidents are documented and evaluated internally, and an action plan, including mitigating actions, is made for each individual incident. If you are affected by a Security Incident, we will contact you as soon as possible through the relevant channels.

6. Security Revision Schedule

This section shows how often Briqpay conducts security revisions and the different types of tests. If significant changes occur, Briqpay will bring forward an otherwise scheduled activity to ensure continued security.

Activity | Frequency

Security training for personnel | Yearly and at the start of employment

Revoke system, hardware and document access | At end of employment

Verify that access levels for all systems and employees are correct | Once per year

Audit of the access management process and catalog | Once per year

Firewall settings verification for workstations and network | Once per year

Ensure all critical system libraries are up to date | Continuously

Unit and integration tests to ensure system functionality and security | Continuously

External vulnerability scans to ensure system security | Continuously

7. Contact

Briqpay AB is a Swedish limited liability company, registered in Sweden with registration number 559249-5336. You can always reach us at hello@briqpay.com.

8. Changes To This Security Policy

This Security Policy is not part of the Terms. Laws, regulations, industry standards and our business are in constant change, which requires us to make changes to this Security Policy from time to time. We will post the changes on this page and encourage you to review our Security Policy regularly to stay informed.