SECURITY POLICY

Last revised on 21/09/2017

Introduction

APEXX Fintech Limited (“APEXX”, “We”) is the producer and owner of APEXX Services (“Services”) and owner of the APEXX website (“Website”).

“You” in this policy means an individual who is accessing or applying to use the Services either on his or her own account or on behalf of a business.  This includes in relation to

a) a Merchant or prospective Merchant of APEXX

b) a Technical Partner or Introducer (both referred to as “Partner”) or a prospective Partner

c) any sole trader and any principals, including the managing and financial directors, any other directors and officers, shareholders, company partners and beneficial owners of a Merchant or Partner

d) any member of staff accessing or using the Services on behalf of a Merchant or Partner

DATA PROTECTION

a) Security measures for APEXX are designed to protect confidential content input into the APEXX platform, and to maintain the availability of such content pursuant to the Agreement. Merchant is the sole controller for any personal data included in the content, and appoint APEXX as a processor to process such personal data (as those terms are defined in the General Data Protection Regulation). APEXX will treat all content that is personally identifiable as confidential and will only disclose content to employees, contractors, and sub processors to the extent necessary to deliver the Service and support of the Service.

b) Upon request, APEXX will provide evidence of stated compliance and accreditation, such as certificates, attestations, or reports resulting from accredited independent third-party audits. Where applicable, the accredited independent third-party audits will occur at the frequency required by the relevant standard to maintain the APEXX Service’s stated compliance and accreditation.

c) IBM Cloud is the data centre used for any APEXX Service. IBM will not access any content except and only to the extent necessary: i) when APEXX expressly authorizes it, having gained prior permission from you if related to personally identifiable information; ii) as required by law. Read their Data Security and Privacy Principles for IBM Cloud Services.

SECURITY POLICIES

a) APEXX will maintain and follow IT security policies and practices that are integral to APEXX’s business and mandatory for all APEXX employees, including supplemental personnel.

b) APEXX will review its IT security policies at least annually and amend such policies as APEXX deems reasonable to maintain protection of our Services and content processed therein.

c) APEXX will maintain and follow its standard mandatory employment verification requirements for all new hires, including supplemental employees. In accordance with APEXX internal process and procedures, the requirements will be periodically reviewed and include, but may not be limited to criminal background checks, proof of identity validation, and additional checks as deemed necessary by APEXX.

d) APEXX employees will complete security and privacy education and certify that they will comply with APEXX’s policies, as set out in APEXX’s Employee Handbook. Additional policy and process training will be provided to persons granted administrative access to APEXX Platform that is specific to their roles within the APEXX operation and support of the APEXX Platform, and as required to maintain compliance and certifications.

SECURITY INCIDENTS

a) APEXX will maintain and follow documented incident response policies and will comply with data breach notification requirements of the General Data Protection Regulation.

b) APEXX will investigate unauthorised access and unauthorised use of confidential content of which APEXX becomes aware (security incident), and, APEXX will define and execute an appropriate response plan. Merchant may notify APEXX of a suspected vulnerability of incident by submitting a technical support request to support@apexxfintech.com.

c) APEXX will promptly notify Merchant of a security incident that is known or reasonably suspected by APEXX to affect Merchant. APEXX will provide Merchant with reasonably requested information about such security incident and status of any APEXX remediation and restoration activities.

PHYSICAL SECURITY AND ENTRY CONTROL

a) APEXX will maintain appropriate physical entry controls, such as card controlled entry points, surveillance cameras, and manned receptions desk, to protect against unauthorised entry into APEXX offices.

b) Any person duly granted temporary permission to enter the APEXX office will be registered upon entering the premises and will be escorted by authorised personnel.

ACCESS, INTERVENTION, TRANSFER AND SEPARATION CONTROL

a) APEXX will maintain documented security architecture of networks managed by APEXX in its operation of the APEXX Service. APEXX will separately review such network architecture, including measures designed to prevent unauthorised network connections to systems, applications and network devices, for compliance with its secure segmentation, isolation, and defence in depth standards prior to implementation.

b) APEXX will maintain measures for APEXX Service that are designed to logically separate and prevent confidential content from being exposed to or accessed by unauthorised persons.

c) APEXX will encrypt confidential content not intended for public or unauthenticated viewing when transferring content over public networks and enable use of a cryptographic protocol, such as HTTPS, SFTP, and FTPS, for Merchant’s secure transfer of confidential content to and from the APEXX Service over public networks.

d) If APEXX requires access to confidential content, APEXX will restrict and limit such access to least level required to provide and support the APEXX Service. Such access, including administrative access to any underlying components (privileged access), will be individual, roles based, and subject to approval and regular validation by authorised APEXX personnel following principles of segregation of duties. APEXX will maintain measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke such access upon the account owner’s separation or request of authorised PEXX personnel, such as account owner’s manager.

e) APEXX will maintain technical measures enforcing timeout of inactive sessions, lockout of accounts ater multiple sequential failed login attempts, strong password or passphrase authentication, and measures requiring secure transfer and storage of such passwords and passphrases.

f) APEXX will monitor use of privileged access and maintain security information and event management measures designed to a) identify authorised access and activity, b) facilitate a timely and appropriate response, and c) to enable internal and independent third party audits for compliance with documented APEXX policy.

SERVICE INTEGRITY AND AVAILABILITY CONTRol

a) APEXX

  1. performs internal penetration testing and vulnerability assessments, including automated system and application security scanning and manual ethical hacking, before production release and annually thereafter

  2. enlists a qualified independent third-party to perform penetration testing at least annually

  3. performs automated management and routine verification of underlying components’ compliance with security configuration requirements, and

  4. remediates identified vulnerabilities or noncompliance with its security configuration requirements based on associated risk, exploitability, and impact. APEXX will take reasonable steps to avoid disruption to the APEXX Service when performing its tests, assessments, scans, and execution of remediation activities.

b) APEXX will maintain policies and procedures designed to manage risks associated with the application of changes to its Services. Prior to implementation, changes to the Service, including its systems, networks and underlying components, will be documented in a registered change request that includes a description and reason for the change, implementation details and schedule, a risk statement addressing impact to the APEXX Service and its Merchants, expected outcome, rollback plan, and documents approval by authorised personnel

c) APEXX will maintain an inventory of all information technology assets used its operation of the APEXX Service. APEXX will continuously monitor the health and availability of the APEXX Service and underlying components.

d) Each APEXX Service will be separately assessed for business continuity and disaster recovery requirements pursuant to documented risk management guidelines. Each APEXX Service will have, to the extent warranted by such risk assessment, separately defined, documented, maintained and annually validated business continuity and disaster recovery plans consistent with industry standard practices. Recovery point and time objects for the APEXX Service, if provided, will be established with consideration given to the APEXX Service’s architecture and intended use.

DEFINITIONS AND INTERPRETATION

All defined terms in this Policy shall have the meaning assigned to them as defined here or elsewhere in this Policy and shall apply both to the plural and singular forms of each term, as the context may require.