
Security

PayAngel Security Policy

Effective Date: May 6, 2025

 

1. Introduction

At PAYINC GROUP LIMITED (trading as "PayAngel"), we take security seriously. We are committed to safeguarding the integrity, confidentiality, and availability of our systems, services, and data. This Security Policy outlines the principles, practices, and measures in place to protect our customers, employees, partners, and infrastructure.

 

2. Scope

This policy applies to all PayAngel systems, platforms (including web and mobile applications), data centres, cloud environments, and personnel involved in the processing, storage, transmission, or protection of information.

 

3. Security Governance

  • We maintain an Information Security Management System (ISMS) aligned with industry best practices.
  • Security responsibilities are clearly defined and overseen by our designated Security Officer.
  • Policies and procedures are regularly reviewed and updated in accordance with regulatory and operational requirements.

 

4. Technical and Organizational Measures (TOMs)

A. Data Encryption

  • Data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using AES-256 encryption.

B. Access Controls

  • Role-based access control (RBAC) is enforced.
  • Multi-factor authentication (MFA) is required for administrative and sensitive user access.
  • Access reviews are performed regularly.

C. Network Security

  • Firewalls, intrusion detection and prevention systems (IDPS), and secure VPNs are used.
  • Azure Front Door, Azure Firewall, and private IPs are employed to prevent external threats.

D. System Hardening

  • Operating systems and software are regularly patched.
  • Vulnerability scans and penetration tests are conducted routinely.

E. Logging and Monitoring

  • Real-time logging and monitoring of system activity is implemented.
  • Suspicious activities trigger automated alerts and response protocols.

F. Backup and Recovery

  • Regular, encrypted backups are maintained.
  • Disaster recovery plans are tested periodically.

G. PCI DSS Compliance

  • We adhere to the Payment Card Industry Data Security Standard (PCI DSS) where applicable.
  • Cardholder data is securely processed, stored, and transmitted using compliant infrastructure.

H. Customer Due Diligence (CDD) and Fraud Checks

  • CDD processes are implemented in line with AML/CFT regulations.
  • Automated and manual fraud detection checks are in place.
  • Suspicious transactions are monitored, flagged, and escalated as appropriate.

 

5. Incident Response

We maintain a documented Incident Response Plan to address data breaches and cyber incidents. It includes:

  • Immediate containment and impact assessment.
  • Notification procedures for regulators and affected individuals, where applicable.
  • Root cause analysis and remediation steps.

6. Physical and Environmental Security

  • Data centres and offices employ physical security controls including CCTV, restricted access, and secure zones.
  • Environmental controls protect against fire, flood, and power disruptions.

 

7. Employee Awareness and Training

  • Employees undergo mandatory security and privacy training.
  • Regular phishing simulations and role-specific training are conducted.

 

8. Vendor and Third-Party Security

  • Vendors undergo security due diligence and are subject to contractual obligations.
  • Data shared with third parties is protected using encryption and access controls.

 

9. Compliance and Certifications

  • Our security practices align with global standards such as ISO/IEC 27001.
  • We meet regulatory obligations in all jurisdictions we operate in, including the FCA (UK), GDPR (EU), FinCEN (US), FINTRAC (Canada), AUSTRAC (Australia), and relevant authorities in Ghana and Kenya.
  • PCI DSS compliance is maintained for all relevant payment systems.

 

10. Review and Updates

This policy is reviewed at least annually or upon significant changes to our infrastructure or risk landscape.

 

11. Contact Us

If you have security concerns or wish to report a vulnerability, please contact us:

Email: security@payangel.com

Website: www.payangel.com