Information Security

1. Commitment to Security

RICARDO ***** - ME, operator of the NUDINN platform, recognizes that the security of users' financial information and personal data is of critical importance.

This document describes the technical, organizational, and procedural measures we implement to protect your data against unauthorized access, loss, alteration, improper disclosure, or accidental destruction.

Our security approach is based on the principles of Confidentiality, Integrity, and Availability (CIA Triad), in compliance with international best practices and requirements of the General Data Protection Law (LGPD).

2. Encryption and Data Protection

2.1. Encryption in Transit

All data transmitted between your device and our servers is protected by SSL/TLS (Transport Layer Security) encryption of at least 256 bits:

• HTTPS Protocol: All web platform access uses HTTPS exclusively
• SSL Certificates: Digital certificates regularly renewed and issued by recognized Certificate Authorities
• TLS 1.3: We use the latest version of TLS protocol for maximum security
• Perfect Forward Secrecy (PFS): Ensures compromised session keys do not affect previous or future sessions
• HTTP Strict Transport Security (HSTS): Forces HTTPS use preventing downgrade attacks

2.2. Encryption at Rest

Data stored in our databases and backup systems is protected by AES-256 (Advanced Encryption Standard) encryption:

• Sensitive Financial Data: Balances, transactions, and banking information encrypted with unique keys per user
• Passwords: Never stored in plain text, we use strong hashing (bcrypt) with individual salt and multiple iterations
• Tokens and Credentials: Encrypted with limited validity time
• Backups: All backups encrypted before storage

2.3. Cryptographic Key Management

• Encryption keys stored in HSM (Hardware Security Module) or key management services (KMS) from certified providers
• Periodic key rotation according to security policies
• Key access restricted through multi-layer controls
• Key segregation by environment (development, staging, production)

3. Access Control and Authentication

3.1. User Authentication

• Strong Passwords: Minimum complexity requirements (at least 8 characters, combination of letters, numbers, and symbols)
• Multi-Factor Authentication (MFA): Available and recommended for all users (codes via SMS, email, or authenticator apps)
• Session Tokens: JWT (JSON Web Tokens) with short expiration and secure automatic renewal
• Attempt Blocking: Temporary blocking after multiple failed login attempts (brute force protection)
• Automatic Logout: Sessions expire automatically after inactivity period

3.2. Internal Access Control

Robust systems limit data access by NUDINN employees:

• Principle of Least Privilege: Employees have access only to data strictly necessary for their roles
• Separation of Duties: Separation between development and production environments
• Mandatory Multi-Factor Authentication: For all administrative access
• Audit Logs: All access to sensitive data is recorded and monitored
• Periodic Review: Permissions reviewed quarterly and automatically revoked when no longer needed
• Non-Disclosure Agreement (NDA): All employees with data access sign confidentiality terms

4. Infrastructure and Network Security

4.1. Hosting and Data Centers

We use market-leading cloud computing providers with international security certifications:

• Providers: AWS (Amazon Web Services) and/or Google Cloud Platform
• Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, PCI DSS
• Data Centers: Located in Brazil and high-availability regions
• Redundancy: Infrastructure distributed across multiple availability zones
• Physical Security: Data centers with biometric control, 24/7 surveillance, fire protection, and natural disaster protection

4.2. Network Security

• Web Application Firewall (WAF): Cloudflare WAF protects against common attacks (SQL Injection, XSS, CSRF, DDoS)
• DDoS Protection: Automatic mitigation of denial-of-service attacks
• Network Segmentation: Isolation between application servers, database, and internal services
• VPN and Secure Connections: Administrative access exclusively via VPN
• Traffic Monitoring: Continuous analysis of abnormal traffic patterns

4.3. Application Security

• Code Review: Peer code review before deployment
• Security Testing: Automated (SAST - Static Application Security Testing) and manual tests
• OWASP Top 10 Protection: Mitigation of all critical vulnerabilities mapped by OWASP
• Rate Limiting: Request limits per IP to prevent abuse
• Input Validation: Rigorous sanitization of all user-entered data
• Content Security Policy (CSP): Security headers to prevent XSS and code injection

5. Backup and Disaster Recovery

5.1. Backup Policy

• Frequency: Automatic daily backups of complete database
• Incremental Backup: Incremental backups every 6 hours to minimize data loss
• Retention:
  • Daily backups: retained for 30 days
  • Weekly backups: retained for 3 months
  • Monthly backups: retained for 1 year
• Geographically Distributed Storage: Replicas in different regions for disaster protection
• Encryption: All backups encrypted with AES-256
• Restoration Tests: Monthly tests to validate backup integrity

5.2. Business Continuity Plan (BCP)

We maintain a documented and regularly tested Business Continuity and Disaster Recovery Plan (BCP/DR):

• RTO (Recovery Time Objective): Maximum 4 hours for complete restoration
• RPO (Recovery Point Objective): Maximum data loss of up to 1 hour
• Response Team: Dedicated team trained for emergency scenarios
• Simulations: Semi-annual disaster recovery exercises

6. Monitoring and Threat Detection

6.1. Continuous 24/7 Monitoring

• SIEM (Security Information and Event Management): Real-time security event correlation
• Centralized Logs: Records of all critical activities (access, authentication, changes, errors)
• Automatic Alerts: Immediate notifications about suspicious or abnormal activities
• Integrity Monitoring: Detection of unauthorized changes to system files
• Behavior Analysis: Machine Learning to identify anomalous patterns

6.2. Intrusion Detection and Prevention

• IDS/IPS (Intrusion Detection/Prevention System): Systems that detect and block intrusion attempts
• Honeypots: Decoy systems to attract and study attackers
• Threat Intelligence: Integration with global threat intelligence feeds
• Vulnerability Scanning: Weekly automated vulnerability scans

7. Security Testing and Audits

7.1. Penetration Testing (Pentests)

• Frequency: External pentests performed semi-annually by independent specialized companies
• Scope: Web applications, APIs, mobile apps, network infrastructure
• Remediation: Critical vulnerabilities fixed within 48 hours; high within 7 days

7.2. Security Audits

• Internal Audits: Quarterly review of security and compliance controls
• External Audits: Annual assessment by independent auditors
• Code Audits: Specialized review of critical source code

7.3. Bug Bounty Program

We are developing a vulnerability reward program (Bug Bounty) to encourage security researchers to report vulnerabilities responsibly.

8. Incident Response

8.1. Incident Response Plan (IRP)

We maintain a structured security incident response process:

1. Detection and Identification: Continuous monitoring identifies incidents in real time
2. Containment: Immediate isolation of affected systems to prevent spread
3. Eradication: Complete threat removal and vulnerability closure
4. Recovery: Secure service restoration and integrity validation
5. Post-Mortem Analysis: Detailed root cause investigation and lessons learned
6. Communication: Notification to affected users and authorities per LGPD

8.2. Incident Communication

In compliance with LGPD (Art. 48), in case of security incident that may pose relevant risk or harm to data subjects:

• Communication to ANPD: Within reasonable time (generally 72 hours)
• Notification to Affected Users: Clear information about incident nature, affected data, and measures taken
• Transparency: Public updates when appropriate

8.3. Reporting Channel

If you identify a security vulnerability or suspicious behavior:

We request responsible disclosure: please do not publicly disclose vulnerabilities before giving us opportunity to fix them.

9. Training and Awareness

9.1. Team Training

• Security Onboarding: All new employees receive mandatory training on security and privacy
• Periodic Training: Annual updates on best practices, new threats, and LGPD compliance
• Phishing Simulations: Periodic tests to assess and improve team awareness
• Security Culture: Encouragement to report incidents without fear of retaliation (blameless culture)

9.2. User Awareness

We produce educational content to help users protect their accounts:

• Guides on creating strong passwords
• How to identify phishing attempts
• Importance of multi-factor authentication
• Security best practices on mobile devices

10. Third-Party Security

10.1. Vendor Due Diligence

All service providers processing data on our behalf are rigorously assessed:

• Security Assessment: Detailed questionnaires before contracting
• Required Certifications: ISO 27001, SOC 2 Type II, or equivalents
• Contractual Clauses: Data Processing Agreements (DPA) with clear obligations
• Continuous Monitoring: Annual reassessment of critical vendors
• Audit Rights: We reserve right to audit vendor security practices

10.2. Integrations and APIs

• Secure APIs: OAuth 2.0 for integration authentication
• Rate Limiting: Request limits per API key
• API Logs: Recording of all API calls for audit
• Integration Review: Prior approval and security review for new integrations

11. Mobile Application Security

• Secure Local Storage: Use of Keychain (iOS) and Keystore (Android) for credentials
• Code Obfuscation: Protection against reverse engineering
• Certificate Pinning: SSL certificate validation to prevent man-in-the-middle
• Local Biometrics: Biometric authentication (fingerprint, Face ID) when available
• Jailbreak/Root Detection: Alerts about compromised devices
• Memory Cleanup: Sensitive data erased from memory after use

12. Compliance and Certifications

We are committed to best practices and regulatory compliance:

• LGPD (Law 13.709/2018): Full compliance with General Data Protection Law
• Marco Civil da Internet (Law 12.965/2014): Compliance with obligations regarding records and privacy
• ISO 27001 (in process): Implementation of ISMS (Information Security Management System)
• OWASP: Alignment with OWASP Top 10 and ASVS security standards
• PCI DSS Compliance: Compliance through certified payment gateway (Stripe)

13. Shared Responsibility

While we adopt robust measures, security is a shared responsibility. We recommend users:

• Use strong and unique passwords for accounts
• Enable multi-factor authentication (MFA)
• Keep operating systems and applications updated
• Do not share credentials with third parties
• Use secure Wi-Fi networks (avoid public networks for financial transactions)
• Be wary of suspicious emails or messages requesting personal data (phishing)
• Log out when using shared devices
• Immediately report suspicious activities

14. Continuous Improvement

Security is not a final state but a continuous process. We are committed to:

• Trend Monitoring: Constant tracking of new threats and vulnerabilities
• Regular Updates: Security patches applied proactively
• Control Evolution: Implementation of new controls as technology evolves
• User Feedback: Incorporation of community suggestions
• Benchmarking: Comparison with industry standards and best practices

15. Contact - Security Team

Our security team monitors these channels 24/7 and responds to critical incidents immediately.