Security and Privacy at NadaPay

Security is at the heart of what we do—helping our customers improve their security and compliance posture starts with our own.

Governance

NadaPay’s Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.

Our policies are based on the following foundational principles:

01. Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege. 02. Security controls should be implemented and layered according to the principle of defense in-depth.

03. Security controls should be applied consistently across all areas of the enterprise.

04. The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.

Security and Compliance at NadaPay

NadaPay maintains compliance with (insert icons certificate icons)

  • CCPA
  • PCI DSS

Data protection

Data at rest

All data stores with customer data, including S3 buckets and other storage services, are encrypted at rest. This includes:

  • Amazon S3: Data stored in S3 buckets is protected with server-side encryption options such as SSE-S3, SSE-KMS, and SSE-C.
  • Amazon DocumentDB (with MongoDB compatibility): Data is encrypted at rest using AWS KMS.
  • Amazon ElastiCache: Data is encrypted at rest for Redis and Memcached.
  • Amazon EC2 Instances: Data on EBS volumes attached to EC2 instances is encrypted using AWS KMS. Data at the file system level can also be encrypted.
  • Amazon EC2 Container Registry (ECR): Container images are encrypted at rest.
  • AWS Key Management Service (KMS): Manages encryption keys stored in Hardware Security Modules (HSMs) for various services.
  • AWS Secrets Manager: Application secrets are encrypted and stored securely, with strict access controls.

Sensitive collections and tables also use row-level encryption, ensuring that data is encrypted before it is stored in the database. This ensures that neither physical access nor logical access to the database is sufficient to read the most sensitive information.  

Data in transit

NadaPay employs TLS 1.2 or higher for all data transmitted over potentially insecure networks. We use additional security features such as:

  • HSTS (HTTP Strict Transport Security): To enhance the security of data in transit.
  • Elastic Load Balancing: Manages server TLS keys and certificates for secure data transmission.

Secret management

Encryption keys are managed via AWS Key Management Service (KMS). KMS stores key material in Hardware Security Modules (HSMs), preventing direct access by any individuals, including employees of Amazon and NadaPay. The keys stored in HSMs are used for encryption and decryption via Amazon’s KMS APIs.

Application secrets are securely encrypted and stored via AWS Secrets Manager and AWS Systems Manager Parameter Store, with access to these values being strictly controlled.

Product security

Penetration testing

NadaPay engages with one of the best penetration testing consulting firms in the industry at least annually. Our current preferred penetration testing partner is Kobalt.io, one of the leading experts in cybersecurity.  

All areas of the NadaPay product and cloud infrastructure are in-scope for these assessments, and source code is fully available to the testers in order to maximize the effectiveness and coverage.

We make summary penetration test reports available via our Trust Center.

Vulnerability scanning

NadaPay requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):

  • Static analysis (SAST) testing of code during pull requests and on an ongoing basis
  • Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain • Malicious dependency scanning to prevent the introduction of malware into our software supply chain
  • Dynamic analysis (DAST) of running applications
  • Network vulnerability scanning on a period basis • External attack surface management (EASM) continuously running to discover new external-facing assets

Enterprise security

Endpoint protection

All corporate devices are centrally managed and are equipped with mobile device management software and anti-malware protection. Endpoint security alerts are monitored with 24/7/365 coverage.

Vendor security

NadaPay uses a risk-based approach to vendor security. Factors which influence the inherent risk rating of a vendor include:

  • Access to customer and corporate data
  • Integration with production environments
  • Potential damage to the NadaPay brand

Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.

Secure remote access

NadaPay secures remote access to internal resources using a modern VPN platform built on WireGuard. We also use malware-blocking DNS servers to protect employees and their endpoints while browsing the internet.

Security education

NadaPay provides comprehensive security training for all employees upon onboarding and annually through educational modules on Kobalt.io’s platform. Additionally, all new hires participate in a mandatory live onboarding session focused on key security principles. New engineers also attend a mandatory live session centered around secure coding principles and practices.

These sessions include practical examples and scenarios designed to reinforce understanding and application of best practices in real-world projects. NadaPay regularly updates and refines its educational materials to reflect current threats and the latest trends in cybersecurity.

We actively encourage employees to pursue ongoing education and certification in security, and we conduct regular assessments of knowledge and practical skills to ensure high levels of data and system protection.

Employees also have access to supplementary resources and training through internal platiorms and external partner programs, enabling them to stay at the forefront of security and information protection.

NadaPay’s security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.

Identity and access management

NadaPay uses AWS IAM (Identity and Access Management) to secure our identity and access management. We enforce the use of phishing-resistant authentication factors, using MFA (Multi-Factor Authentication) and secure methods such as WebAuthn or hardware tokens wherever possible.

NadaPay employees are granted access to applications based on their role and are automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.

Data privacy

At NadaPay, data privacy is a first-class priority—we strive to be trustworthy stewards of all sensitive data.

Regulatory Compliance

NadaPay evaluates updates to regulatory and emerging frameworks continuously to evolve our program.  

Privacy Policy

View Nada Pay’s Privacy Policy

NadaPay is a financial technology company and not a bank. Our mission is to simplify payments, enhance financial experiences, and empower businesses and individuals. By using NadaPay's services, you acknowledge and accept the terms outlined in this disclosure. If you have any questions, feel free to reach out to our customer support team.

The NadaPay card is issued by Sunrise Banks N.A., Member FDIC, pursuant to the license from Mastercard International Incorporated. This card may be used everywhere Debit Mastercard is accepted. Mastercard and the circles design are registered trademarks of Mastercard International Incorporated. Use of this card constitutes acceptance of the terms and conditions stated in the Cardholder agreement.

Important information for opening your card account: To help the federal government fight the funding of terrorism and money laundering activities, the USA PATRIOT Act requires all financial institutions and their third parties to obtain, verify and record information that identifies each person who opens a card account.

What this means to you: When you open a card account, we will ask you for your full name, address, date of birth, and other information that will allow us to identify you. We may also ask to see a copy of your driver’s license or other identifying documents.

*KYC typically involves the collection of certain information, such as the legal name, address, date of birth, and Social Security number. Our simple process utilizes the AiPrise network.

Privacy PolicyEULASecurityTrust CentreSupport

Mailing Address

9225 Bay Plaza Blvd
Suite # 417
Tampa, FL 33619