Security
At Nunify, we are dedicated to maintaining the confidentiality, integrity, and availability of our information systems and our customers’ data. We are constantly enhancing our security controls and evaluating their effectiveness to provide confidence in our solution.
Below, we provide an overview of the security controls implemented to safeguard your data.
You can contact our security team at [email protected] for any inquiries or concerns.
Cloud Security
Nunify uses infrastructure from Digital Ocean and Amazon AWS for data center hosting. Our providers' data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 1 and SOC 2 compliant.
Our providers employ robust controls to protect the availability and security of their systems, including backup power, fire detection and suppression equipment, and secure device destruction, among others.
AWS datacentre controls can be found here - https://aws.amazon.com/compliance/data-center/controls/
AWS physical security is documented here - https://aws.amazon.com/compliance/data-center/perimeter-layer/
Security controls of Digital Ocean can be found here - https://www.digitalocean.com/security
Network Security
To ensure that our systems are as secure as possible, we have a dedicated and passionate in-house security team that is available around the clock to respond to any security alerts or events that may arise.
To identify and address potential vulnerabilities, we conduct regular third-party penetration tests against our application and supporting infrastructure. These tests help us to identify any potential weaknesses in our systems, and we track and remediate any findings in a timely manner.
In addition to penetration testing, we use a range of threat detection services and perform regular vulnerability scanning to continuously monitor for any malicious or unauthorized activity. This helps us to stay one step ahead of potential attackers and keep our systems secure.
To protect against DDoS attacks, we have multiple layers of protection in place. This includes the use of Cloudflare’s sophisticated CDN with built-in DDoS protection, as well as application-specific mitigation techniques. This layered approach helps us to effectively mitigate against DDoS threats and keep our platform available and accessible to our users.
Access to our systems is strictly controlled and limited to the least privilege model required for our staff to carry out their job duties. This access is subject to frequent internal audit and technical enforcement to ensure compliance with our security policies. Furthermore, we require all of our production systems to use two-factor authentication to add an additional layer of security and protect against unauthorized access.
In conclusion, our security measures are designed to protect against a range of potential threats and ensure the confidentiality, integrity, and availability of our platform and its users. We are committed to providing a secure and reliable platform for our users, and will continue to invest in our security measures to ensure that they remain effective.
Encryption
In Transit
Communication with Nunify is encrypted with TLS 1.2 or higher over public networks.
At Rest
Nunify data is encrypted at rest with industry standard AES-256 encryption.
Continuity & Availability
Disaster Recovery
In the event of a major regional outage, Nunify has the capacity to deploy our application to an alternative hosting region. Our Disaster Recovery plan guarantees the continued availability of services and facilitates a swift recovery in the event of a disaster. This plan undergoes regular testing and review to identify opportunities for improvement or automation. DR deployment is managed using the same configuration management and release processes as our production environment, ensuring the proper application of all security configurations and controls.
Uptime
Nunify is hosted on a public cloud platform and employs multiple availability zones to ensure availability. The system is designed to scale dynamically based on measured and anticipated load. We regularly perform simulated load tests and API response time tests as part of our release and testing cycle.
Application Security
The Quality Assurance team at Nunify conducts regular reviews and tests of the codebase. The security team is equipped to investigate and recommend solutions for any identified vulnerabilities in the code. The QA team is provided with regular training and security resources to ensure the integrity of the codebase. Testing, staging and production environments are logically separated from one another. No customer data is used in any development or test environment.
Personnel Security
Nunify offers a thorough Security Awareness Training program that is provided to all new hires within 30 days of their start date and annually to all employees. We also provide quarterly focused training to key departments on topics such as Secure Coding, Data Legislation, and Compliance obligations.
Our company has a comprehensive set of information security policies that cover a wide range of topics. These policies are distributed to all employees and contractors, and we track acknowledgement of key policies such as Acceptable Use, Information Security Policy, and our Employee Handbook.
All Nunify employees undergo a thorough background check prior to being hired, which includes a review of criminal history for the past 5 years where permitted by law and verification of employment for the past 5 years.
All employees are required to sign Non-Disclosure and Confidentiality agreements as a condition of their employment.
Access to our systems and network devices is granted based on a documented and approved request process. Logical access to our platform servers and management systems requires the use of two-factor authentication. We regularly verify that the owner of a user ID is still employed by our company and holds the appropriate role. Access is further restricted by system permissions that follow the principle of least privilege, and all permissions require documented business justification. Any exceptions identified during the verification process are promptly addressed. We also reevaluate the business need for access on a quarterly basis to ensure that access is consistent with the user’s job function. Any exceptions identified during this process are also addressed. User access is automatically revoked upon termination of employment or change of job role.
Data Privacy
Nunify is compliant with the European Union's General Data Protection Regulation (GDPR). As a card not present merchant, we outsource our cardholder functions to a PCI-DSS Level 1 service provider. A copy of our SAQ-A can be provided upon request. Our privacy policy, which outlines how we handle data input into Nunify, can be found at /privacy. Should you have any privacy-related questions or concerns, please contact us at [email protected].