Data Protection and Encryption Policy

Home

Last Updated: 22 Oct 2025

Effective Date: 18 september 2023

Issued by: Neobank Capital

Approved by: Chief Information Security Officer (CISO) & Data Protection Officer (DPO)

1. Purpose

This Data Protection and Encryption Policy establishes the security standards and technical controls used by Neobank Capital to protect all personal, financial, and confidential information handled across our platforms, infrastructure, and partner networks.

The goal is to ensure that data is collected, stored, transmitted, and processed securely, in accordance with:

  1. GDPR Articles 5, 25, 32, and 34
  2. UK GDPR and the Data Protection Act 2018
  3. ISO/IEC 27001 & 27018 (Cloud Security & Privacy)
  4. NIST SP 800-53 and 800-171
  5. Relevant U.S. and international data protection laws

2. Scope

This policy applies to:

  1. All Neobank Capital systems, cloud environments, databases, and applications.
  2. All employees, contractors, vendors, and partners with access to company data.
  3. All categories of data processed by the company, including:
  4. Customer personal data
  5. Financial transaction records
  6. Authentication credentials
  7. API keys, cryptographic material, and internal business information

3. Policy Objectives

Neobank Capital commits to the following data protection principles:

  1. Confidentiality – Information is accessible only to authorized persons.
  2. Integrity – Information is accurate, complete, and protected from unauthorized modification.
  3. Availability – Information and systems are available when needed.
  4. Accountability – All data handling actions are logged, traceable, and auditable.
  5. Privacy by Design – Every new system or process integrates security and data minimization principles from inception.

4. Data Classification

Neobank Capital classifies all information into four sensitivity levels to determine the required protection measures:

Classification

Description

Examples

Public

Information approved for public release.

Marketing materials, website content

Internal

Limited to internal business use.

Internal memos, process docs

Confidential

Restricted data that could impact business or clients if disclosed.

Customer records, contracts

Highly Confidential

Critical or regulated data requiring the highest protection.

Financial data, private keys, PII, authentication tokens

5. Encryption Standards

All personal, financial, and confidential data must be encrypted in transit and at rest using industry-approved algorithms and key management practices.

5.1 Encryption In Transit

  1. Protocol: TLS 1.3 (minimum) with strong cipher suites.
  2. Email: Encrypted via TLS/SSL or end-to-end (PGP/S/MIME) for sensitive correspondence.
  3. API Communications: All REST or GraphQL APIs must use HTTPS only; unencrypted endpoints are strictly prohibited.
  4. VPN / Remote Access: Secure via AES-256 or equivalent encryption; MFA is mandatory.

5.2 Encryption At Rest

  1. Databases: AES-256 or stronger full-disk encryption.
  2. Cloud Storage: Encrypted at the storage layer using provider-native encryption (AWS KMS, Azure Key Vault, GCP KMS).
  3. Backups: All backups are encrypted prior to transfer or storage; stored in geo-redundant secure regions.
  4. Mobile Devices: Company-issued devices must use full-disk encryption and remote wipe capability.

5.3 Key Management

  1. All cryptographic keys must be managed using Hardware Security Modules (HSMs) or cloud-native key management systems.
  2. Keys are rotated periodically and immediately revoked if compromised.
  3. Private keys are never stored in plaintext or shared over unencrypted channels.
  4. Access to cryptographic material is limited to authorized security personnel under strict access control policies.

6. Data Protection Controls

6.1 Access Control

  1. Multi-Factor Authentication (MFA) is mandatory for all systems handling confidential data.
  2. Role-Based Access Control (RBAC) is enforced; least privilege principle applies.
  3. Access logs are monitored and retained for a minimum of 12 months.

6.2 Data Minimization

  1. Only the minimum personal data necessary for operational purposes is collected.
  2. Sensitive identifiers (e.g., SSN, passport number) are masked or hashed where possible.
  3. Temporary or test data sets must be pseudonymized or anonymized.

6.3 Data Retention

  1. Data is retained only for as long as necessary to fulfill contractual, operational, or legal obligations.
  2. Once no longer required, data is securely deleted using NIST SP 800-88 compliant methods.

6.4 Logging and Monitoring

  1. Security logs are centralized, time-synchronized, and monitored 24/7.
  2. Automated alerts trigger when suspicious access, data exfiltration, or failed login patterns are detected.

6.5 Vendor & Third-Party Data Protection

  1. All third-party service providers must comply with Neobank Capital’s Data Protection Addendum (DPA).
  2. Vendors must demonstrate encryption compliance equivalent to this policy before data exchange begins.
  3. Periodic security assessments and audits are mandatory for high-risk vendors.

7. Special Protections for Decentralized Systems

As Neobank Capital operates decentralized financial technology, specific controls apply:

  1. Private Keys & Wallet Data: Encrypted using HSM-backed key vaults with quorum-based access policies.
  2. Blockchain Nodes: Operate within secure cloud environments with network isolation and strict identity validation.
  3. Transaction Metadata: Pseudonymized before storage in analytics or monitoring systems.
  4. Smart Contracts: Audited for data exposure and vulnerabilities prior to deployment.

8. Incident Management

In the event of a suspected or confirmed data breach:

  1. The incident must be reported immediately to the Information Security Team and DPO.
  2. The Incident Response Plan is activated within one hour of detection.
  3. For GDPR-covered data, the DPO ensures regulatory notification within 72 hours if required.
  4. All incidents are logged, investigated, and corrective measures are documented.

9. Employee Responsibilities

  1. Employees must safeguard all devices and accounts with strong, unique passwords and MFA.
  2. No personal or confidential data may be stored on unapproved devices or media.
  3. Data sharing must occur only through secure company channels (encrypted email, secure portal, etc.).
  4. Security awareness and data protection training are required annually.

10. Compliance and Auditing

  1. Regular penetration tests and vulnerability assessments are performed at least twice per year.
  2. Internal audits verify compliance with GDPR, PCI DSS, and this policy.
  3. The CISO and DPO jointly review encryption controls annually.
  4. Non-compliance may result in disciplinary action or contract termination.

11. Review and Maintenance

This policy is reviewed annually or whenever significant regulatory, operational, or technological changes occur.

All updates must be approved by the Chief Information Security Officer (CISO) and Data Protection Officer (DPO).

12. Contact Information

Data Protection Officer (DPO)

📧 privacy@neobank.capital

📍 Neobank Capital – Global Privacy Office

2355 116 74, Stockholm, Sweden

On this Page
Contents 1. Purpose 2. Scope 3. Policy Objectives 4. Data Classification 5. Encryption Standards 6. Data Protection Controls 7. Special Protections for Decentralized Systems 8. Incident Management 9. Employee Responsibilities 10. Compliance and Auditing 11. Review and Maintenance 12. Contact Information

© 2025 Neobank Capital Legal Center | Privacy & Compliance Hub

Support
Marketing
...