Last Updated: 23 Oct 2025

Effective Date: 18 September 2023

Issued by: Neobank Capital

Applies to: All employees, contractors, and authorized third parties of Neobank Capital and its affiliates.


1. Purpose

This policy establishes the technical and organizational measures that Neobank Capital implements to ensure the confidentiality, integrity, and availability of personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Our goal is to safeguard all data processed through our decentralized fintech platforms, APIs, and online systems against unauthorized access, loss, misuse, or unlawful disclosure.


2. Scope

This policy applies to:

  1. All systems, applications, networks, and devices operated or managed by Neobank Capital;
  2. All employees, contractors, vendors, and partners who access Neobank Capital systems or handle customer or partner data;
  3. All personal data processed by Neobank Capital, regardless of format (digital or physical).

3. Guiding Principles

All data security activities within Neobank Capital are governed by the following GDPR principles:

  1. Lawfulness, Fairness, and Transparency: Processing is conducted lawfully, transparently, and in ways that respect data subjects’ rights.
  2. Data Minimization: Access is granted strictly on a “need-to-know” basis.
  3. Integrity and Confidentiality: Personal data is protected by strong technical and organizational security measures.
  4. Accountability: Neobank Capital maintains full documentation of access rights, controls, and incident logs.

4. Information Security Framework

Neobank Capital maintains an Information Security Management System (ISMS) consistent with ISO 27001 principles.

The ISMS ensures that:

  1. Risks are continuously identified, assessed, and mitigated.
  2. Security controls are proportionate to the level of risk.
  3. Policies and controls are reviewed at least annually.

5. Access Control Policy

5.1 Access Authorization

  1. Access to personal data is granted only to individuals with a legitimate business need.
  2. All access requests require documented approval by management.
  3. Access rights are regularly reviewed and revoked upon role changes or termination.

5.2 Authentication

  1. All user accounts must use strong authentication mechanisms (e.g., unique credentials, MFA).
  2. Shared or generic accounts are prohibited.
  3. Password policies meet or exceed NIST standards.

5.3 Role-Based Access Control (RBAC)

  1. Users are assigned roles based on job function.
  2. Administrative privileges are limited to authorized personnel only.
  3. Logs of administrative activity are retained for audit purposes.

5.4 Third-Party Access

  1. Third-party vendors are granted access only under written agreements that define data protection and confidentiality obligations.
  2. All third-party access is monitored and logged.

6. Data Encryption and Transmission

  1. Personal data at rest is encrypted using AES-256 or equivalent.
  2. Data in transit is protected via TLS 1.2+ or equivalent secure protocols.
  3. Encryption keys are stored securely and rotated periodically.

7. Network and Infrastructure Security

  1. Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are deployed and monitored.
  2. Systems are patched regularly to mitigate known vulnerabilities.
  3. Network segmentation is enforced between production and non-production environments.

8. Data Retention and Disposal

  1. Data retention aligns with our Global Privacy Policy and applicable legal requirements.
  2. When no longer needed, data is securely deleted or anonymized using certified destruction methods.
  3. Backup data is encrypted and subject to the same access controls.

9. Logging and Monitoring

  1. System access, changes, and security events are logged and reviewed regularly.
  2. Logs are retained for a minimum of 12 months unless legal obligations require longer retention.
  3. Anomalies are escalated to the Security and Compliance Team.

10. Incident Response and Breach Notification

  1. Any suspected or confirmed data breach must be reported immediately to the Data Protection Officer (DPO).
  2. Incidents are investigated, documented, and remediated according to the Incident Response Procedure.
  3. In the event of a personal data breach, Neobank Capital will notify the relevant Data Protection Authority (DPA) and affected individuals within 72 hours, as required by GDPR Article 33.

11. Physical Security

  1. Access to physical facilities and servers is restricted to authorized personnel.
  2. Visitors must sign in, wear identification badges, and be escorted.
  3. Devices containing personal data must be securely locked or stored when unattended.

12. Employee Responsibilities

  1. Employees must complete annual GDPR and information security training.
  2. Employees must immediately report any suspicious activity or policy violations.
  3. Unauthorized access, use, or disclosure of data may result in disciplinary action.

13. Data Protection Officer (DPO)

The DPO oversees GDPR compliance and information security governance.

Contact:

Global Data Protection Officer

📧 privacy@neobank.capital


14. Policy Review

This policy will be reviewed annually or upon significant changes to Neobank Capital’s technology, operations, or regulatory environment.

All changes will be documented and communicated to relevant stakeholders.

...