Security Policy - Bittenpay

Last Updated: 15 September 2025

1. COMPANY INFORMATION

Company Name: DIGIFABRICA LTD
Company Number: 15390190
Registered Office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Email: info@bittenpay.com
Director: Ümit Sönmez

2. INTRODUCTION

This Security Policy establishes DIGIFABRICA’s comprehensive approach to information security, data protection, and cybersecurity for our digital marketplace platform. This policy ensures the confidentiality, integrity, and availability of our systems, data, and services while protecting users, vendors, affiliates, and business operations from security threats.

3. SECURITY GOVERNANCE AND FRAMEWORK

3.1 Security Governance Structure

Security Leadership:

Chief Information Security Officer (CISO) – Executive responsibility
Security Operations Team – Day-to-day security management
IT Infrastructure Team – Technical implementation and maintenance
Compliance Team – Regulatory and policy compliance oversight
External Security Advisors – Independent expertise and assessment

Security Committee:

Quarterly security review and strategy meetings
Risk assessment and mitigation planning
Security incident response and lessons learned
Budget allocation and resource planning
Policy review and update procedures

3.2 Security Framework Standards

International Standards Compliance:

ISO 27001 Information Security Management System
NIST Cybersecurity Framework implementation
OWASP Top 10 web application security guidelines
PCI DSS compliance for payment card data handling
SOC 2 Type II controls for service organizations

Regulatory Compliance:

UK GDPR and Data Protection Act 2018
Network and Information Systems (NIS) Regulations
Electronic Commerce Regulations compliance
Financial Services security requirements
Industry-specific security standards

4. INFORMATION CLASSIFICATION AND HANDLING

4.1 Data Classification Framework

Classification Levels:

Public Information:

Marketing materials and public documentation
Published policies and terms of service
Public pricing and product information
Press releases and public announcements

Internal Information:

Business processes and procedures
Internal communications and documentation
Non-sensitive operational data
General business intelligence

Confidential Information:

Customer personal and payment data
Vendor and affiliate financial information
Business strategies and plans
Technical system configurations
Third-party confidential information

Restricted Information:

Authentication credentials and security tokens
Encryption keys and security certificates
Legal and regulatory investigation data
High-value intellectual property
Executive and board communications

4.2 Data Handling Requirements

Access Controls:

Role-based access control (RBAC) implementation
Principle of least privilege enforcement
Regular access reviews and certifications
Segregation of duties for critical functions
Multi-factor authentication for privileged access

Data Protection Measures:

Encryption at rest for all sensitive data
Encryption in transit for all data communications
Secure data backup and recovery procedures
Data loss prevention (DLP) systems
Regular data integrity verification

5. TECHNICAL SECURITY CONTROLS

5.1 Network Security

Network Architecture:

Segmented network design with VLANs
Firewall protection with intrusion detection/prevention
DMZ (Demilitarized Zone) for public-facing services
VPN access for remote administration
Network access control (NAC) implementation

Security Monitoring:

24/7 network security monitoring
Real-time threat detection and alerting
Network traffic analysis and anomaly detection
Security information and event management (SIEM)
Regular vulnerability scanning and assessment

5.2 Application Security

Secure Development Lifecycle:

Security requirements integration in development
Secure coding standards and practices
Regular security code reviews and testing
Static and dynamic application security testing
Third-party security assessment and penetration testing

Application Protection:

Web application firewall (WAF) implementation
API security and rate limiting
Input validation and output encoding
SQL injection and XSS protection
Session management and authentication controls

5.3 Infrastructure Security

Server and System Security:

Hardened operating system configurations
Regular security patching and updates
Endpoint detection and response (EDR) systems
Antivirus and anti-malware protection
System configuration management and monitoring

Cloud Security:

Cloud service provider security assessment
Shared responsibility model implementation
Cloud access security broker (CASB) deployment
Identity and access management (IAM) controls
Cloud workload protection platforms

6. IDENTITY AND ACCESS MANAGEMENT

6.1 User Authentication

Authentication Requirements:

Strong password policies and complexity requirements
Multi-factor authentication (MFA) for all user accounts
Single sign-on (SSO) integration where appropriate
Regular password rotation and security assessments
Account lockout and intrusion detection mechanisms

Privileged Access Management:

Dedicated privileged access management (PAM) solution
Just-in-time access provisioning
Privileged session monitoring and recording
Regular privileged account reviews and certifications
Emergency access procedures and controls

6.2 Authorization and Access Control

Access Control Framework:

Role-based access control (RBAC) system
Attribute-based access control (ABAC) where appropriate
Regular access reviews and re-certifications
Automated provisioning and de-provisioning
Segregation of duties enforcement

Account Management:

Standardized account creation and termination procedures
Regular account activity monitoring and review
Dormant account identification and management
Guest and temporary account controls
Service account management and monitoring

7. DATA SECURITY AND PRIVACY

7.1 Data Encryption

Encryption Standards:

AES-256 encryption for data at rest
TLS 1.3 for data in transit
End-to-end encryption for sensitive communications
Hardware security modules (HSM) for key management
Regular encryption key rotation and management

Key Management:

Centralized key management system
Secure key generation and distribution
Key escrow and recovery procedures
Regular key rotation and lifecycle management
Hardware-based key storage and protection

7.2 Data Loss Prevention

DLP Implementation:

Content inspection and classification
Data movement monitoring and control
Endpoint DLP for user devices
Email and web traffic monitoring
Cloud application data protection

Data Backup and Recovery:

Regular automated backup procedures
Encrypted backup storage and transmission
Regular backup testing and verification
Disaster recovery and business continuity planning
Geographic backup distribution and redundancy

8. PAYMENT SECURITY

8.1 PCI DSS Compliance

Payment Card Industry Standards:

PCI DSS Level 1 compliance maintenance
Annual security assessments and certifications
Quarterly vulnerability scanning and remediation
Secure payment processing and tokenization
Regular compliance training and awareness

Payment Data Protection:

Tokenization of payment card data
Point-to-point encryption (P2PE) implementation
Secure payment processing environments
Regular payment system security testing
Third-party payment processor security validation

8.2 Financial Data Security

Financial Information Protection:

Segregated financial data processing systems
Enhanced access controls for financial data
Real-time fraud detection and prevention
Anti-money laundering (AML) system integration
Regular financial system security audits

9. SECURITY MONITORING AND INCIDENT RESPONSE

9.1 Security Operations Center (SOC)

24/7 Security Monitoring:

Continuous security event monitoring and analysis
Real-time threat detection and alerting
Security incident triage and escalation
Threat intelligence integration and analysis
Security metrics and dashboard reporting

Threat Detection Capabilities:

Signature-based detection systems
Behavioral analytics and anomaly detection
Machine learning-based threat detection
Threat hunting and proactive investigation
Integration with external threat intelligence feeds

9.2 Incident Response Program

Incident Response Team:

Dedicated incident response team with defined roles
24/7 incident response capability
Regular incident response training and exercises
External incident response partner relationships
Post-incident review and improvement processes

Incident Response Process:

Detection and Analysis: Identify and assess security incidents
Containment and Eradication: Isolate and eliminate threats
Recovery and Restoration: Restore normal operations safely
Communication: Notify stakeholders and authorities as required
Lessons Learned: Conduct post-incident analysis and improvement

9.3 Security Incident Classification

Incident Severity Levels:

Critical (P1):

Active data breach or unauthorized access
Payment system compromise or fraud
Complete system outage or unavailability
Malware infection or ransomware attack
Response time: Immediate (within 15 minutes)

High (P2):

Attempted unauthorized access or intrusion
Security control failure or bypass
Suspected data leakage or exposure
Denial of service attacks
Response time: Within 1 hour

Medium (P3):

Security policy violations
Suspicious network activity
Failed security controls or monitoring
Minor data exposure incidents
Response time: Within 4 hours

Low (P4):

Security awareness and training issues
Minor configuration vulnerabilities
Routine security maintenance issues
Non-critical security notifications
Response time: Within 24 hours

10. VULNERABILITY MANAGEMENT

10.1 Vulnerability Assessment Program

Regular Assessment Activities:

Weekly automated vulnerability scanning
Monthly manual security assessments
Quarterly penetration testing exercises
Annual comprehensive security audits
Continuous threat and risk assessments

Assessment Scope:

Web applications and APIs
Network infrastructure and devices
Operating systems and applications
Cloud services and configurations
Third-party integrations and services

10.2 Patch Management

Patch Management Process:

Automated patch deployment for critical updates
Regular patch testing and validation procedures
Emergency patching for zero-day vulnerabilities
Patch deployment scheduling and coordination
Patch compliance monitoring and reporting

Patch Priority Framework:

Critical: Deploy within 24 hours
High: Deploy within 7 days
Medium: Deploy within 30 days
Low: Deploy within quarterly maintenance windows

11. THIRD-PARTY SECURITY

11.1 Vendor Security Assessment

Vendor Evaluation Process:

Security questionnaire and assessment
Third-party security certifications verification
Security control testing and validation
Regular vendor security reviews and audits
Contract security requirements and SLAs

Ongoing Vendor Management:

Regular security performance monitoring
Incident notification and response requirements
Security breach notification obligations
Regular vendor security reassessments
Contract security requirement updates

11.2 Supply Chain Security

Supply Chain Risk Management:

Vendor risk assessment and classification
Supply chain security requirements definition
Regular supplier security monitoring
Supply chain incident response procedures
Alternative supplier identification and qualification

12. BUSINESS CONTINUITY AND DISASTER RECOVERY

12.1 Business Continuity Planning

Continuity Framework:

Business impact analysis and risk assessment
Critical business function identification
Recovery time and point objectives definition
Continuity strategy development and implementation
Regular plan testing and validation

Operational Resilience:

Redundant system design and implementation
Geographic distribution of critical services
Alternative processing and service delivery
Staff cross-training and succession planning
Regular resilience testing and exercises

12.2 Disaster Recovery

Recovery Capabilities:

Hot standby systems for critical services
Regular data backup and replication
Disaster recovery site operations
Recovery procedure documentation and testing
Regular recovery time objective (RTO) validation

Recovery Testing:

Monthly backup restoration testing
Quarterly disaster recovery exercises
Annual full-scale disaster simulation
Recovery procedure validation and updates
Staff training and competency assessment

13. SECURITY AWARENESS AND TRAINING

13.1 Security Education Program

Training Requirements:

Annual security awareness training for all staff
Role-specific security training programs
New employee security orientation
Regular security update communications
Specialized security training for technical staff

Training Content:

Phishing and social engineering awareness
Password security and authentication best practices
Data handling and classification procedures
Incident reporting and response procedures
Regulatory compliance requirements

13.2 Security Culture Development

Culture Initiatives:

Regular security communications and updates
Security awareness campaigns and events
Security performance metrics and recognition
Security suggestion and improvement programs
Executive security leadership and messaging

14. COMPLIANCE AND AUDIT

14.1 Regulatory Compliance

Compliance Management:

Regular compliance assessment and monitoring
Regulatory requirement tracking and implementation
Compliance training and awareness programs
Regulatory reporting and notification procedures
External compliance validation and certification

Key Regulations:

UK GDPR and Data Protection Act 2018
PCI DSS payment card industry standards
NIS Regulations network and information security
Financial services security requirements
Industry-specific compliance obligations

14.2 Security Auditing

Internal Audit Program:

Regular internal security audits and assessments
Security control testing and validation
Compliance verification and documentation
Audit finding remediation and tracking
Continuous improvement and optimization

External Audit Requirements:

Annual third-party security assessments
Independent penetration testing and validation
Compliance certification and validation
Regulatory examination and inspection
Customer and partner security audits

15. PRIVACY AND DATA PROTECTION

15.1 Privacy by Design

Privacy Implementation:

Privacy impact assessments for new systems
Data minimization and purpose limitation
Privacy-enhancing technologies deployment
Regular privacy compliance monitoring
Data subject rights management and response

15.2 Data Subject Rights

Rights Management:

Data subject access request procedures
Data portability and export capabilities
Data correction and update mechanisms
Data deletion and erasure procedures
Consent management and tracking systems

16. INTERNATIONAL SECURITY CONSIDERATIONS

16.1 Cross-Border Data Protection

International Compliance:

Adequacy decision compliance for data transfers
Standard contractual clauses implementation
International data transfer impact assessments
Local data residency requirements compliance
Cross-border incident notification procedures

16.2 Global Security Standards

International Alignment:

Multi-jurisdictional regulatory compliance
International security standard implementation
Global security best practice adoption
Cross-border security cooperation and coordination
Cultural and legal consideration integration

17. EMERGING THREATS AND TECHNOLOGIES

17.1 Threat Intelligence

Intelligence Program:

External threat intelligence feed integration
Internal threat research and analysis
Industry threat information sharing
Government security alert monitoring
Threat landscape assessment and reporting

17.2 Emerging Technology Security

Technology Assessment:

Artificial intelligence and machine learning security
Cloud-native security architecture
Zero-trust security model implementation
DevSecOps and secure development practices
Internet of Things (IoT) security considerations

18. SECURITY METRICS AND REPORTING

18.1 Security Performance Metrics

Key Performance Indicators:

Mean time to detection (MTTD) and response (MTTR)
Security incident frequency and severity trends
Vulnerability identification and remediation rates
Security training completion and effectiveness
Compliance assessment scores and improvements

18.2 Security Reporting

Reporting Framework:

Executive security dashboard and scorecards
Regular security posture reports and assessments
Incident summary and trend analysis
Compliance status and certification reports
Security investment and ROI analysis

19. CONTACT INFORMATION

19.1 Security Team Contact

General Security Inquiries:

Email: info@bittenpay.com
Subject: “Security Policy Question”
Response time: Within 24 hours

19.2 Security Incident Reporting

Incident Reporting:

Email: info@bittenpay.com
Subject: “URGENT – Security Incident Report”
Phone: Available for critical incidents
24/7 incident response availability

19.3 Vulnerability Reporting

Responsible Disclosure:

Email: info@bittenpay.com
Subject: “Security Vulnerability Report”
Encrypted communication available
Vulnerability disclosure and coordination

20. POLICY UPDATES

20.1 Regular Review Process

Review Schedule:

Annual comprehensive security policy review
Quarterly threat landscape and control assessment
Immediate updates for significant threats or incidents
Regular regulatory and compliance requirement updates
User feedback and improvement integration

20.2 Change Management

Update Procedures:

Security policy change approval process
Impact assessment and risk evaluation
Stakeholder consultation and feedback
Implementation planning and coordination
Training and awareness for policy changes

21. GOVERNING LAW

This Security Policy is governed by UK law and complies with applicable UK and international security, privacy, and data protection regulations.

22. ACKNOWLEDGMENT

All employees, contractors, and users acknowledge understanding of and agreement to comply with this Security Policy as a condition of system access and platform participation.