Information Security Policy

Introduction

This Information Security Policy outlines the security measures and practices implemented by Figo Boost Inc. ("Figo") to protect the confidentiality, integrity, and availability of information and systems.

Scope

This policy applies to:

  • All Figo employees, contractors, and third-party service providers
  • All information systems, networks, and data owned or managed by Figo
  • All customer and transaction data processed through our platform

Information Security Objectives

  • Confidentiality: Ensure that information is accessible only to authorized individuals
  • Integrity: Maintain the accuracy and completeness of information
  • Availability: Ensure that authorized users have access to information when needed
  • Compliance: Meet all applicable legal and regulatory requirements

Data Classification

Highly Confidential

  • Customer personal identification information (PII)
  • Financial account information
  • Cryptographic keys and wallet credentials
  • Authentication credentials

Confidential

  • Transaction records
  • Business contracts and agreements
  • Internal operational data

Access Control

User Access Management

  • Access is granted based on the principle of least privilege
  • User accounts are created only after proper authorization
  • Access rights are reviewed quarterly
  • Terminated employee access is revoked immediately

Authentication

  • Multi-factor authentication (MFA) is required for all system access
  • Strong password policies are enforced
  • Session timeouts are implemented
  • Failed login attempts are monitored and limited

Data Protection

Encryption

  • Data in Transit: All data transmitted over networks is encrypted using TLS 1.3 or higher
  • Data at Rest: Sensitive data stored in databases and file systems is encrypted using AES-256
  • Cryptographic Keys: Keys are stored in hardware security modules (HSMs) or secure key management systems

Data Backup and Recovery

  • Automated backups are performed daily
  • Backups are encrypted and stored in geographically distributed locations
  • Backup restoration procedures are tested quarterly
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours

Network Security

  • Firewalls protect all network perimeters
  • Intrusion detection and prevention systems (IDS/IPS) are deployed
  • Network segmentation isolates sensitive systems
  • Regular vulnerability scanning and penetration testing are conducted
  • DDoS protection mechanisms are in place

Incident Response

Incident Detection

  • 24/7 security monitoring and alerting
  • Security Information and Event Management (SIEM) system
  • Automated threat detection

Incident Response Process

  • Identification: Detect and confirm security incidents
  • Containment: Isolate affected systems to prevent spread
  • Eradication: Remove the threat from the environment
  • Recovery: Restore systems to normal operation
  • Lessons Learned: Document and improve security measures

Notification

In the event of a data breach affecting customer information:

  • Affected customers will be notified within 72 hours
  • Regulatory authorities will be notified as required by law
  • Incident details and remediation steps will be communicated

Compliance and Auditing

  • Regular internal security audits
  • Annual third-party security assessments
  • Compliance with PCI DSS, SOC 2, and other relevant standards
  • Security logs retained for a minimum of 1 year

Reporting Security Concerns

If you discover a security vulnerability or have concerns about our security practices, please report them immediately to: security@spendfigo.com

Contact Information

For questions about this policy, contact us at: hi@spendfigo.com