Effective Date: 21 February 2025
Introduction
At Southern Crossed Technologies, trading as NextlevelPay ("we," "us," or "our"), we are committed to safeguarding the security and confidentiality of your data. This Security Policy details the measures we take to protect the information entrusted to us through our payment gateway integration services on the GoHighLevel platform, which connects with Paystack and Payfast. Our security practices are designed to ensure the integrity, availability, and confidentiality of your data while adhering to industry standards and best practices.
While we do not store sensitive payment information such as credit card details, we handle other sensitive data, including API keys and OAuth tokens, which require stringent protection. This policy outlines our approach to data security, access control, vulnerability management, and more.
1. Data Encryption
We employ robust encryption methods to protect your data:
- Data at Rest: All data stored on our servers, including OAuth tokens and transaction records, is encrypted using industry-standard encryption methods (e.g., AES-256). We rely on Google Cloud for data storage, which provides encryption at rest as part of its compliance offerings. For more details, see Google Cloud Compliance.
- Data in Transit: All data transmitted between your systems, our services, and third-party platforms is secured using TLS 1.2 or higher, ensuring that information remains confidential and protected from interception.
2. Access Control
Access to sensitive data and systems is strictly controlled:
- Role-Based Access Control (RBAC): We implement RBAC to ensure that only authorized personnel have access to specific data and systems based on their job responsibilities.
- Multi-Factor Authentication (MFA): MFA is enforced for all administrative and privileged accounts to add an extra layer of security.
- Credential Management: API keys, OAuth tokens, and other credentials are stored securely using encrypted vaults. Access to these credentials is restricted to their owners and authorized personnel only.
3. Vulnerability Management
We proactively manage security vulnerabilities to protect our services:
- Regular Security Audits: We conduct periodic security audits and penetration testing to identify and address potential weaknesses in our systems.
- Patch Management: We maintain a rigorous patching schedule for all software, dependencies, and systems to ensure that known vulnerabilities are promptly addressed.
- Secure Development Practices: Our development team follows secure coding practices, including regular code reviews and static analysis, to minimize the risk of introducing vulnerabilities.
4. Monitoring and Incident Response
We maintain continuous monitoring and a structured response plan for security incidents:
- Monitoring: We use Sentry (Sentry Security) to monitor application errors, performance issues, and potential security anomalies. Additionally, we employ security information and event management (SIEM) tools to detect suspicious activity.
- Incident Response: Our dedicated security team follows a predefined incident response plan to quickly identify, contain, and mitigate security incidents. We also conduct post-incident reviews to improve our processes.
- User Notifications: In the event of a security breach that affects your data, we will notify you promptly, in accordance with legal requirements.
5. Compliance
While we do not directly handle payment card data, we ensure our security practices align with industry standards:
- PCI-DSS Alignment: Although we do not store cardholder data, we follow best practices inspired by the Payment Card Industry Data Security Standard (PCI-DSS) for secure software development and data handling.
- POPIA Compliance: We adhere to the Protection of Personal Information Act (POPIA) in South Africa, ensuring that personal data is processed lawfully and securely.
- Third-Party Compliance: We rely on third-party services like Paystack, Payfast, and GoHighLevel, which maintain their own compliance certifications. For details, see Paystack Compliance, Payfast Compliance, and GoHighLevel Privacy and Security.
6. Physical Security
As a cloud-based service, we do not maintain physical servers. However, our cloud provider, Google Cloud, ensures robust physical security for its data centers, including:
- 24/7 monitoring and surveillance.
- Restricted access to data centers.
- Environmental controls to protect hardware.
For more information, refer to Google Cloud Physical Security.
7. Third-Party Security
We carefully manage security risks associated with third-party integrations:
- Vendor Vetting: We assess the security practices of third-party services, including Paystack, Payfast, and GoHighLevel, to ensure they meet our security standards.
- Secure Integrations: Our integrations with these platforms are designed to minimize data exposure, using secure API calls and scoped OAuth tokens to limit access.
8. Employee Training and Awareness
Human error is a significant security risk, so we prioritize security education:
- Security Training: All employees undergo regular security awareness training to understand best practices, recognize phishing attempts, and handle sensitive data appropriately.
- Internal Policies: We enforce strict internal security policies, including password management, secure communication, and incident reporting.
9. Ongoing Commitment to Security
Security is an ongoing priority at NextlevelPay. We continuously review and update our security practices to address emerging threats and adapt to changes in technology. Our security team regularly evaluates our policies, conducts risk assessments, and implements improvements to maintain the highest level of protection for your data.
10. Contact Us
If you have any questions or concerns about our security practices, please contact us at:
By using NextlevelPay, you acknowledge our commitment to maintaining robust security measures as outlined in this Security Policy.
17 Colchester Crescent, Parklands, Cape Town, 7441
Copyright 2025. Southern Crossed Technologies. All Rights Reserved. Company Registration Number: 2020 / 653404 / 07