Information Security, Confidentiality & Privacy Policies
Effective Date: July 2026
Last Updated: July 2026
Jurisdiction: Federal Republic of Nigeria
Document Version: 1.0
Formal policy for regulatory and vendor security questionnaires. See also our Privacy Policy, Security Overview, and Compliance Policy.
1.1 Confidentiality Enforcement Procedure
FidemIt maintains documented procedures for enforcing confidentiality and privacy rules:
- Policy framework — Acceptable Use, Information Security, Privacy, and Access Control policies define confidentiality obligations.
- Access restrictions — Role-based access; personnel receive only the access required for their role.
- Data handling rules — Sensitive data must not be copied to personal storage, personal email, or unapproved messaging channels.
- Incident reporting — Suspected data exposure or privacy violations must be reported to security@fidemit.com.
- Enforcement — Violations may result in access restriction, suspension, contract termination, or legal action.
- Annual acknowledgement — Personnel acknowledge confidentiality obligations at onboarding and annually.
1.2 Employee Confidentiality of Information
Information obtained by employees while discharging their responsibilities is kept confidential through:
| Control | How It Is Managed |
|---|---|
| Need-to-know access | Admin, support, and engineering roles scoped to job function |
| Unique credentials | Individual accounts; shared credentials prohibited |
| Activity logging | User and security-relevant actions logged via activity log service |
| Secure communications | Internal systems for operational communication; no customer PII in unapproved channels |
| Offboarding | Access revoked upon role change, resignation, or termination |
| Privacy Policy | Public-facing policy at /privacy |
| NDPA compliance | Personal data handled per Nigeria Data Protection Act requirements |
1.3 Security Procedures for Information Safety
- Encryption in transit (HTTPS/TLS) for all public-facing applications
- JWT-based API authentication with role-based authorization
- Security headers on Next.js and API responses
- Webhook signature validation (Paystack HMAC, VFD authorization)
- Login throttling and reCAPTCHA on authentication endpoints
- KYC document access restricted to authorized admin roles
- Incident response, backup, and recovery procedures documented
- OWASP-aligned vulnerability assessment and penetration testing (VAPT)
2.1 Cloud vs On-Premises
FidemIt hosts data on cloud infrastructure. The company does not operate on-premises data centers or physical server rooms.
| Component | Hosting Model |
|---|---|
| Application (API) | Cloud VPS — Laravel API on managed cloud servers |
| Application (Web/App) | Cloud VPS — Next.js on managed cloud servers |
| Database | Cloud VPS — MySQL on managed cloud infrastructure |
| Media / file storage | Cloud — Cloudinary for user-uploaded images and documents |
| Payment processing | Third-party cloud — Paystack / VFD (card data not stored on FidemIt systems) |
2.2 Cloud Infrastructure Access Controls
Physical server room controls are not applicable. Access is controlled through:
- SSH key-only authentication (password login disabled)
- Firewall (UFW) restricting public ports
- Fail2ban for brute-force protection
- Nginx reverse proxy; application ports not publicly exposed
- MySQL not publicly accessible
- Secrets and credentials stored outside source control
- Periodic server security monitoring (firewall state, TLS certificate validity and expiry, disk usage, service health)
- Privileged access limited to authorized engineering personnel
3.1 User Authentication
| Method | Status |
|---|---|
| Unique username/email credentials | Required for all users |
| Password authentication | Required |
| Two-Factor Authentication (2FA) | Supported (TOTP); optional for users, recommended for admin |
| Single Sign-On (SSO) | Not currently supported |
| reCAPTCHA | Enabled on login flows |
| API throttling | Enabled on login and verification endpoints |
2FA is supported but not mandatory for all users; admin and other privileged accounts are expected to enable it.
3.2 Application Security Standards (OWASP)
FidemIt follows industry best practices aligned with the OWASP Top 10 and OWASP Web Security Testing Guide:
- OWASP VAPT runner and runbook in the security governance pack
- Local VAPT assessment conducted (May 2026) with retest confirming remediation
- Secure authentication, authorization middleware, input validation, and error handling
- Security headers (CSP, HSTS, X-Frame-Options) on frontend routes
- CORS restricted to trusted origins
- Webhook signature validation
- Credentialed VAPT test plan for authenticated attack surface coverage
4.1 Cardholder Data (PCI-DSS)
FidemIt does not store, process, or transmit cardholder data (CHD) on its own systems.
All card payments are handled by PCI-DSS compliant third-party payment processors (Paystack and/or VFD). Card details are entered directly on the payment processor's secure interface; FidemIt receives only transaction tokens, references, and status notifications via signed webhooks.
- FidemIt is a merchant whose card processing is fully outsourced to validated third-party service providers
- Because no cardholder data is stored, processed, or transmitted by FidemIt, there is no cardholder data environment on FidemIt systems
- PCI-DSS compliance documentation for card processing should be obtained from the payment processor
5.1 Security Policies
| Policy | Status |
|---|---|
| IT / Cybersecurity Policy | Documented |
| Acceptable Use Policy | Documented |
| Access Control Policy | Documented |
| Incident Response Policy | Documented |
| Risk Management Policy | Documented |
| Security Awareness Policy | Documented |
| Backup & Recovery Policy | Documented |
Policies are approved by the Founder & Sole Director and communicated to personnel at onboarding and annually.
5.2 Security Awareness
- Acceptable Use Policy documented and communicated at onboarding
- Security awareness training required at onboarding and annually
- Role-specific training for engineering (secure coding, incident reporting)
- Training records retained for audit purposes
5.3 Security Risk Management
- IT/cyber risk assessment conducted at least annually
- OWASP VAPT performed with documented findings and remediation
- Risk register maintained with owners, due dates, and status
- High-risk findings escalated to management
- Latest assessment: OWASP VAPT Local Assessment, May 2026 (with retest)
6.1 Unique User Identities
All users are assigned unique IDs and individual credentials (unique username, email, phone).
6.2 Account Lifecycle
- Accounts suspended or blocked upon policy violation
- Access revoked on resignation, termination, or role change
- Inactive accounts reviewed periodically
- Periodic access reviews conducted for governance
6.3 Activity Logging
User activities and security-relevant events are tracked and logged through the activity log system, including authentication events and material user actions.
7.1 Antivirus / Antimalware
Company-managed endpoints used to access FidemIt systems should run approved antivirus or antimalware protection with real-time scanning and automatic updates.
7.2 Web Traffic Filtering
Internet-facing applications are protected through:
- Application-layer controls: reCAPTCHA, API throttling, security headers
- Server-layer controls: Nginx reverse proxy, firewall, Fail2ban
- Edge/WAF deployment: recommended for production hardening where not yet deployed
8.1 Background Checks
Background checks are conducted for personnel with access to IT systems and customer data prior to granting access, commensurate with role sensitivity.
8.2 Vendor / Contractor Monitoring
Vendor and contractor personnel working on FidemIt systems must:
- Sign confidentiality and acceptable use acknowledgements
- Receive scoped, time-limited access credentials
- Work under supervision of FidemIt engineering leadership
- Have access revoked upon contract completion
Contact
- Security: security@fidemit.com
- Privacy / Compliance: compliance@fidemit.com
- Support: support@fidemit.com