Information Security, Confidentiality & Privacy Policies

Effective Date: July 2026

Last Updated: July 2026

Jurisdiction: Federal Republic of Nigeria

Document Version: 1.0

Formal policy for regulatory and vendor security questionnaires. See also our Privacy Policy, Security Overview, and Compliance Policy.

1.1 Confidentiality Enforcement Procedure

FidemIt maintains documented procedures for enforcing confidentiality and privacy rules:

  1. Policy framework — Acceptable Use, Information Security, Privacy, and Access Control policies define confidentiality obligations.
  2. Access restrictions — Role-based access; personnel receive only the access required for their role.
  3. Data handling rules — Sensitive data must not be copied to personal storage, personal email, or unapproved messaging channels.
  4. Incident reporting — Suspected data exposure or privacy violations must be reported to security@fidemit.com.
  5. Enforcement — Violations may result in access restriction, suspension, contract termination, or legal action.
  6. Annual acknowledgement — Personnel acknowledge confidentiality obligations at onboarding and annually.

1.2 Employee Confidentiality of Information

Information obtained by employees while discharging their responsibilities is kept confidential through:

Control | How It Is Managed
--- | ---
Need-to-know access | Admin, support, and engineering roles scoped to job function
Unique credentials | Individual accounts; shared credentials prohibited
Activity logging | User and security-relevant actions logged via activity log service
Secure communications | Internal systems for operational communication; no customer PII in unapproved channels
Offboarding | Access revoked upon role change, resignation, or termination
Privacy Policy | Public-facing policy at /privacy
NDPA compliance | Personal data handled per Nigeria Data Protection Act requirements

1.3 Security Procedures for Information Safety

  • Encryption in transit (HTTPS/TLS) for all public-facing applications
  • JWT-based API authentication with role-based authorization
  • Security headers on Next.js and API responses
  • Webhook signature validation (Paystack HMAC, VFD authorization)
  • Login throttling and reCAPTCHA on authentication endpoints
  • KYC document access restricted to authorized admin roles
  • Incident response, backup, and recovery procedures documented
  • OWASP-aligned vulnerability assessment and penetration testing (VAPT)

2.1 Cloud vs On-Premises

FidemIt hosts data on cloud infrastructure. The company does not operate on-premises data centers or physical server rooms.

Component | Hosting Model
--- | ---
Application (API) | Cloud VPS — Laravel API on managed cloud servers
Application (Web/App) | Cloud VPS — Next.js on managed cloud servers
Database | Cloud VPS — MySQL on managed cloud infrastructure
Media / file storage | Cloud — Cloudinary for user-uploaded images and documents
Payment processing | Third-party cloud — Paystack / VFD (card data not stored on FidemIt systems)

2.2 Cloud Infrastructure Access Controls

Physical server room controls are not applicable. Access is controlled through:

  • SSH key-only authentication (password login disabled)
  • Firewall (UFW) restricting public ports
  • Fail2ban for brute-force protection
  • Nginx reverse proxy; application ports not publicly exposed
  • MySQL not publicly accessible
  • Secrets and credentials stored outside source control
  • Periodic server security monitoring (firewall, SSL, disk, service health)
  • Privileged access limited to authorized engineering personnel

3.1 User Authentication

Method | Status
--- | ---
Unique username/email credentials | Required for all users
Password authentication | Required
Two-Factor Authentication (2FA) | Supported (TOTP); optional for users, recommended for admin
Single Sign-On (SSO) | Not currently supported
reCAPTCHA | Enabled on login flows
API throttling | Enabled on login and verification endpoints

2FA is supported but not mandatory for all users. Admin and privileged accounts should enable 2FA.

3.2 Application Security Standards (OWASP)

FidemIt follows industry best practices aligned with the OWASP Top 10 and OWASP Web Security Testing Guide:

  • OWASP VAPT runner and runbook in the security governance pack
  • Local VAPT assessment conducted (May 2026) with retest confirming remediation
  • Secure authentication, authorization middleware, input validation, and error handling
  • Security headers (CSP, HSTS, X-Frame-Options) on frontend routes
  • CORS restricted to trusted origins
  • Webhook signature validation
  • Credentialed VAPT test plan for authenticated attack surface coverage

FidemIt does not store, process, or transmit cardholder data (CHD) on its own systems.

All card payments are handled by PCI-DSS compliant third-party payment processors (Paystack and/or VFD). Card details are entered directly on the payment processor's secure interface; FidemIt receives only transaction tokens, references, and status notifications via signed webhooks.

  • FidemIt operates as a merchant using a validated third-party service provider
  • FidemIt is not a direct PCI-DSS merchant storing cardholder data
  • PCI-DSS compliance documentation for card processing should be obtained from the payment processor
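The signed-webhook check described above, shown as an added illustration in Python (not the project's own Laravel code). It assumes Paystack's published scheme, an HMAC-SHA512 over the raw request body presented in the x-paystack-signature header (the header name and hash are not stated on this page), and uses a constructed secret and a constructed sample event.

```python
import hashlib
import hmac
import json

# Constructed secret for illustration only; in production the secret is
# loaded from configuration kept outside source control (section 2.2).
SECRET_KEY = b"sk_test_constructed_example_secret"
# Assumption from Paystack's public docs: HMAC-SHA512 hex digest in this header.
SIGNATURE_HEADER = "x-paystack-signature"


def sign(raw_body: bytes, secret: bytes = SECRET_KEY) -> str:
    """Hex HMAC-SHA512 over the raw body bytes, exactly as received."""
    return hmac.new(secret, raw_body, hashlib.sha512).hexdigest()


def verify_webhook(raw_body: bytes, headers: dict, secret: bytes = SECRET_KEY) -> bool:
    """True only if the presented signature matches the raw body."""
    # HTTP header names are case-insensitive; normalise before lookup.
    presented = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER, "")
    if not presented:
        return False
    # Constant-time comparison so response timing does not leak the digest.
    return hmac.compare_digest(presented, sign(raw_body, secret))


def handle_webhook(raw_body: bytes, headers: dict) -> dict:
    """Reject before parsing; only a verified body is turned into an event."""
    if not verify_webhook(raw_body, headers):
        return {"accepted": False, "reason": "bad signature"}
    event = json.loads(raw_body)
    # Only reference and status are consumed; no card data is present or expected.
    data = event["data"]
    return {"accepted": True, "event": event["event"],
            "reference": data["reference"], "status": data["status"]}


# Constructed sample event. Sign the bytes as sent; re-serialising JSON
# before hashing would change whitespace and break verification.
SAMPLE_BODY = json.dumps(
    {"event": "charge.success",
     "data": {"reference": "ref_constructed_001", "status": "success", "amount": 500000}},
    separators=(",", ":")).encode()

if __name__ == "__main__":
    good_headers = {SIGNATURE_HEADER: sign(SAMPLE_BODY)}
    print(handle_webhook(SAMPLE_BODY, good_headers))            # accepted
    tampered = SAMPLE_BODY.replace(b"500000", b"5000")
    print(handle_webhook(tampered, good_headers))               # bad signature
```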

5.1 Security Policies

Policy | Status
--- | ---
IT / Cybersecurity Policy | Documented
Acceptable Use Policy | Documented
Access Control Policy | Documented
Incident Response Policy | Documented
Risk Management Policy | Documented
Security Awareness Policy | Documented
Backup & Recovery Policy | Documented

Policies are approved by the Founder & Sole Director and communicated to personnel at onboarding and annually.

5.2 Security Awareness

  • Acceptable Use Policy documented and communicated at onboarding
  • Security awareness training required at onboarding and annually
  • Role-specific training for engineering (secure coding, incident reporting)
  • Training records retained for audit purposes

5.3 Security Risk Management

  • IT/cyber risk assessment conducted at least annually
  • OWASP VAPT performed with documented findings and remediation
  • Risk register maintained with owners, due dates, and status
  • High-risk findings escalated to management
  • Latest assessment: OWASP VAPT Local Assessment, May 2026 (with retest)

6.1 Unique User Identities

All users are assigned unique IDs and individual credentials (unique username, email, phone).

6.2 Account Lifecycle

  • Accounts suspended or blocked upon policy violation
  • Access revoked on resignation, termination, or role change
  • Inactive accounts reviewed periodically
  • Periodic access reviews conducted for governance

6.3 Activity Logging

User activities and security-relevant events are tracked and logged through the activity log system, including authentication events and material user actions.

7.1 Antivirus / Antimalware

Company-managed endpoints used to access FidemIt systems should run approved antivirus or antimalware protection with real-time scanning and automatic updates.

7.2 Web Traffic Filtering

Internet-facing applications are protected through:

  • Application-layer controls: reCAPTCHA, API throttling, security headers
  • Server-layer controls: Nginx reverse proxy, firewall, Fail2ban
  • Edge/WAF deployment: recommended for production hardening where not yet deployed

8.1 Background Checks

Background checks are conducted for personnel with access to IT systems and customer data prior to granting access, commensurate with role sensitivity.

8.2 Vendor / Contractor Monitoring

Vendor and contractor personnel working on FidemIt systems must:

  • Sign confidentiality and acceptable use acknowledgements
  • Receive scoped, time-limited access credentials
  • Work under supervision of FidemIt engineering leadership
  • Have access revoked upon contract completion

Contact

  • Security: security@fidemit.com
  • Privacy / Compliance: compliance@fidemit.com
  • Support: support@fidemit.com