Cybersecurity Policy

Introduction

At Nubank, we develop simple, secure, and 100% digital solutions for you to have control of your money literally in your hands. We value our customers and understand how important cybersecurity is to enable them to enjoy our services with peace of mind.

We apply the defense-in-depth strategy through the implementation of more than one layer of security, with the aim of mitigating the possible compromise of one of the layers of defense.

The security of your information is in our DNA, and we provide here a summary of our Cybersecurity Policy ("Policy") so that you can learn more about our guidelines for protecting your data.

Scope

Nubank Group companies (henceforth "Nubank") and all their staff, consultants, third parties, suppliers, and partners are subject to this Policy when they access, store, process or transmit information belonging to, or under the custody of, Nubank.

Objective

  1. Maintain the confidentiality, integrity and availability of information belonging to, or under the custody of Nubank;
  2. Establish measures for the protection of the infrastructure that supports business services and activities;
  3. Prevent, detect and reduce vulnerability to incidents related to the cyber environment.

Information Security Principles

Confidentiality: ensure that information is made available or disclosed only to authorized individuals, entities or processes;

Integrity: ensure that the information is accurate, complete and protected from undue, intentional or accidental changes;

Availability: ensure that information is accessible and usable upon demand by authorized individuals, entities or processes.

Guidelines

  • Access to systems, resources and other information assets must be granted based on:
      • Business need;
      • The least privilege principle; and
      • Segregation of duties;
  • Accesses must be managed through a life cycle from creation to deactivation, including periodic reviews for accuracy and suitability;
  • Passwords must follow complexity requirements and be unique; they must not be reused, shared, stored in files or written down anywhere;
  • Logs and audit trails must be enabled in production environments, protected from unauthorized access and changes, and must record:
      • What activity was performed;
      • Who performed the activity;
      • When the activity was performed;
      • On what the activity was performed;
  • Cryptographic algorithms should be applied as needed on data at rest, in transit and/or in use;
  • Tools and processes that aim to prevent sensitive information from leaving an organization's internal environment without authorization must be in place;
  • Solutions and/or processes that, combined, allow the prevention, detection, and identification of attacks on Nubank's infrastructure components must be in place;
  • A vulnerability management process to support the vulnerability lifecycle, from identification to remediation, including guidelines for documentation, reporting and disclosure, must be in place;
  • Anti-malware detection, prevention, and recovery software solutions, or equivalent controls, must be in place to safeguard Nubank's environment;
  • Information assets deemed critical, or that store and/or process sensitive information, must be restricted to segregated areas of the network with appropriate access controls;
  • Production databases must have sufficient backups to restore systems and services to function in the event of a data loss or service interruption;
  • During the software development lifecycle, security requirements must be applied to ensure the confidentiality, integrity and availability of the information;
  • A security assessment must be carried out before the implementation of any new technology, tool or solution in production;
  • The procedures and controls aimed at preventing, treating, and reducing Nubank's vulnerability to cybersecurity incidents, in addition to guidelines for recording, analyzing cause and impact, and assessing the relevance of incidents, must be in place;
  • Information must be classified to assist in the consistent mapping of the information assets and to establish the level of protection that must be applied in its storage, transmission, and use;
  • The Business Continuity Plan (BCP) aims to ensure that, in a crisis, the essential and critical processes are properly maintained, thus preserving the continuity of critical business functions, operations and services. The BCP must be tested annually;
  • Awareness training must be mandatory and carried out annually, presenting the information security principles to help employees recognize risky situations and act correctly;
  • The consumption and sharing of incident and threat information with other local and global institutions must be done through secure channels;
  • Nubank's Cybersecurity Policy must be reviewed at least annually.

Security Recommendations for Customers

  • Create complex passwords and do not use your personal data or information in the composition (e.g. date of birth or names of family members). Give preference to passwords composed of at least 4 random words.
  • Change your password whenever there is any indication or suspicion of a leak, or compromise of your credentials;
  • Avoid using the same password in more than one service; if possible, use a password manager for storing and managing credentials;
  • Your password is personal and non-transferable, so do not share it or write it down in places that other people have easy access to (e.g. notebooks and notepads);
  • If possible, enable two-factor authentication (e.g. biometrics or SMS);
  • Avoid accessing banking websites and applications, or carrying out transactions, on third-party, public (e.g. internet cafe) or untrusted devices (computers, mobile phones and tablets). The same goes for public wireless (Wi-Fi) networks;
  • Keep your devices' operating systems and applications updated;
  • Consider installing an antivirus solution on your computer and keep it updated;
  • Avoid opening emails whose sender or content is unknown;
  • Do not click on links provided in e-mails or suspicious and/or unknown SMS messages;
  • Do not download or run attachments in suspicious emails (e.g. with grammatical errors or urgency);
  • Never share personal, corporate or financial data in phone calls or messages received from strangers. The same goes for suspicious websites: always make sure the website you are accessing is the correct one;
  • Lock the device used to access banking websites and applications when you are not using it;
  • Avoid lending your cell phone to strangers;
  • Always keep at least a backup copy of important data;