Nubank Security Policy

Introduction 

At Nubank, we develop simple, secure, and 100% digital solutions so you can have control over your money. We value our customers and understand how important cybersecurity is for them to enjoy our services with peace of mind.

We apply a defense-in-depth strategy, implementing multiple layers of security to mitigate the potential compromise of any individual layer.

The security of your information is in our DNA and we provide here a summary of our Cybersecurity Policy ("Policy") so that you can learn a little more about our guidelines for protecting your data.

Scope

The companies of the Nubank Group ("Nubank") and all of their employees, consultants, third parties, suppliers and partners are subject to the Policy if they access, store, process or transmit information belonging to, or under the custody of, Nubank. 

Objective 

1. Maintain the confidentiality, integrity and availability of information owned or held by Nubank;

2. Establish measures to protect the infrastructure that supports business services and activities;

3. Prevent, detect and reduce vulnerability to incidents related to the cyber environment. 

Information Security Principles

Confidentiality: ensure that information is made available or disclosed only to authorized individuals, entities or processes;

Integrity: ensure that the information is accurate, complete and protected from undue, intentional or accidental alteration;

Availability:ensure that information is accessible and usable on demand by authorized individuals, entities or processes.

Governance and Accountability

Security at Nubank is managed by a robust governance structure, led by an executive and supported by specialized teams. This framework ensures that security responsibilities are clearly defined, implemented, and monitored throughout the organization, so that all levels of the company are committed to the security of their data.

Guidelines 

  • Access to systems, resources and other information assets must be granted through valid authentication and based on:
  • Access must be managed through a lifecycle from creation to deactivation, including periodic reviews for accuracy and adequacy;
  • Passwords must meet minimum complexity requirements and be unique. Passwords should not be reused, shared, stored in files, or written down anywhere.
  • Logs and audit trails must be enabled in production environments, protected from unauthorized access and changes, and record:
  • Tools and processes to monitor and prevent sensitive information from leaving an organization's internal environment without authorization must be implemented;
  • Security practices must be integrated into all phases of the product development lifecycle, from conception to implementation. This includes architectural reviews, code reviews, and continuous security testing to ensure our products are secure from the start;
  • A vulnerability lifecycle management process, from identification to remediation, including guidelines for documentation, reporting, and disclosure, must be in place;
  • Anti-malware detection, prevention, and recovery software solutions or equivalent controls must be implemented to protect the Nubank environment;
  • Information assets considered critical, which store and/or process sensitive information, must be restricted to segregated areas of the network, with appropriate access control;
  • Production databases must have sufficient backups to restore systems to operation in the event of data loss or service interruption;
  • A security assessment must be performed before implementing any new technology, tool or solution into production;
  • Security assessments of our critical partners and suppliers must be carried out to ensure that they maintain a level of security compatible with our standards, extending security throughout our supply chain;
  • Information should be classified to assist in the consistent mapping of information assets and establish the appropriate level of protection in its storage, transmission, and use;
  • The Business Continuity Plan (BCP) aims to ensure that, in a crisis situation, essential and critical processes are properly maintained, thus preserving the continuity of business functions, operations, and critical services. The BCP must be tested annually.
  • Awareness training should be mandatory and conducted annually, presenting information security principles to help employees recognize risk situations and act correctly;
  • A continuous monitoring process and a structured incident response plan must be maintained to quickly identify, contain, mitigate, and remediate cyber threats. To this end, procedures and controls are implemented to prevent and address vulnerabilities, as well as guidelines for recording incidents, analyzing their cause and impact, and assessing their relevance. In the event of incidents with a significant impact on customers, communication will be transparent, with the provision of necessary guidance;
  • Consumption and sharing of incident and threat information with other local and global institutions must be done through secure channels;
  • Nubank's Cybersecurity Policy must be reviewed at least annually.

Security Recommendations for Customers

  • Create complex passwords and don't use your personal information (e.g., date of birth or family members' names). Choose passwords made up of at least four random words.
  • Change your password whenever there is any indication or suspicion of a leak or compromise of your credentials;
  • Avoid using the same password in more than one service; if possible, use a password manager to store and manage credentials;
  • Your password is personal and non-transferable, so do not share it or write it down in places where other people have easy access (e.g., notebooks and notepads);
  • If possible, enable a second authentication factor (e.g., biometrics or multi-factor authentication - MFA);
  • Avoid accessing banking websites and apps or making transactions on third-party, public (e.g., internet cafes), or untrusted devices (computers, cell phones, and tablets). The same applies to public wireless networks (Wi-Fi).
  • Keep your devices' operating systems and applications up to date;
  • Try installing an antivirus solution on your computer and keep it updated;
  • Avoid opening emails whose sender or content is unknown;
  • Do not click on links provided in suspicious and/or unknown emails or SMS messages;
  • Do not download or run files attached to suspicious emails (e.g., with grammatical errors or an urgent tone);
  • Never provide personal, corporate, or financial information in calls or messages received from unknown people. The same goes for suspicious websites; always verify that the site you're visiting is genuine;
  • Lock the device used to access banking websites and apps when you are not using it;
  • Avoid lending your cell phone to strangers;
  • Always keep at least one backup of important data.