At Nubank, we develop simple, secure, and 100% digital solutions so you can have control over your money. We value our customers and understand how important cybersecurity is for them to enjoy our services with peace of mind.
We apply a defense-in-depth strategy, implementing multiple layers of security to mitigate the potential compromise of any individual layer.
The security of your information is in our DNA and we provide here a summary of our Cybersecurity Policy ("Policy") so that you can learn a little more about our guidelines for protecting your data.
The companies of the Nubank Group ("Nubank") and all of their employees, consultants, third parties, suppliers and partners are subject to the Policy if they access, store, process or transmit information belonging to, or under the custody of, Nubank.
1. Maintain the confidentiality, integrity and availability of information owned or held by Nubank;
2. Establish measures to protect the infrastructure that supports business services and activities;
3. Prevent, detect and reduce vulnerability to incidents related to the cyber environment.
Confidentiality: ensure that information is made available or disclosed only to authorized individuals, entities or processes;
Integrity: ensure that the information is accurate, complete and protected from undue, intentional or accidental alteration;
Availability: ensure that information is accessible and usable on demand by authorized individuals, entities or processes.
Security at Nubank is managed by a robust governance structure, based on the international Three Lines of Defense model. This structure, headed by executive leadership, ensures a clear segregation between operational execution, risk and compliance oversight, and independent auditing. This model ensures that security responsibilities are implemented and monitored across the board, guaranteeing commitment from all levels of the organization to the protection of data and assets.
Access to systems, resources, and other information assets must be granted through valid authentication and based on:
Business need;
The principle of least privilege; and
Segregation of duties;
Access should be managed through a lifecycle from creation to deactivation, including periodic reviews for accuracy and suitability;
Passwords must meet minimum complexity requirements and be unique. Passwords should not be reused, shared, stored in files, or written down anywhere.
Logs and audit trails should be enabled in production environments, protected from unauthorized access and changes, and should record:
What activity was performed;
Who performed the activity;
When the activity was performed;
What the activity was performed on.
Cryptographic algorithms should be applied as needed to data at rest, in transit, and/or in use;
Tools and processes to monitor and prevent sensitive information from leaving an organization's internal environment without authorization must be implemented;
State-of-the-art encryption technologies should be used and constantly updated to protect data against new forms of cyberattacks;
Security practices should be integrated into all phases of the product development lifecycle, from conception to implementation. This includes architecture reviews, code analysis, and continuous security testing to ensure our products are built securely.
A vulnerability lifecycle management process, from identification to remediation, including guidelines for documentation, reporting, and disclosure, must be implemented;
Anti-malware software solutions for detection, prevention, and recovery, or equivalent controls, must be implemented to protect the Nubank environment.
Information assets considered critical, which store and/or process sensitive information, should be restricted to segregated areas of the network with appropriate access control;
In addition to digital security, we have adopted strict physical access controls to the locations where data is processed and stored;
The use of Artificial Intelligence tools must follow governance models and best market practices to ensure the ethical, safe, and responsible development and use of the technology.
Production databases must have sufficient backups to restore system functionality in the event of data loss or service interruption.
A security assessment should be conducted before implementing any new technology, tool, or solution into production.
Cloud services and solutions must adhere to strict standards for configuration and data protection;
Security assessments of our critical partners and suppliers must be carried out to ensure they maintain a level of security consistent with our standards, extending security throughout our supply chain;
We maintain our payment infrastructure and processes in compliance with PCI DSS (Payment Card Industry Data Security Standard), ensuring that our customers' card data is processed, stored, and transmitted according to the strictest global security standards in the card industry. The certificate of compliance can be requested through our customer service channels.
Information should be classified to assist in the consistent mapping of information assets and to establish the appropriate level of protection for their storage, transmission, and use;
The Business Continuity Plan (BCP) aims to ensure that, in a crisis situation, essential and critical processes are properly maintained, thus preserving the continuity of business functions, operations, and critical services. The BCP should be tested annually.
Awareness training should be mandatory and conducted annually, presenting the principles of information security to help employees recognize risky situations and act correctly;
In cases of loss, theft, or robbery of devices with access to Nubank systems, we adopt immediate response protocols to block access and remotely wipe sensitive data, preventing any misuse of information.
A continuous monitoring process and a structured incident response plan are implemented to identify, contain, mitigate, and remediate cyber threats in an agile manner. This involves implementing procedures and controls to prevent and address vulnerabilities, as well as guidelines for recording, analyzing root causes and impacts, and assessing the relevance of cybersecurity incidents. In the event of incidents with a significant impact on customers, communication will be transparent, providing the necessary guidance.
The consumption and sharing of incident and threat information with other local and global institutions should be done through secure channels;
Nubank's Cybersecurity Policy should be reviewed at least annually.
Create complex passwords and do not use your personal data or information in their composition (e.g., date of birth or family names). Prefer passwords composed of at least four random words.
Change your password whenever there is any indication or suspicion of a leak or compromise of your credentials;
Avoid using the same password for more than one service; if possible, use a password manager for storing and managing credentials.
Your password is personal and non-transferable, so do not share it or write it down in places where other people have easy access (e.g., notebooks and notepads);
If possible, enable a second authentication factor (e.g., biometrics or multi-factor authentication - MFA);
Enable "Street Mode" in the Nubank app to protect your investments.
Avoid accessing banking websites and apps or conducting transactions on third-party, public (e.g., internet cafe) or untrusted devices (computers, cell phones, and tablets). The same applies to public wireless (Wi-Fi) networks.
Keep your devices updated with the latest operating systems and applications;
Install an antivirus solution on your computer and keep it updated;
Avoid opening emails from unknown senders or with unknown content;
Do not click on links provided in suspicious and/or unknown emails or SMS messages;
Do not download or run attachments from suspicious emails (e.g., those with grammatical errors or an urgent tone);
Never provide personal, corporate, or financial information over calls or messages received from unknown individuals. The same applies to suspicious websites; always verify that the website you are accessing is genuine.
Lock the device used to access banking websites and apps when you are not using it;
Avoid lending your cell phone to strangers;
Always keep at least one backup copy of important data.