Information Security Notice
The protection of customer confidential information is an essential element of the trust between Bettr, our customers, our third-party providers and stakeholders. We all have a part to play in the confidentiality, availability and integrity of information in accordance with its sensitivity and classification.
This notice outlines Bettr’s approach to Information Security, how we develop and maintain the security of our products, services and infrastructure, how we gain insights into key third-party technologies and your role in ensuring the security of your information.
Our commitment to information security
In conjunction with our partners, Bettr strives to:
- Classify and appropriately manage all information (especially our customers’ personal and financial information),
- Comply with the relevant standards and regulations governing the financial service and banking industry,
- Continuously assess, evaluate, and improve our information security processes, practices and controls in relation to leading standards (including ISO27000, NIST Cybersecurity Framework and the PCI Data Security Standard),
- Leverage reliable and trusted vendors, technologies, and tools to efficiently develop, maintain and monitor the security of Bettr’s applications, infrastructure and information assets,
- Build a collaborative and dynamic team fostering a culture of shared responsibility for information security where everyone plays their part (including you) in identifying, reporting, and remediating information security threats and vulnerabilities, and
- Listen to and learn from all stakeholders who raise concerns related to information security.
Our information security responsibilities
We will do our best to ensure that:
- Our website, mobile banking app and connections to our backend servers and third-party services are secure and regularly tested to identify and remediate any new threats and vulnerabilities.
- We carefully select and work with our third-party service and technology providers in a shared responsibility model to ensure the privacy and security of customer and confidential information.
- Data is protected in accordance with its classification through the implementation of appropriate controls including, but not limited to, the encryption of data and restricting access to sensitive information.
- We take reasonable steps to secure your payment information and use a payment system that is sufficiently secure by industry standards at the time of the transaction and for the type of transaction concerned.
- Our critical applications and systems are resilient to unforeseen disruptions through the use of leading technologies and high availability solutions. In addition, we perform regular backups of data and maintain defined plans and procedures to enable the recovery of critical systems and data in the event of a major disaster.
- We log, monitor and investigate suspected unauthorised access and information security incidents on our systems to ensure issues are prioritised and resolved in accordance with agreed service levels.
Our third parties’ responsibilities
We leverage various third-party stakeholders, service providers and technologies to develop and maintain Bettr’s products and services. The following third parties play an important role in enabling services (this is not an exhaustive list) and share responsibility for protecting customer and company information in accordance with contractual and regulatory requirements:
- Access Bank South Africa Limited (“Access Bank” or “the Bank”) is an authorised Financial Services Provider (FSP 5865) and a registered Credit Provider (NCRCP 6). Our services are provided in alliance with Access Bank and all customer transactional information is shared with the Bank daily (via secure channels managed by the Bank). The Bank is responsible for all reporting obligations in accordance with the Banks Act 94 of 1990 and related applicable laws.
- Tutuka Software Proprietary Limited (“Tutuka”) provides solutions and support services related to the management of card transactions. Tutuka maintains compliance with the PCI Data Security Standard.
- Traderoot Africa Managed Services Proprietary Limited provides core banking solutions and support services. Core banking applications are hosted in AWS and managed by Bettr.
- Onfido SAS provides services to verify the identity of customers including biometric facial scans matching to identity documents. Onfido uses 256-bit SSL encryption 100% of the time on every device. Onfido is SOC 2 Type II compliant and has been certified by BSI to ISO 27001 under certificate number IS 660122.
- Fica Co Proprietary Limited (“DocFox”) provides a digital KYC solution and service in accordance with FICA requirements.
- Stitch Money Proprietary Limited ("Stitch") provides payment gateway services that allow customers to fund their accounts.
- Intercom is leveraged for customer support services.
Our information security disclaimers
Please note the following:
- The third parties whose systems we link to are responsible for the security of information while it is collected by, stored on, or passing through the systems under their control.
- We will use all reasonable endeavours to ensure that our mobile app, website, backend systems and your information are not compromised. However, we cannot guarantee that no harmful code or malicious threat actor will compromise our systems (for example hackers, malware, viruses, bugs, Trojan horses, spyware or adware). You should be aware of the risks associated with using any mobile app, website or resource on the internet.
- If you experience a problem or loss that is caused by: (i) information you provided to us; (ii) your computer or mobile device being compromised in some way; or (iii) something beyond our control, we cannot take responsibility for causing the problem. We will, however, do our best to help you where we can.
Your security responsibilities
- Install and activate appropriate security software on your computer or mobile device. This should include anti-virus, anti-spyware and anti-spam software.
- Run regular scans of your computer or mobile device for viruses.
- Update your security software to ensure you are always running the current version.
- Ensure that your mobile device has not been subject to a root or jailbreak process.
Other steps you should take to help protect your computer or mobile device include:
- Check your internet browser’s security settings for ways to make your browsing more secure.
- Make sure that you have entered secure pages when filling in your sensitive personal information. Look for a small yellow lock, commonly seen at the top left of your browser, and check that http changes to https in the address bar.
Protecting your password
- Never share your password with anyone.
- Never send your password via email.
- Make your password as strong as possible.
Before you download the app, ensure the page you are on is secure and begins with https. You must only log in to your account via the secure app. We will never ask you to enter your login details on a website.
No confirmation through links
We will never ask you to confirm your username and password or other sensitive information by clicking on any links in an email other than the email link we send you at registration to verify your email address. Be aware of “phishing” attacks where criminals attempt to obtain your sensitive information by sending you an email, masquerading as an email from us, asking you to access your account or verify information via links in the email, or diverting you to a fake website. Please report any suspected phishing attacks to us immediately to prevent any harm to you or other users.
Please report any suspicious or unauthorised activity relating to your use of our website, customer support channels or mobile app to us directly, because it will help make our services more secure.
Our right to take action
We reserve the right to take whatever action we deem necessary at any time to preserve the security and reliable operation of our system. You undertake not to do anything (or permit anything to be done) that may compromise the system under our control.