Security Statement
Tangerpay understands the importance of an effective information security management system to protect the confidentiality, integrity and availability of all information assets from potential threats.
Our commitment to security is reflected in the implementation of our security policies, processes, controls and alignment and compliance with international standards.
The Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.
This security statement should be read in conjunction with our Privacy Policy.
If you have discovered a security issue, contact us at service@tangerpay.com. If there is anything sensitive you’d like to report, consider encrypting your email with our PGP key, https://keybase.io/tangerpay.
Governance
Tangerpay maintains a set of standards and policies organised around ISO 27001 in our day-to-day operations, and since we accept card payments we apply the PCI-DSS. We submit to regular external scans to maintain our PCI-DSS compliance to the satisfaction of our payment processing suppliers.
Organisation of Information Security
The executive team at Tangerpay come from senior banking technology roles across Australia’s largest financial institutions. The security program is sponsored by the executive team and is regularly reviewed to ensure it continues to adapt as the threat landscape changes.
Tangerpay staff have access to the systems they need, and no more. Access to source code is restricted to developers, and changes to the production environment are performed only once reviewed and approved by a responsible executive.
Securing Individuals
Tangerpay screens individuals in accordance with their role and access to information. All individuals with access to information or source code are vetted, and upon hire must accept Tangerpay’s employee Code of Conduct and IT Acceptable Use Policy.
All individuals with access to sensitive information are required to sign non-disclosure agreements.
Individuals who are required to use third-party services are provided password management software and must select unique, complex passwords per site. Password quality is monitored and audited every three months to ensure compliance. Password breaches are also monitored and breached passwords are immediately updated.
Breach of these policies is treated as misconduct and results in disciplinary action commensurate with the severity of violation.
Assets
Customer data is managed in accordance with local regulations. Tangerpay collects the bare minimum required to operate the platform. More information about the data we collect can be seen in the Privacy Policy.
Tangerpay does not store, process, or transmit sensitive cardholder data on our network. There is no way for Tangerpay staff to access cardholder data.
Access to information is provided on a need-to-know basis. Staff and users of our service have access to what they need, and no more.
Tangerpay monitors use of the IT environment through logging and dashboards.
Cryptography
Tangerpay has a Cryptography Standard which sets out when, where, and how information is to be protected.
For data in transit, Tangerpay only allows network connections using TLS 1.2 and above. Qualys SSL Labs rates us an A+ for the security applied to our public-facing user applications.
Data at rest is encrypted using the services of Microsoft Azure, and we apply additional AES encryption where additional protection is warranted.
Physical Security
Tangerpay’s main data center is provided by Microsoft Azure and enjoys the elevated level of physical and IT infrastructure security provided as part of that platform. More information is available at https://docs.microsoft.com/en-us/azure/security/fundamentals/infrastructure.
Our office has a concierge during business hours and requires electronic key fobs to gain after-hours entry. Unauthorised guest access to the complex is not permitted.
Operations
Tangerpay implements a change control process that allows tracking of source and data changes made to the IT environment.
Software build pipelines continually assess code deployed to production. Software libraries are scanned for known vulnerabilities using CVSS ratings and rejected if vulnerabilities are detected. Manual changes to the production environment are not permitted – all changes must be deployed through well-defined and approved automated delivery pipelines.
Critical data is backed up in encrypted form and can be restored in the event of a disaster. The keys for decrypting backups are held off-site, available only to the executive team and accessed only when required.
Operational dashboards showing the health and availability of the system are regularly monitored.
All logs are collected and retained for several months to assist any incident management process, including security-related incidents.
Networks and Communication
Tangerpay utilises Microsoft Azure’s networking and security features to protect applications running within that environment. Access to the network requires multi-level authentication and firewall permissions.
The development and testing environments are network separated from production.
Development
Tangerpay has implemented a secure development lifecycle (SDLC) development standard.
All software developers employed by Tangerpay are professionals who understand secure coding methods and how to mitigate common attack vectors, including the OWASP Top 10.
The software build process includes execution of static code analysis tools to detect common vulnerabilities. A build will not succeed if a vulnerability is detected.
The software deployment process requires promotion through a non-production environment before release to production. Automated tests are executed in the non-production region to ensure software is of the highest quality before customers see it.
Suppliers
Tangerpay ensures all suppliers meet our security requirements across the supply chain. This includes the open-source software we use.
Tangerpay maintains close relationships with suppliers who are critical to the operation of our business. This includes purchase of premium support and exchanging non-disclosure agreements where required.
Incident Management
Tangerpay has an incident management and incident communications plan for when things go wrong.
In the event of a security incident, we will notify affected users so they can take appropriate protective steps. In a significant breach we will communicate particulars on our website, social media and notify appropriate regulatory and law enforcement bodies.
Tangerpay provides a secure channel for security researchers to contact us if required. Our PGP key is available at https://keybase.io/tangerpay.
Business Continuity
Tangerpay has a business continuity plan. In a disaster our software and data can be restored on Microsoft Azure. Our restoration process is documented and tested annually.
Compliance
Tangerpay operates in several countries, and each has different compliance obligations.
PCI-DSS compliance is tested every six months through automated network scans of our publicly facing infrastructure.
Compliance relating to customer data differs by jurisdiction, and Tangerpay monitors and responds to changing regulatory requirements as necessary.