Information Security at Mukuru

Mukuru implements organisational security measures over systems used to process data. Such measures include, but are not limited to: 

• The management of the Information Security program is driven by a dedicated Information Security department which covers all disciplines required to maintain and improve the certified program.
• Actionable programs for information security incident management, business continuity management, and disaster recovery.
• Extensive internal policies and guidelines for the processing and security of personal data, which cover, among others, personal data processing and data subject request handling, access management, encryption, information security, incident recovery, vendor management, physical security, and remote work requirements. 
• An extensive security onboarding and privacy awareness program for new starters. This is run alongside quarterly security awareness training and phishing simulations. Our developers are enrolled into the secure developer training program for continuous development. 
• Mukuru continually reviews and improves its security and privacy posture in response to emerging threats, evolving regulatory requirements, and industry best practice.

• Mukuru manages risk with a repeatable risk-based approach.
• Technical and non-technical risk assessments are conducted within the environment on an on-going basis.
• Risk assessments are undertaken using a systematic approach to identify and estimate the likelihood and impact of the risks.
• Security controls that mitigate risk are selected from recognised industry best practices.
• Risk assessments also consider regulatory, legal, and contractual obligations to ensure compliance with data protection requirements.

Mukuru implements logical access control measures over systems used to process data. Such measures include but are not limited to:

• Application of different access levels on a need-to-know and “least-privilege basis to ensure that only authorised employees, requiring access for the performance of their immediate work tasks, have access rights to information sources, including personal data. Access is terminated when such access is no longer required.
• Technical enablement for logging processing operations in Mukuru’s systems to a reasonable extent. In case there’s a need to get access to logs, log records of processing operations can be made available in accordance with data subject rights and applicable law. 
• Exclusion of unauthorised access to Mukuru information systems and platforms. For example, allowing guests to only use dedicated guest wireless internet access.  
• Protected access to all systems with multi-factor authentication.
• Privileged access is strictly controlled and subject to monitoring.
• Application of a complex password policy. 
• Protected information may only be accessed, stored, shared or handled using systems and communication channels controlled and authorised for use by Mukuru. It is not permitted to access Mukuru systems from unauthorised devices. 
• A comprehensive semi-annual, logical access reviews is performed.

Mukuru implements technical security measures across systems used to process data. Such measures include, but are not limited to: 

• Secure protocols (for example, HTTPS) and network connections such as VPN and IPsec) are used to transfer data. 
• Encryption of data at rest and in transit. Mukuru implements industry standard AES-256 encryption to encrypt data at rest and TLSv1.3 to encrypt data during transmission. 
• Modern and secure hardware and software to ensure durable confidentiality, integrity, availability, and resilience of data. 
• Using backups to restore, in a timely manner, the availability of data and access to data in the event of a physical or technical incident. Preservation and integrity of data is ensured through a regular backup interval. Backup and restoration procedures are documented, tested regularly, and reviewed to ensure effectiveness.
• Full backups for all data in production systems are done daily. Backups are stored and encrypted in cloud servers. Backups are periodically tested to ensure the integrity of the backup procedure. Successful restoration of backed up objects counts as confirmation of the backup procedure validity. 
• Regular, effective testing (including external penetration and vulnerability testing) and evaluation of technical and organisational measures, including the protection of systems against potential vulnerabilities and attacks. 
• Maintained reasonable and up-to-EDR and anti-malware software, and firewalls for all relevant networks, systems, and devices.

Mukuru implements extensive physical security controls to ensure safety ofdata processing (including personal data processing where applicable). Such measures include, but are not limited to: 

1. Maintained physical controls, including access to Mukuru’s offices, which are closed and safeguarded by personalised multi-factor authentication. 
2. Mukuru’s offices have separate working areas accessible only to authorised employees. 
3. Physical access controls are regularly reviewed, and access rights are promptly revoked when no longer required.
4. Mukuru’s offices have designated guest areas. Guests are allowed to access other determined areas only when accompanied by a Mukuru employee. All guests must wear badges and are signed in and out at the reception desk. 
5. Mukuru’s offices are equipped with perimeter controls, CCTV surveillance, and a security guard (in certain locations).

Mukuru is committed to ongoing improvement of its security and privacy practices. We monitor the evolving threat landscape, adapt to regulatory changes, and implement industry best practices to ensure the continued confidentiality, integrity, and availability of data.

Mukuru has established governance processes for the responsible use of artificial intelligence. AI-enabled solutions are evaluated for security, privacy, legal and ethical risks before implementation. We apply appropriate controls to protect customer information, maintain human accountability for business decisions, and monitor AI systems to ensure they continue to operate safely, securely and in accordance with applicable regulatory requirements.