Regulatory and security

Regulatory compliance and security is the bedrock of our platform

We prioritise regulatory compliance, safety, and security as essential and inherent features of our platform. We work diligently with our banking and technology partners to deploy best-in-class tools and practices to remain secure and compliant.

Regulatory compliance

We take care of all the necessary regulatory requirements and manage sensitive financial data to ensure fully compliant financial products and operations.

Branchless Banking Partnership

Through leveraging Branchless Banking regulations we have formed strategic partnerships with State Bank of Pakistan (SBP) regulated bank to ensure our customers receive secure and reliable embedded financial services, backed by our banking partner’s expertise and reliability.

Non-Banking Finance Company

Neem is a fully licensed Non-Banking Finance Company (NBFC) by Securities and Exchange Commission of Pakistan to carry out and undertake Investment Finance Services (IFS). This license empowers us to provide tailored embedded lending solutions targeted towards specific industry segments, like household consumers and MSMEs, as well as to cross-sell savings, investment and insurance products.

Security

We understand the importance of ensuring a secure environment on our platform. With advanced technologies and rigorous protocols, we have implemented comprehensive security measures to protect users and maintain the integrity of our systems.

Security within Neem

Authentication & authorisation

We enforce strict role-based access control and multi-factor authentication to safeguard our APIs and management functions, ensuring maximum data security.

Risk assessment

We regularly assess data, systems, and infrastructure risks to stay updated on potential threats and effectively execute mitigation strategies.

Penetration tests

Our systems undergo periodic testing by certified third party security testing services.

Vulnerability scans

We carry out regular vulnerability scans to proactively identify and preempt any threats to the integrity of its systems.

Training

All Neem employees with access to systems are required to undergo annual training on security procedures in place and best practices.

Infrastructure security

Privacy

We follow rigorous procedures covering storage and handling of data, to comply with applicable financial and privacy laws.

Audit logs

We collect audit trails for all system level events of its infrastructure.

Data encryption

We use TLS 1.3 and AES 256 encryption to protect data during transit and at rest, ensuring both data integrity and confidentiality.

Segmentation

Our production, sandbox and QA environments are fully segregated with different access control lists.

Network

We maintain strict filters for traffic via security group rules, for both inbound and internal traffic.

Product security

API-key and OAuth 2 token scopes

Access for client systems is scoped by their tokens which ensures that each client can access only the subset of resources designated for them.

JWT token based access for customers

Separate JWT based authentication for end users coupled with multi-factor authentication which ensures a specific user has access only to their allowed data and features.

Token expiration

All tokens are short-lived, limiting the possibility of compromise.

SSL and EV certificates

We use TLS 1.3 and 1.2 certificates and EV certificates to better assure its identity to clients.

Roles & permissions

Role-based access controls limit user access to a specific subset of data based on their assigned role when logging into applications.

Sensitive data masking

All personally identifiable or any other sensitive data is masked whenever displayed or stored in audit trails.

Availability

Redundancy

Our platform is designed for high availability, minimizing failover and recovery times.

Backups

All production data is regularly backed up and stored within the same jurisdiction.

Monitoring

Continuous infrastructure monitoring promptly alerts any failures, minimising recovery times.

Business continuity

A tested business continuity plan with separate disaster recovery infrastructure is in place to address disruptions.

Security reporting

At Neem, we emphasise the importance of responsible disclosure when it comes to security concerns surrounding our offerings. We value engagement with individuals who report vulnerabilities in a positive and professional manner, ensuring customer protection.

To report any security concerns, contact us at support@neem.io

Let’s enable financial wellness for your business and customers together

Book a call