Product Security

Moneytree has a media disposal policy that describes procedures for the disposal of assets that contain sensitive data.

Moneytree maintains an inventory of production system assets.

Portable media devices are encrypted to protect data on lost or stolen devices.

Background checks are conducted for all new hires prior to employment.

All employees complete annual information security awareness training.

All employees sign confidentiality and non-disclosure agreements upon hire.

Third-party vendors are assessed for security risk prior to onboarding.

An Information Security Committee with executive sponsorship meets regularly to review security posture, risk, and policy.

A dedicated Chief Information Security Officer is responsible for the information security programme and reports to executive leadership.

An annual cybersecurity self-assessment is conducted per FSA cybersecurity guidelines, with findings documented and reported to management.

All employees acknowledge and comply with an acceptable use policy covering systems, data, and devices.

A clean desk policy is enforced to prevent unauthorized access to sensitive information in physical work environments.

Moneytree conducts periodic self-assessments of security controls.

Annual third-party penetration testing is conducted on all external-facing services.

Automated vulnerability scanning is run on all production systems weekly.

Static and dynamic application security testing is integrated into the deployment pipeline.

All third-party dependencies are scanned for known vulnerabilities on every build using software composition analysis tooling.

Automated secret scanning is run on all code repositories to detect and prevent accidental exposure of credentials or API keys.

A security design review is required for any new feature or change that touches user data or authentication flows before development begins.

A responsible disclosure and bug bounty programme is maintained, allowing security researchers to report vulnerabilities safely. Reports are triaged within two business days.

Privacy-by-design principles are applied during product development. Data Protection Impact Assessments are conducted for new processing activities involving personal financial data.

Moneytree has documented business continuity and disaster recovery plans.

Business continuity and disaster recovery plans are tested at least annually.

Moneytree maintains cybersecurity liability insurance coverage as part of its risk treatment plan.

A formal incident response plan is documented and reviewed annually.

All information security policies are reviewed and approved by executive leadership annually.

All changes to production systems require peer review and documented approval before deployment.

Security logs are collected centrally and monitored 24/7 via SIEM alerting.

Logs are retained for 12 months in hot storage and 7 years in cold archive.

Internal audits of security controls are conducted at least annually. Findings and remediation plans are reported to executive leadership.

A business impact analysis is conducted annually to identify critical systems and acceptable recovery timeframes.

Segregation of duties is enforced in critical processes to prevent fraud or error. No single employee can both authorize and execute sensitive operations.

Procedures are in place to notify the Financial Services Agency of significant system failures or security incidents within the timeframes prescribed by FSA regulations.

Moneytree maintains a data retention policy defining retention periods for all categories of data.

Personal data is deleted from production systems within 24 hours of account closure upon request.

Moneytree classifies data by sensitivity and applies appropriate controls to each classification.

Moneytree does not sell personal data to third parties under any circumstances.

Privacy impact assessments are conducted for all new features that handle personal data.

DPAs are available for enterprise customers and partners upon request.

A list of sub-processors is maintained and customers are notified of any changes.

Moneytree maintains a compliance programme aligned with Japan's Act on the Protection of Personal Information (APPI), including appointment of a Personal Information Protection Manager and periodic compliance reviews.

Personal data transfers outside Japan are subject to documented legal basis assessments and safeguards.

Procedures are in place to investigate data breaches, notify affected individuals, and report to the Personal Information Protection Commission (PPC) within mandated timeframes.

Granular consent is obtained before processing personal data for purposes beyond the original collection intent. Consent records are maintained and users can withdraw consent at any time.

Personally identifiable information is masked or anonymised before use in development, testing, or analytics environments.

Moneytree holds and maintains TRUSTe Enterprise Privacy Certification, verified through annual recertification against applicable privacy standards including APPI.