Secure Usage Guidelines
Purpose
These guidelines establish mandatory security controls and best practices for all users, merchants, developers, and partners who access or integrate with the bridg.money platform. They are designed to protect the confidentiality, integrity, and availability of systems and data while ensuring compliance with Indian regulations and international standards.
The purpose of this document is to:
- Provide a clear framework of security responsibilities for bridg.money and its ecosystem participants.
- Minimise risks of fraud, data breaches, financial loss, and reputational harm.
- Align bridg.money operations with RBI Master Directions, PCI-DSS, ISO 27001, and the Digital Personal Data Protection Act (DPDP 2023).
- Support safe innovation by guiding developers and partners in secure coding, integration, and operational practices.
- Reinforce customer and regulator trust by demonstrating proactive governance and transparency.
- Serve as a reference document for internal teams, auditors, regulators, and bank partners evaluating our security posture.
These guidelines supplement – not replace – contractual obligations and applicable laws or regulations.
Scope
These guidelines apply to all categories of systems, users, and data that interact with bridg.money. They ensure that every stakeholder follows a consistent security standard and that critical infrastructure remains resilient against threats.
Category – Included Assets
- Interfaces: bridg.money web dashboard, mobile applications, API endpoints, SDKs, command-line utilities, and any future client-facing tools.
- Actors: Merchants, employees, contractors, service providers, developers, auditors, consultants, and integrated third-party systems.
- Data: Any personal, financial, transactional, or business data processed, stored, or transmitted via bridg.money infrastructure, including KYC/AML information, reconciliation data, logs, and audit trails.
- Infrastructure: Core systems, servers, databases, cloud environments, monitoring tools, APIs, CI/CD pipelines, and backup/disaster recovery systems used to support bridg.money operations.
The scope extends across production, sandbox, and test environments, and applies to both internal users and external partners. These guidelines are binding for all parties engaging with bridg.money’s technology stack.
Key Definitions
- 2FA: Two-Factor Authentication (OTP / authenticator app).
- API Key: Credential issued to integrate programmatically with bridg.money.
- Sensitive Data: Personally identifiable information (PII), financial data, authentication secrets, and any data classified Confidential or above.
- RBAC: Role-Based Access Control.
- DPO: Data Protection Officer.
- CISO: Chief Information Security Officer, responsible for governance, audits, and regulatory liaison.
Security Governance
- Risk Ownership: Each merchant is responsible for safeguarding its own credentials, infrastructure, and customer data.
- Shared Responsibility Model: bridg.money secures core platform infrastructure; users secure their endpoints and usage.
- Leadership Roles: The CISO and DPO oversee policy compliance, incident response, and regulator liaison.
- Annual Review: These guidelines are reviewed every 12 months or upon major regulatory change.
- Board Oversight: The Board of Directors receives quarterly dashboards on compliance, fraud trends, and incident response statistics.
- Policy Enforcement: Violations may result in suspension, termination, regulatory reporting, or legal action.
Acceptable Use Requirements
Accounts & Credentials
- Create accounts with unique, verifiable business email IDs – shared or group IDs are prohibited.
- Passwords must be ≥ 12 characters with at least 1 uppercase, 1 lowercase, 1 digit, and 1 symbol.
- Enable 2FA for every administrator and finance role.
Device Security
- Keep operating systems, browsers, firmware, and antivirus solutions fully patched.
- Use full-disk encryption on laptops and mobile devices.
- Restrict privileged access to bridg.money dashboards to company-managed devices.
- Ensure background verification and NDA compliance for all employees handling sensitive data.
Network Security
- Access the dashboard via private or corporate networks; avoid public Wi-Fi.
- Use VPN or zero-trust access solutions where feasible.
Environment Hygiene
- Do not use production data in sandbox or test environments.
- Disable default or unused accounts and services promptly.
- Conduct quarterly reviews of environment segregation and security patches.
Authentication & Access Control
- RBAC: Assign least-privilege roles (Viewer, Ops, Finance, Admin).
- Quarterly Access Review: Re-validate all privileged roles every 90 days.
- Session Timeout: Auto-logout after 15 minutes of inactivity.
- API Key Scope: Restrict by IP, environment (test/live), service (payouts, VAM, etc.).
- Key Rotation: Rotate or regenerate keys at least every 90 days or immediately after suspected compromise.
- Credential Storage: Never embed keys in client-side code; use secure server-side vaults.
- Password Hashing: bridg.money hashes all passwords with bcrypt (cost 12).
- Audit Trails: Maintain complete logs of authentication, privilege escalations, and API key issuance/revocation for ≥ 5 years.
Secure Development & Integration
- Environment Separation: Use Bridg sandbox for development; never test with live data.
- Secrets Management: Store API keys, JWT secrets, and database passwords in encrypted secret stores (e.g., AWS Secrets Manager, HashiCorp Vault).
- Secure Coding Standard: Follow OWASP ASVS 4.0 and SEI-CERT guidelines.
- SAST/DAST & Dependency Scanning: Run static, dynamic, and software-composition analysis (SCA) scans; remediate CVEs before deployment.
- Webhook Validation: All webhooks are signed (HMAC-SHA256). Verify the signature header before processing events.
- Rate Limiting: Implement retry logic with exponential back-off; do not exceed published rate limits.
- DNS Hygiene: Honour bridg.money DNS TTLs (no aggressive caching) to ensure quick fail-over & certificate rotation.
- API Lifecycle & Versioning: bridg.money publishes a stable, date-based API version (e.g., 2025-08-01) with a 6-month deprecation window for breaking changes. Multiple versions are supported concurrently; upgrade guides are provided.
- Code Reviews: Enforce peer reviews, unit testing, and CI/CD pipeline checks before production deployment.
Data Protection & Privacy
- Data Collection: Collect only data necessary for the stated business purpose or legal obligation (data minimisation).
- Data Classification & Encryption:
- Public: Product documentation → Optional encryption.
- Internal: Configuration files → Transport encryption (TLS).
- Confidential: PII, KYC docs, transaction data → AES-256 at rest + TLS in transit.
- Retention & Disposal:
- Retain transactional & KYC data for 8 years (per RBI Master Directions) or longer if legally mandated.
- Dispose of data securely (crypto-shred or DoD wipe) once retention period lapses.
- Data-Subject Rights: bridg.money honours rights to access, correction, deletion, portability, and consent withdrawal under India’s DPDP Act and (if applicable) GDPR.
- Cross-Border Transfers: Data remains within India unless explicit consent and adequate safeguards exist for permitted regions (EU SCCs, BCRs, or equivalent mechanisms).
- Third-Party Data Processing: Vendors handling personal or sensitive data must sign binding Data Processing Agreements (DPAs).
Transaction Security
- All API and dashboard traffic must use TLS 1.2+; bridg.money rejects plain HTTP.
- Validate beneficiary name and account number (penny-drop or bank API) for payouts over INR 50,000.
- Enable maker-checker workflows on corporate payouts.
- bridg.money reviews fraud and AML patterns daily.
- Merchants must configure transaction-level approval thresholds (₹ amount & risk category).
- Suspicious transactions are escalated to AML teams within 1 hour.
Monitoring, Logging & Alerting
- Transaction Logs: Retain for a minimum of 5 years; export via BridgRecon or API.
- Security Logs: Retain for 8 years; stored in tamper-evident, WORM-compliant storage.
- Anomaly Detection: Configure alerts for unusual spikes, geo-location anomalies, or repeated failures.
- Logs are periodically reviewed by the compliance and risk team.
Incident Response & Reporting
- Contain: Suspend affected API keys/users. bridg.money acknowledges within 24 hours.
- Report: Email security@bridg.money with incident details; Bridg provides an IR reference number.
- Investigate: Cooperate with Bridg investigators; interim updates: Sev 1 – hourly, Sev 2 – 4-hourly, Sev 3 – daily.
- Eradicate: Patch systems, reset credentials; confirm closure & preventive steps.
- Post-mortem: Share learnings & remediation plan; Bridg delivers incident report within 10 days.
Safe-Harbor: Good-faith security researchers following our Responsible Disclosure programme will not face legal action, provided they do not exploit data and report promptly.
Business Continuity & Disaster Recovery
- RTO ≤ 1 hour and RPO ≤ 15 minutes for critical services.
- Annual DR test conducted every Q2; summary results available on request.
- Incident updates are posted on status.bridg.money with email/SMS alerts for Sev 1 outages.
- Critical vendor dependencies are included in DR planning.
Compliance & Audits
- Platform certified against PCI-DSS v4.0 and aligned with ISO 27001 controls.
- Annual VAPT performed by CERT-IN empanelled partners.
- SOC 2 Type II attestation in progress (target completion Q1 2026).
- bridg.money operates a private bug-bounty programme (invite-only).
- RBI/Bank Audits: bridg.money cooperates with RBI inspections, statutory auditors, and partner bank compliance reviews.
- FIU Reporting: AML monitoring and suspicious activity reports (STR/CTR) are filed with FIU-IND as required.
Prohibited Activities
- Money laundering, terror financing, corruption, child exploitation.
- High-risk categories (gambling, crypto, adult content) without explicit written approval.
- Unauthorized penetration testing, scraping, or denial-of-service attacks.
- Activities that compromise confidentiality, integrity, or availability of Bridg systems.
Third-Party Services & Plugins
- Use only vetted plugins/extensions that comply with these guidelines.
- Merchants must perform vendor security assessments for any third-party code touching Bridg APIs.
- Users are responsible for security of any code executed on their infrastructure.
- bridg.money reviews third-party providers periodically for compliance with DPDP and RBI requirements.
Updates to Guidelines
This document may be revised to address new threats or regulations. The latest version is always available at www.bridg.money/security. Continued use constitutes acceptance of updates. API Deprecation Policy: Breaking API changes are communicated at least 6 months in advance. Clients have a rollback window of 72 hours after upgrade.
Contact Information
- Security Incidents: security@bridg.money (24 × 7)
- General Support: hello@bridg.money (09:00–18:00 IST, Mon–Fri)
- Phone Support: +91 76765 12809 (09:00–18:00 IST, Mon–Fri)
- Postal Address: Bridg Financial Technologies Pvt. Ltd., WorkFlo Ranka Junction, Property No. 224, 3rd Floor, #80/3, Vijinapura Village, Old Madras Road (OMR), KR Puram Hobli, Bengaluru - 560016, India
Quick Reference
- Passwords ≥ 12 chars + 2FA
- Never share or hard-code API keys; rotate every 90 days.
- HTTPS only; verify webhook signatures.
- Monitor logs daily; investigate anomalies promptly.
- Report incidents to security@bridg.money within 24 hours.
- Follow API deprecation notices; migrate within 6 months to avoid disruption.
Policy Governance
- Document ID: SG-001
- Owner: Chief Information Security Officer (CISO)
- Approval Authority: Board of Directors
- Versioning Scheme: Semantic (major.minor.patch). Operational changes increment minor; textual fixes increment patch.
- Distribution: Confluence (HTML) & Signed PDF (SHA-256 checksum).
- Next Review Due: 01 September 2026
- Supersedes: All prior Secure Usage Guidelines
- Change Log: Stored in Git; diff summary available on request.