Nveda Fintech Pvt Ltd | Ninja Labs - FZCO
Effective Date: January 2025
Last Updated: November 2025
---
## 1. Purpose and Overview
This Security Policy describes the technical, organizational, and procedural measures implemented by Nveda Fintech Private Limited (“Nveda”, “we”, “us”, or “our”) to protect the confidentiality, integrity, and availability of information processed by **NIN Genie**, an agentic assistant and orchestration layer within the NINGENIE workspace of the NINX platform (the “Service”).
NIN Genie operates as a secure orchestration layer on top of services you already use. It does **not** operate as a custodial wallet, bank, or broker; instead, it coordinates actions across regulated networks and partner services based on your instructions and configurations.
This policy should be read together with the **NIN Genie Terms of Service** and the **NIN Genie Privacy Policy**.
---
## 2. Scope
This Security Policy applies to:
- NIN Genie’s production systems and infrastructure.
- Data, credentials, and configuration managed by NIN Genie in order to perform orchestration.
- Employees, contractors, and service providers with access to NIN Genie production data or systems.
It does **not** replace the broader NINX platform security measures that apply to other products and services.
---
## 3. Security Objectives
Our security program for NIN Genie is designed to achieve the following objectives:
- **Confidentiality** – Protect sensitive data, including user prompts, configuration, and credentials for connectors.
- **Integrity** – Ensure that workflows, actions, and outputs are accurate, tamper-resistant, and traceable.
- **Availability** – Maintain reasonable uptime and resilience of the Service, with appropriate recovery mechanisms.
- **Least Privilege** – Grant access (human and machine) strictly on a need-to-know and need-to-use basis.
- **Auditability** – Provide traceability for key security-relevant events and actions performed by or through NIN Genie.
---
## 4. Security Governance and Responsibilities
### 4.1 Governance
Nveda maintains a security governance structure that includes:
- Executive oversight for security strategy and risk management.
- Designated owners for infrastructure, application security, and compliance.
- Regular review of security posture, threat landscape, and incident reports.
### 4.2 Roles and Responsibilities
Key roles include:
- **Security Lead / CISO Function** – Oversees the security program, policies, and risk management.
- **Engineering Leads** – Implement and enforce secure development practices and infrastructure controls.
- **Operations / SRE** – Maintain secure configurations of production systems, monitoring, and incident response.
- **Compliance and Legal** – Ensure alignment with applicable legal, regulatory, and contractual obligations.
All employees and contractors with access to NIN Genie systems are required to:
- Follow this Security Policy and related procedures.
- Complete security and privacy awareness training at onboarding and periodically thereafter.
- Report suspected security incidents promptly.
---
## 5. Security Architecture Overview
NIN Genie is built on a layered security architecture that includes:
- **Segregated environments** for development, staging, and production.
- **Network segmentation** and security groups to restrict access between services.
- **API-driven orchestration** with minimal surface area exposed to the public internet.
- **Secure connectors** to third-party providers (such as communication, finance, and productivity tools) using standard protocols like OAuth 2.0 where supported.
- **Zero-trust principles** where feasible, including strong authentication, authorization, and continuous logging.
---
## 6. Access Control and Authentication
### 6.1 User Authentication
- Users authenticate to NIN Genie via the NINX platform’s authentication mechanisms (such as email-based login, passwordless flows, or federated identity providers where enabled).
- Strong authentication is encouraged and may be required for sensitive operations.
- Access tokens and sessions are time-limited and subject to revocation.
### 6.2 Internal Access
- Access to production systems is restricted to a limited set of authorized personnel.
- Administrative access requires strong authentication (for example, multi-factor authentication) and is logged.
- Role-based access control (RBAC) is used to ensure least-privilege access to data, logs, and infrastructure.
### 6.3 Authorization
- Application-level authorization checks ensure that users and connectors can only perform actions within their configured permissions.
- Workspaces and environments are logically segregated to prevent cross-tenant access.
---
## 7. Data Protection and Encryption
### 7.1 Data in Transit
- All external communication with NIN Genie is protected using industry-standard transport encryption (HTTPS/TLS).
- Connections to third-party APIs and services are made over secure, encrypted channels wherever supported.
### 7.2 Data at Rest
- Sensitive data, including API keys, access tokens, and certain configuration values, is encrypted at rest using strong encryption algorithms.
- Storage systems used for production data (databases, object storage, etc.) are configured with encryption at rest where supported.
### 7.3 Secrets Management
- Secrets (API keys, tokens, encryption keys) are managed via a dedicated secrets management mechanism or encrypted storage.
- Secrets are not stored in source code repositories or hard-coded into application binaries.
- Access to secrets is restricted to processes and personnel that strictly require them.
---
## 8. Application Security and Secure Development
- NIN Genie follows secure development practices, including code review, change management, and testing.
- Dependencies are regularly reviewed and updated to address known vulnerabilities.
- Security considerations are built into design and implementation phases for new features, especially those involving financial or high-risk actions.
- Where applicable, static analysis, dependency scanning, and other automated checks are used to help identify security issues.
---
## 9. Logging, Monitoring, and Audit Trails
- Security-relevant events (such as authentication attempts, connector authorizations, and key orchestration actions) are logged.
- Logs are protected against tampering and are stored for a reasonable retention period, subject to legal and operational requirements.
- Monitoring and alerting systems track key indicators such as error rates, unusual behavior, and suspicious access patterns.
- Access to logs is controlled and limited to authorized personnel for troubleshooting, security, and compliance purposes.
---
## 10. Connectors, Third-Party Services, and Subprocessors
- NIN Genie connects to third-party services through secure connectors based on your explicit authorization.
- Only the minimum required scopes/permissions are requested for each integration where feasible.
- Third-party providers and subprocessors are evaluated for security and privacy posture before use, and are subject to appropriate contractual obligations.
- Regular reviews of critical vendors and connectors are performed to ensure ongoing compliance and risk management.
Your use of third-party services remains subject to their own terms and privacy/security policies.
---
## 11. Network and Infrastructure Security
- Production infrastructure is hosted on reputable cloud providers with strong underlying security controls.
- Firewalls, security groups, and access control lists are used to restrict inbound and outbound traffic to necessary ports and services only.
- Unused services and ports are disabled or blocked by default.
- Administrative interfaces are protected through network restrictions and strong authentication.
---
## 12. Endpoint and Device Security
For employees and contractors with access to production systems or sensitive data:
- Devices must use supported and regularly updated operating systems.
- Full-disk encryption is required for laptops or desktops used to access production data.
- Up-to-date endpoint protection (such as antivirus or EDR) is required where applicable.
- Screen locking, password policies, and data loss prevention practices are enforced via internal guidelines.
---
## 13. Vulnerability Management
- Vulnerabilities may be identified via automated scanning tools, third-party reports, or internal reviews.
- Discovered vulnerabilities are triaged based on severity, impact, and exploitability.
- Critical and high-severity issues are remediated on an expedited basis, with tracking until closure.
- Dependencies, containers, and base images are updated regularly to address known security issues.
---
## 14. Incident Response
Nveda maintains an incident response process for NIN Genie that includes:
- **Detection and Triage** – Monitoring alerts, security reports, and user notifications to identify potential incidents.
- **Containment and Mitigation** – Taking appropriate technical and administrative steps to limit impact and prevent further damage.
- **Investigation and Analysis** – Determining root causes, affected systems, data, and users.
- **Notification** – Where required by law or contract, notifying affected users, partners, or regulators within applicable timelines.
- **Recovery and Lessons Learned** – Restoring normal operations and updating policies, controls, and training based on findings.
Security incidents can be reported using the contact details in the **Contact** section below.
---
## 15. Business Continuity and Disaster Recovery
- NIN Genie’s infrastructure is designed to support resilience through redundancy where appropriate.
- Regular backups are taken for critical data and systems, with secure storage and periodic restore testing.
- Disaster recovery procedures aim to restore essential services within reasonable timeframes in the event of major outages.
---
## 16. User Security Responsibilities
While NIN Genie is designed with security in mind, users also play a role in maintaining a secure environment. You are responsible for:
- Protecting your own devices and login credentials.
- Reviewing and configuring connectors and permissions according to your risk appetite.
- Verifying sensitive outputs and actions (especially financial decisions) before relying on them.
- Not sharing API keys, access tokens, or sensitive configuration with unauthorized parties.
- Reporting suspected compromise or misuse of your account or connectors promptly.
---
## 17. Compliance and Regulatory Alignment
We aim to operate NIN Genie in a way that is consistent with relevant regulatory expectations for security, particularly in the context of financial services, data protection, and consumer protection frameworks.
As our products evolve, we may adopt additional certifications, standards, or third-party assessments, which will be reflected in updated documentation or security disclosures where applicable.
---
## 18. Changes to This Security Policy
We may update this Security Policy from time to time to reflect changes in our practices, technologies, or legal obligations. When we do so, we will update the “Last Updated” date at the top of this page.
Where required by law or where changes are material, we may provide additional notice (for example, in-product notifications or email).
Your continued use of NIN Genie after any changes become effective constitutes your acceptance of the updated Security Policy.
---
## 19. Contact
If you have questions about this Security Policy, our security practices for NIN Genie, or if you wish to report a security concern, you can contact:
Nveda Fintech Pvt Ltd | Ninja Labs - FZCO
Email: security@nin.in
Legal and Compliance: legal@nin.in
Privacy and Data Protection: privacy@nin.in