Information Security Policy

1. Purpose and Scope

This Information Security Policy establishes the security framework for TipMe, operated by Hyperx Inc. It defines the policies, procedures, and controls we implement to protect the confidentiality, integrity, and availability of all information assets, including customer personal data and financial information.

This policy applies to all systems, data, personnel, and third-party partners involved in operating the TipMe platform.

2. Governance and Risk Management

Hyperx Inc. maintains an information security program overseen by company leadership. Our security governance includes:

• Designated security leadership responsible for maintaining and enforcing this policy
• Regular risk assessments to identify, evaluate, and mitigate security threats
• Ongoing review and improvement of security controls based on industry best practices
• Compliance monitoring with applicable laws and regulations, including the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
• Vendor risk management for all third-party service providers handling customer data

3. Data Classification and Protection

We classify data based on sensitivity and apply appropriate protections:

• Highly Sensitive: Bank account credentials, payment card data, SSN, identity documents — encrypted with AES-256 at rest, transmitted only via TLS 1.2+, access restricted to essential systems only
• Sensitive: Personal information (name, email, phone), transaction records — encrypted in transit, access limited to authorized personnel
• Internal: Operational data, analytics, system logs — protected by access controls and monitoring

Bank account details (routing and account numbers) are retrieved via Plaid during account linking and stored on TipMe servers encrypted with AES-256. Only the last 4 digits of routing and account numbers are ever displayed. Payment card data is processed exclusively through Nuvei in a PCI-compliant environment and is never stored on TipMe servers.

4. Access Control

We enforce strict access controls to protect production systems and sensitive data:

• Role-based access control (RBAC) across all application layers — users, administrators, and system operators have distinct permission levels
• SSH key-based authentication for production server access — password authentication is disabled
• JWT-based authentication with secure token management for application access
• Separate admin authentication system with role-based permissions (super admin, admin)
• Principle of least privilege — access is granted only to the minimum level necessary for job functions
• Immediate revocation of access upon role change or separation

5. Encryption Standards

We use modern, industry-standard cryptography to protect data:

• Data in Transit: All communications are encrypted using TLS 1.2 or higher via SSL certificates (Let's Encrypt, auto-renewed)
• Data at Rest: Sensitive personal data (such as SSN and bank account details) is encrypted using AES-256 encryption
• Password Storage: All user passwords are hashed using bcrypt with a cost factor of 12 — plaintext passwords are never stored
• Sensitive Data Hashing: Deterministic hashing (SHA-256) is used for sensitive data lookups without exposing the original values
• API Authentication: Secure JWT tokens with expiration for session management

6. Infrastructure Security

Our production infrastructure is secured with multiple layers of protection:

• Dedicated server infrastructure with restricted network access
• Nginx reverse proxy with SSL termination and security headers
• Database access restricted to localhost connections only — no external database access
• Automated SSL certificate renewal
• Process management with automatic restart and health monitoring (PM2)
• Regular operating system and dependency security updates

7. Application Security

Security is integrated into our software development lifecycle:

• Input validation and sanitization on all user-facing endpoints to prevent injection attacks
• CSRF protection and security headers on all requests
• Rate limiting to prevent brute-force and denial-of-service attacks
• Parameterized database queries (via Prisma ORM) to prevent SQL injection
• Automated testing (unit, integration) as part of the CI/CD pipeline
• Dependency vulnerability scanning and timely patching
• Webhook signature verification for all payment processor callbacks

8. Third-Party Vendor Security

We carefully evaluate and monitor all third-party providers that handle customer data:

• Plaid — Bank account linking. SOC 2 Type II certified, ISO 27001 compliant. Bank login credentials are transmitted directly to Plaid and never touch TipMe servers. Routing and account numbers retrieved via Plaid are stored encrypted with AES-256 on TipMe servers to facilitate payouts
• Nuvei — Payment processing. PCI DSS Level 1 certified. Card data is processed entirely within Nuvei's secure environment
• Persona — Identity verification (KYC). SOC 2 compliant. Identity documents are processed and stored by Persona
• SendGrid — Transactional email. SOC 2 certified. Only receives email addresses necessary for sending notifications
• Vonage — SMS messaging. Used solely for phone number verification. Only receives phone numbers necessary for sending verification codes
• Amazon SNS — SMS messaging. Used solely for phone number verification. Only receives phone numbers necessary for sending verification codes
• Vercel — Frontend hosting. SOC 2 Type II certified. Serves static assets and handles no sensitive user data

All third-party integrations use encrypted API communications (TLS) and are authenticated with securely stored API credentials.

9. Monitoring and Logging

We maintain continuous monitoring to detect and respond to security events:

• Application logging of all authentication events, API requests, and error conditions
• Webhook audit trail for all payment processor callbacks (stored in WebhookLog)
• Payment processor health monitoring with automated failover
• Server process monitoring with automatic restart on failure
• Log review for indicators of unauthorized access or anomalous activity

10. Incident Response

In the event of a security incident, we follow a structured response process:

• Detection: Identify and confirm the incident through monitoring, alerts, or reports
• Containment: Immediately isolate affected systems to prevent further damage
• Investigation: Determine the scope, cause, and impact of the incident
• Notification: Notify affected users within 72 hours and relevant regulatory authorities as required by law
• Remediation: Implement fixes to address the root cause and prevent recurrence
• Documentation: Record all incident details, response actions, and lessons learned

Security vulnerabilities or incidents can be reported to security@tipme-app.com.

11. Data Retention and Disposal

We retain data only as long as necessary for its intended purpose:

• Active account data is retained for the duration of the account
• Transaction records are retained for up to 7 years as required by financial regulations
• Upon account deletion, personal data is removed and financial records are retained only as legally required
• Third-party access (such as Plaid bank connections) is revoked upon account deletion or user request

12. Compliance

TipMe's security program is designed to comply with applicable regulations and industry standards, including:

• Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for protection of financial information
• PCI DSS requirements (via our payment processor Nuvei) for payment card data
• California Consumer Privacy Act (CCPA) for California residents
• Bank Secrecy Act (BSA) record-keeping requirements
• State data breach notification laws

13. Policy Review

This policy is reviewed and updated at least annually, or whenever significant changes occur to our systems, processes, or regulatory requirements. All updates are documented with revision dates.

14. Contact

For security-related questions, concerns, or to report a vulnerability:

Email: security@tipme-app.com

Hyperx Inc.
2810 N Church St #147904
Wilmington, DE 19802