Security

Last updated: March 30, 2026

Our Commitment to Security

BANA is a point-of-sale and business management platform that handles sensitive data every day — sales transactions, payment information, inventory records, employee details, and customer profiles. We recognise that your trust depends on our ability to protect this data, and we treat security as a foundational engineering discipline, not an afterthought. Our security programme is built on the principles of defence in depth, least privilege, and continuous improvement, guided by a security-first engineering culture across every team at Nexpando.

Infrastructure & Network Security

BANA is hosted on enterprise-grade cloud infrastructure within the Vietnam region, ensuring compliance with Vietnamese data localisation requirements. Our infrastructure security includes:

  • Network segmentation: Production, staging, and development environments are strictly isolated. Internal services communicate over private networks with tightly scoped firewall rules.
  • DDoS protection: Multi-layered distributed denial-of-service mitigation protects the platform at both the network and application layers.
  • Web application firewall (WAF): All incoming traffic is inspected by a WAF configured to detect and block common attack patterns, including SQL injection, cross-site scripting, and request smuggling.
  • Penetration testing: We conduct regular penetration tests — both internal and through qualified third-party security firms — to identify and remediate vulnerabilities before they can be exploited.

Encryption

We apply strong encryption throughout the data lifecycle to protect your information at every stage:

  • In transit: All communications between your browser or device and the BANA platform are encrypted using TLS 1.3, whose ephemeral key exchange provides forward secrecy for every session, so a future compromise of a server key does not expose previously recorded traffic. Internal service-to-service communication is also encrypted.
  • At rest: All data stored on our servers — including databases, file storage, and backups — is encrypted using AES-256, an industry-standard symmetric encryption algorithm.
  • Key management: Encryption keys are managed through a dedicated key management system with automatic key rotation, strict access controls, and audit logging. Keys are never stored alongside the data they protect.
  • Payment data: BANA does not store raw payment card numbers on its servers. Card data is tokenised and processed exclusively through PCI DSS-compliant payment processors.

Identity & Access Management

We enforce rigorous access controls across the platform and our internal operations:

  • Role-based access control (RBAC): Both within the BANA platform (for your team) and internally (for Nexpando staff), access is granted based on defined roles with the minimum permissions required to perform each function.
  • Multi-factor authentication (MFA): MFA is mandatory for all Nexpando personnel accessing production systems. We also offer and recommend MFA for BANA business accounts.
  • Least privilege principle: Access to systems, databases, and infrastructure is restricted to only those individuals who require it for their specific responsibilities, and is reviewed regularly.
  • Comprehensive audit logging: All access to sensitive systems and data is logged with user identity, timestamp, action performed, and outcome. Logs are stored securely and retained for 2 years.
  • Automated deprovisioning: When an employee leaves Nexpando or changes roles, their access to all systems is automatically revoked or adjusted through our identity management system.

Application Security

Security is embedded into every stage of our software development lifecycle (SDLC):

  • Secure development practices: All code is developed following secure coding guidelines and undergoes mandatory peer review before being merged into production branches.
  • Automated dependency scanning: Our CI/CD pipeline includes automated scanning of all third-party dependencies for known vulnerabilities, with alerts triggered for any critical or high-severity findings.
  • Input validation & output encoding: All user input is validated and sanitised on the server side, which is the authoritative control; client-side validation is applied as well for usability but is never relied upon for security, since it can be bypassed by anyone sending requests directly to the API. Output is encoded for the context in which it is rendered to prevent injection attacks.
  • OWASP Top 10 coverage: Our security testing programme is designed to address the OWASP Top 10 web application security risks, including broken access control, cryptographic failures, injection, and security misconfiguration.
  • Secure API design: All APIs use authentication tokens, rate limiting, and request validation. API keys and secrets are managed through a dedicated secrets management system and never committed to source code.

Payment Security

As a POS platform, payment security is of particular importance to BANA:

  • PCI DSS alignment: Our payment handling practices are aligned with the Payment Card Industry Data Security Standard (PCI DSS). We work exclusively with PCI DSS Level 1-certified payment processors for card transactions.
  • Tokenisation: Payment card data is tokenised at the point of entry. BANA systems never store, process, or transmit raw card numbers — only opaque tokens that are meaningless outside the payment processor's environment.
  • No plaintext storage: Under no circumstances is payment card data stored in plaintext on any BANA system, database, log file, or backup.
  • Payment processor partnerships: We partner with reputable, locally regulated payment processors (including VNPAY, Momo, and ZaloPay) that maintain their own rigorous security and compliance programmes.

Monitoring & Threat Detection

We maintain continuous visibility into our systems to detect and respond to threats promptly:

  • 24/7 monitoring: Our infrastructure and application systems are monitored around the clock for performance anomalies, error spikes, and security events.
  • Anomaly detection: Machine learning-based anomaly detection identifies unusual patterns in API usage, authentication attempts, and data access that may indicate a security threat.
  • Intrusion detection: Network and host-based intrusion detection systems (IDS) monitor for suspicious activity, including unauthorised access attempts and lateral movement.
  • Centralised logging: All system, application, and security logs are aggregated in a centralised, tamper-resistant logging platform for real-time analysis and historical investigation.

Incident Response

We maintain a documented incident response plan that is tested and updated regularly:

  • Defined IR plan: Our incident response plan defines clear roles, responsibilities, escalation paths, and communication procedures for security incidents of all severity levels.
  • Severity classification: Incidents are classified by severity (Critical, High, Medium, Low) based on their potential impact on data confidentiality, integrity, and availability, with response time targets for each level.
  • Breach notification: In the event of a confirmed data breach, we will notify the data protection authority (Ministry of Public Security) within 72 hours of detection as required by Article 23 of the Personal Data Protection Law No. 91/2025/QH15 and Decree No. 356/2025/ND-CP, and promptly notify affected users with details about the breach, its impact, and our remediation steps.
  • Post-incident review: Every security incident is followed by a thorough post-incident review (blameless post-mortem) that identifies root causes, evaluates the effectiveness of the response, and produces actionable improvements to prevent recurrence.

Business Continuity & Disaster Recovery

We design our systems and processes to ensure your business data remains available and recoverable, even in the event of significant disruptions:

  • Regular backups: All critical data is backed up automatically on a daily basis, with point-in-time recovery capability. Backups are encrypted and stored in a geographically separate location from the primary data.
  • Geographic redundancy: Core services are deployed with redundancy across multiple availability zones within Vietnam, ensuring that a single infrastructure failure does not result in service loss.
  • Recovery targets: Our disaster recovery programme targets a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour for all critical services.
  • Annual DR testing: We conduct formal disaster recovery tests at least once per year, simulating realistic failure scenarios to validate our recovery procedures and identify areas for improvement.

Employee Security

Our people are an integral part of our security posture. We invest in ensuring every team member understands and upholds their security responsibilities:

  • Background checks: All Nexpando employees undergo background verification prior to employment, proportionate to their role and level of access to sensitive systems.
  • Security awareness training: Every employee completes security awareness training upon joining and at regular intervals thereafter. Training covers topics including phishing recognition, secure data handling, password hygiene, and incident reporting.
  • Non-disclosure agreements: All employees and contractors sign non-disclosure agreements (NDAs) that cover confidential business data and customer information.
  • Access provisioning & deprovisioning: Access to systems is provisioned based on role requirements and reviewed quarterly. Upon termination or role change, access is revoked or adjusted within 24 hours through automated workflows.

Regulatory Compliance

BANA is committed to compliance with all applicable Vietnamese regulations governing data protection, cybersecurity, and financial data handling:

  • Personal Data Protection Law No. 91/2025/QH15: We comply with all requirements regarding the collection, processing, storage, and transfer of personal data, including the 7 data subject rights (Article 4), breach notification within 72 hours (Article 23), Data Processing Impact Assessments (DPIA), and cross-border data transfer safeguards (Article 20).
  • Decree No. 356/2025/ND-CP: We implement the specific measures required by the implementing decree, including DPIA submission within 60 days of processing commencement, appointment of qualified data protection personnel (DPO), and rapid response procedures for data breach reporting.
  • Cybersecurity Law (Law No. 24/2018/QH14) and Decree No. 53/2022/ND-CP: We adhere to data localisation requirements, storing Vietnamese user data on domestic servers (Article 26(3)), maintaining appropriate cybersecurity measures, and cooperating with competent authorities as required by law.
  • Ongoing compliance monitoring: Our compliance posture is reviewed continuously through internal audits, policy reviews, and monitoring of regulatory developments. We update our practices promptly in response to new legal requirements or guidance.

Vulnerability Disclosure Programme

We value the security research community and welcome responsible disclosure of vulnerabilities in the BANA platform. If you discover a potential security issue, please report it to us following these guidelines:

  • How to report: Send a detailed description of the vulnerability to support@bana.com.vn. Include steps to reproduce, potential impact, and any supporting evidence (screenshots, proof-of-concept code).
  • Acknowledgement: We will acknowledge receipt of your report within 24 hours and provide an initial assessment within 5 business days.
  • Responsible disclosure: We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it. We aim to resolve confirmed vulnerabilities within 30 days of verification, depending on severity and complexity.
  • Recognition: With your permission, we will credit you publicly for your contribution to BANA's security. We do not pursue legal action against researchers who report vulnerabilities in good faith and in accordance with these guidelines.

Contact Us

For security questions, concerns, or to report a vulnerability, please contact us:

We are committed to responding to all security-related enquiries within 24 hours.