
Security Policy

Company: MISMO PH Digital Solutions OPC

Policy Version: 1.0.1

Effective Date: January 2026

Last Updated: January 2026

Applicability: All Users, Employees, Contractors, and Third-Party Service Providers

1. POLICY STATEMENT AND COMMITMENT

MISMO PH Digital Solutions OPC ("MISMO," "we," "us," or "our") maintains an uncompromising commitment to information security. This Security Policy defines the comprehensive framework of administrative, technical, and physical safeguards implemented to protect the confidentiality, integrity, and availability of our Platform, data, and systems. Our security program is designed to comply with the Philippine Data Privacy Act of 2012 (RA 10173) and international best practices, ensuring trust and safety for all Users, employees, and partners.

2. SECURITY GOVERNANCE AND ORGANIZATION

2.1 Security Leadership

A dedicated Security Committee, chaired by the Chief Technology Officer (CTO) and including the Data Protection Officer (DPO), governs all security matters. This committee is responsible for setting security strategy, approving policies, overseeing risk management, and directing incident response.

2.2 Organizational Responsibilities

Executive Management holds ultimate accountability for security governance. The Development Team implements secure coding practices and vulnerability management. The Operations Team manages infrastructure security, monitoring, and access controls. All employees and contractors must comply with security policies and report incidents. Users are responsible for maintaining their account security.

3. ACCESS CONTROL AND IDENTITY MANAGEMENT

3.1 Principle of Least Privilege

Access to systems and data is strictly governed by the principle of least privilege. Users are granted only the minimum permissions necessary to perform their authorized functions.

3.2 Strong Authentication

We enforce a password policy requiring a minimum of 12 characters with complexity. All passwords are hashed using bcrypt, which derives a unique salt for every password. Multi-Factor Authentication (MFA) is mandatory for all administrative accounts and strongly recommended for all User accounts. Sessions automatically terminate after 15 minutes of inactivity and are tracked with server-managed session tokens rather than client-controlled state.
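The two mechanisms in this section that are easy to get subtly wrong are the password-policy check and the idle timeout. The block below is an added illustration, not MISMO's code: it assumes "complexity" means at least three of four character classes (an assumption, since the policy does not define it) and shows an idle-timeout session token that is HMAC-signed so a client cannot push its own last-activity timestamp forward. Password hashing itself is left to a bcrypt library and is not shown.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
from typing import Optional

MIN_PASSWORD_LEN = 12          # from the policy
IDLE_TIMEOUT_S = 15 * 60       # 15 minutes of inactivity, from the policy

# Per-process signing key. Assumption for the example only: production would
# load this from the HSM/KMS named in section 4.2, never generate it at import.
SERVER_KEY = secrets.token_bytes(32)


def password_meets_policy(pw: str) -> bool:
    """Minimum 12 characters and (assumed definition of 'complexity')
    at least three of: lowercase, uppercase, digit, other."""
    if len(pw) < MIN_PASSWORD_LEN:
        return False
    classes = (
        re.search(r"[a-z]", pw),
        re.search(r"[A-Z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    )
    return sum(1 for c in classes if c) >= 3


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> str:
    return _b64e(hmac.new(key, payload, hashlib.sha256).digest())


def issue_session(user_id: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Token = base64url(payload) '.' base64url(HMAC-SHA256(payload)).
    last_seen is the server's clock, so the idle window is server-enforced."""
    payload = json.dumps({"sub": user_id, "last_seen": now},
                         separators=(",", ":")).encode()
    return _b64e(payload) + "." + _sign(payload, key)


def validate_session(token: str, now: float,
                     key: bytes = SERVER_KEY) -> Optional[str]:
    """Return a refreshed token (sliding window) if the signature is valid and
    the session has been idle for at most 15 minutes; otherwise None, which
    the caller treats as 'session terminated'."""
    try:
        p64, sig = token.split(".")
    except ValueError:
        return None
    payload = _b64d(p64)
    # Constant-time comparison so a forged signature cannot be timed out.
    if not hmac.compare_digest(_sign(payload, key), sig):
        return None
    data = json.loads(payload)
    if now - float(data["last_seen"]) > IDLE_TIMEOUT_S:
        return None
    return issue_session(data["sub"], now, key)
```

Every request that carries a valid token gets a fresh one back, so the 15-minute window slides with activity; a token whose payload has been edited fails the HMAC check before its timestamp is even read.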

3.3 Access Lifecycle Management

User access rights are provisioned, modified, and de-provisioned through a formal process. Access reviews are conducted quarterly. Access is immediately revoked upon account termination or role change.

4. DATA PROTECTION AND ENCRYPTION

4.1 Data Classification Framework

All data is classified into three categories:

  • Restricted Data: Includes highly sensitive information such as government ID numbers, full financial account data, and authentication credentials. This data requires the strongest encryption and most restrictive access controls.

  • Confidential Data: Includes transaction details, user profiles, and business records. This data requires encryption and controlled access.

  • Public Data: Includes non-sensitive information like public merchant details. This data requires basic integrity protection.

4.2 Encryption Standards

All data in transit is protected with TLS 1.3, whose ephemeral key exchange provides forward secrecy, so a later compromise of a server's long-term key cannot be used to decrypt recorded traffic. Data at rest, including databases and backups, is encrypted using AES-256. Sensitive database fields are additionally protected with column-level encryption. Encryption keys are managed in a Hardware Security Module (HSM) or a certified cloud key management service, with automatic key rotation every 90 days.

4.3 Secure Data Handling Practices

We adhere to data minimization principles, collecting only the information necessary for service provision. All user input is validated and sanitized to prevent injection attacks. Output is properly encoded to mitigate cross-site scripting risks.
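To make the injection and cross-site scripting points concrete, here is an added example (not MISMO's code) using an in-memory SQLite table of constructed merchant records. It puts a string-concatenated query beside its parameterized form, and encodes a merchant name for an HTML context; the table, column names and sample rows are invented for the illustration.

```python
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two public merchants and one hidden one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchant (id INTEGER PRIMARY KEY, name TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchant (name, status) VALUES (?, ?)",
        [("Kape Tacloban", "public"),
         ("Leyte Bakeshop", "public"),
         ("Pending Merchant", "hidden")],
    )
    conn.commit()
    return conn


def find_merchant_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the user-supplied name becomes part of the SQL text,
    so a quote in the input rewrites the query's logic."""
    sql = (f"SELECT name FROM merchant "
           f"WHERE status = 'public' AND name = '{name}'")
    return [row[0] for row in conn.execute(sql)]


def find_merchant_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the driver sends the name as data, never as SQL,
    so the same payload is just an unmatched literal."""
    sql = "SELECT name FROM merchant WHERE status = 'public' AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_merchant_card(name: str) -> str:
    """Output encoding for an HTML body/attribute context. Encoding happens
    at the point of output, not at input, so stored data stays faithful."""
    return '<div class="merchant">' + html.escape(name, quote=True) + "</div>"
```

With the payload `x' OR '1'='1` the concatenated query returns every row, including the hidden merchant, while the parameterized query returns nothing; `render_merchant_card("<script>alert(1)</script>")` yields the tags as `&lt;script&gt;`, which the browser displays rather than executes.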

5. NETWORK AND SYSTEM SECURITY

5.1 Defense-in-Depth Architecture

Our network employs a segmented architecture with isolated environments for production, staging, and development. A Web Application Firewall (WAF) filters common web attacks, including attack classes from the OWASP Top 10 such as injection and cross-site scripting; it complements the secure coding practices in Section 4.3 rather than replacing them. Distributed Denial of Service (DDoS) protection is deployed at the network perimeter.

5.2 Endpoint and Infrastructure Security

Company-issued employee devices require mandatory endpoint protection, full disk encryption, and mobile device management. We provide security guidelines for Riders using personal devices for the Platform. All APIs are secured with rate limiting, authentication, and comprehensive logging.

5.3 Proactive Vulnerability Management

We conduct weekly automated vulnerability scans across all systems. Annual penetration tests are performed by accredited third-party security firms. We maintain a strict patch management policy: critical security patches are applied within 72 hours, and all patches within 30 days of release. Third-party software dependencies are continuously monitored for vulnerabilities.

6. PHYSICAL AND ENVIRONMENTAL CONTROLS

6.1 Data Center Security

We utilize cloud service providers that maintain SOC 2 Type II and ISO 27001 certified data centers. These facilities feature 24/7 physical security, biometric access controls, comprehensive video surveillance, advanced fire suppression, and redundant power and cooling systems.

6.2 Corporate Security

Our offices employ access control systems with audit trails. A clean desk policy is enforced for sensitive information. All physical media containing sensitive data is securely destroyed via cross-cut shredding.

7. MONITORING, LOGGING, AND DETECTION

7.1 Comprehensive Activity Logging

We maintain centralized logs for all security-relevant events including authentication attempts, administrative actions, data access, network traffic, and API calls. Logs are retained for a minimum of one year.

7.2 Continuous Security Monitoring

Our Security Operations Center (SOC) provides 24/7 monitoring using Security Information and Event Management (SIEM) tools. We have configured real-time alerts for suspicious activities such as brute-force login attempts, anomalous data access patterns, and geographic irregularities in account usage.
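Two of the alert types named above, brute-force login attempts and geographic irregularities, can be expressed as simple stateful rules over authentication events. The block below is an added example, not the SOC's actual SIEM configuration: it runs over a handful of constructed JSON-lines login events (the field names, thresholds of 5 failures in 5 minutes and a 1-hour country-change window are all assumptions chosen for the illustration).

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real platform logs. Fields are assumed.
SAMPLE_LOG = """
{"ts":"2026-01-15T10:00:00","event":"login_failure","user":"rider01","src_ip":"203.0.113.7","country":"PH"}
{"ts":"2026-01-15T10:00:10","event":"login_failure","user":"rider01","src_ip":"203.0.113.7","country":"PH"}
{"ts":"2026-01-15T10:00:20","event":"login_failure","user":"rider01","src_ip":"203.0.113.7","country":"PH"}
{"ts":"2026-01-15T10:00:30","event":"login_failure","user":"rider01","src_ip":"203.0.113.7","country":"PH"}
{"ts":"2026-01-15T10:00:40","event":"login_failure","user":"rider01","src_ip":"203.0.113.7","country":"PH"}
{"ts":"2026-01-15T10:00:50","event":"login_failure","user":"rider01","src_ip":"203.0.113.7","country":"PH"}
{"ts":"2026-01-15T10:02:00","event":"login_failure","user":"rider09","src_ip":"192.0.2.9","country":"PH"}
{"ts":"2026-01-15T10:03:00","event":"login_failure","user":"rider09","src_ip":"192.0.2.9","country":"PH"}
{"ts":"2026-01-15T10:05:00","event":"login_success","user":"merchant22","src_ip":"198.51.100.5","country":"PH"}
{"ts":"2026-01-15T10:40:00","event":"login_success","user":"merchant22","src_ip":"198.51.100.77","country":"DE"}
"""

BRUTE_FORCE_THRESHOLD = 5                 # assumed tuning
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # assumed tuning
GEO_WINDOW = timedelta(hours=1)            # assumed tuning


def parse_events(text: str):
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        yield event


def detect(text: str) -> list:
    """Return (rule, subject, timestamp) alerts in event order.

    brute_force: >= THRESHOLD failures from one source IP inside WINDOW,
                 raised once per window so a 6th failure does not re-alert.
    geo_anomaly: a successful login from a different country than the
                 account's previous success, within GEO_WINDOW.
    """
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    last_alert = {}                  # src_ip -> time of last brute_force alert
    last_success = {}                # user -> (timestamp, country)

    for e in sorted(parse_events(text), key=lambda ev: ev["ts"]):
        if e["event"] == "login_failure":
            q = failures[e["src_ip"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > BRUTE_FORCE_WINDOW:
                q.popleft()          # drop failures that fell out of the window
            recently_alerted = (e["src_ip"] in last_alert and
                                e["ts"] - last_alert[e["src_ip"]] <= BRUTE_FORCE_WINDOW)
            if len(q) >= BRUTE_FORCE_THRESHOLD and not recently_alerted:
                alerts.append(("brute_force", e["src_ip"], e["ts"]))
                last_alert[e["src_ip"]] = e["ts"]
        elif e["event"] == "login_success":
            prev = last_success.get(e["user"])
            if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= GEO_WINDOW:
                alerts.append(("geo_anomaly", e["user"], e["ts"]))
            last_success[e["user"]] = (e["ts"], e["country"])
    return alerts
```

On the sample, the rider09 failures never reach the threshold, the 203.0.113.7 burst raises exactly one alert at the fifth failure, and merchant22's PH-then-DE logins 35 minutes apart raise one geographic alert.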

8. INCIDENT RESPONSE AND BREACH MANAGEMENT

8.1 Incident Severity and Response

Security incidents are classified by severity to guide response efforts. Critical incidents, such as system compromises or data breaches, trigger immediate response within one hour. High-severity incidents require response within four hours, medium within 24 hours, and low within 72 hours.

8.2 Structured Response Protocol

Our incident response process includes: immediate detection and reporting via security@mismo.ph; swift containment to limit damage; thorough investigation to determine root cause and scope; complete eradication of threat vectors; careful recovery of systems; and a formal post-incident review to implement improvements.

8.3 Regulatory Breach Notification

In compliance with the Data Privacy Act, any confirmed data breach involving personal information will be reported to the National Privacy Commission (NPC) within 72 hours of discovery. Affected individuals will be notified without undue delay when the breach poses a real risk of serious harm, with clear communication regarding the nature of the breach and remedial actions.

9. THIRD-PARTY AND SUPPLY CHAIN SECURITY

9.1 Rigorous Vendor Assessment

All third-party service providers undergo a security assessment prior to engagement. This includes review of their security certifications, control practices, data handling procedures, and contractual security commitments.

9.2 Contractual Security Obligations

Contracts with vendors mandate specific security requirements, including data protection clauses, immediate security incident notification, audit rights for MISMO, and secure data return or destruction upon contract termination.

10. BUSINESS CONTINUITY AND RESILIENCY

10.1 Business Impact Analysis

We regularly perform business impact analyses to identify critical functions and define recovery objectives, including Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO).

10.2 Robust Backup Strategy

Daily incremental and weekly full backups are performed. Backups are retained for 30 days (daily) and one year (weekly), stored in encrypted form across geographically separate locations. Backup integrity is verified through quarterly restoration tests.

10.3 Documented Disaster Recovery

A formal Disaster Recovery Plan outlines procedures for various disruption scenarios. Recovery teams are designated with clear responsibilities. The plan is tested and updated through semi-annual drills.

11. SECURITY AWARENESS AND CULTURE

11.1 Employee Training Program

All employees complete mandatory security awareness training upon hiring and annually thereafter. Technical staff receive role-specific training. We conduct quarterly phishing simulation exercises to reinforce vigilance.

11.2 User Security Empowerment

We provide Users with clear security guidelines on creating strong passwords, enabling MFA, recognizing phishing attempts, securing personal devices, and safely using the Platform on public networks.

12. COMPLIANCE, AUDIT, AND ASSURANCE

12.1 Regulatory Adherence

Our security program is designed to ensure ongoing compliance with the Philippine Data Privacy Act, relevant provisions of the Cybercrime Prevention Act, and payment card industry standards where applicable.

12.2 Internal and External Audits

We conduct quarterly internal security audits and an annual comprehensive review by the Security Committee. We undergo annual third-party security assessments and engage external auditors for regulatory compliance verification.

13. POLICY MAINTENANCE AND REVIEW

This Security Policy is a living document. It is reviewed and approved by the Security Committee at least annually, or more frequently in response to significant changes in business operations, technology, regulatory landscape, or the threat environment.

14. CONTACT AND REPORTING PROCEDURES

Security Vulnerabilities and Incidents: Report to legal@mismo.ph

Emergency Security Contact: Number

Physical Security Reports: Tacloban City, Leyte

We operate a responsible disclosure program and welcome cooperation from the security research community. Please refer to our Vulnerability Disclosure Policy for submission guidelines.