RemitPro Data Masking Policy (Control 8.11)

1. Purpose

This policy defines RemitPro’s approach to data masking to protect sensitive and confidential information from unauthorized access, in accordance with ISO/IEC 27001:2022 Control 8.11. The goal is to ensure that sensitive data is only visible to authorized personnel and is masked or anonymized for all other use cases, such as testing, analytics, and training.


2. Scope

This policy applies to all RemitPro employees, contractors, third-party service providers, and systems that process, store, or transmit sensitive information, including:

  • Customer personal data (e.g., names, addresses, phone numbers)
  • Payment and transaction data (e.g., account numbers, card details)
  • Authentication credentials (e.g., passwords, API keys)
  • Proprietary business information

3. Policy Statement

RemitPro shall implement data masking techniques to protect sensitive data in non-production and public-facing environments. Masking techniques shall be selected so that the original values cannot practically be derived or reverse-engineered from the masked data. Where a technique conceals a value only partially (for example, displaying the last four digits of a card number) or leaves the real values present in the dataset (for example, shuffling), the residual exposure shall be assessed before the masked data is released, so that security and privacy risks are minimized rather than assumed away.


4. Data Masking Techniques

RemitPro may use one or more of the following techniques based on the data type and context:

  1. Substitution – Replacing sensitive values with fictitious but realistic alternatives. Deterministic (keyed) substitution may be used where the same customer must map to the same alias across tables so that joins and referential integrity are preserved.
  2. Shuffling – Randomly rearranging the values of a field across records so that no record retains its own value. The real values remain present in the dataset, so shuffling alone is unsuitable for fields whose mere presence is sensitive (e.g., account numbers, card numbers).
  3. Nulling or Blanking Out – Replacing sensitive fields with null or empty values.
  4. Encryption with Masked Display – Storing data in encrypted form while displaying only the portion required (e.g., the last four digits of a card number). Because the full value remains recoverable with the key, this protects storage and display in production but is not a substitute for masking in non-production copies.
  5. Character Masking – Replacing characters with symbols while preserving the format (e.g., “XXXX-XXXX-XXXX-1234”). The number of characters left visible shall be the minimum the business purpose requires.
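The following is an added reference implementation, not RemitPro’s own masking tooling, showing how substitution, shuffling, nulling and character masking from the list above can be applied to a non-production extract, together with a verification pass that checks no real value survives. The customer records, name pools and masking key are constructed for the example and are hypothetical; encryption with masked display is omitted because it depends on the production key-management setup.

```python
"""Added example (not RemitPro's tooling): substitution, shuffling, nulling
and character masking applied to a constructed non-production extract,
followed by a verification pass. All names, keys and records are hypothetical."""
import hashlib
import hmac
import random

# Constructed sample records, not real customer data.
SAMPLE_CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "phone": "+44 7700 900123",
     "card": "4111 1111 1111 1111", "balance": 120.50},
    {"id": 2, "name": "Bob Sample", "phone": "+44 7700 900456",
     "card": "5500-0000-0000-0004", "balance": 75.00},
    {"id": 3, "name": "Carol Fixture", "phone": "+44 7700 900789",
     "card": "340000000000009", "balance": 9001.25},
]

# Hypothetical fictitious-name pools used by the substitution step.
FIRST_NAMES = ["Mia", "Noah", "Ava", "Liam", "Zoe", "Ethan", "Ivy", "Owen"]
LAST_NAMES = ["Ashford", "Bellamy", "Crane", "Dunmore", "Everly", "Farrow"]

# Hypothetical secret held only by the masking job, never by consumers of the copy.
MASKING_KEY = b"hypothetical-masking-key"


def substitute_name(name: str, key: bytes) -> str:
    """Substitution: map a real name to a realistic fictitious one.

    A keyed HMAC makes the mapping deterministic (the same customer masks to
    the same alias in every table, preserving joins) while nobody without the
    key can recompute or reverse it."""
    digest = hmac.new(key, name.encode("utf-8"), hashlib.sha256).digest()
    first = FIRST_NAMES[digest[0] % len(FIRST_NAMES)]
    last = LAST_NAMES[digest[1] % len(LAST_NAMES)]
    return f"{first} {last}"


def shuffle_column(values: list, rng: random.Random, attempts: int = 100) -> list:
    """Shuffling: permute a column so that no row keeps its own value.

    The real values still exist in the output, so use this only for fields
    whose presence (as opposed to ownership) is acceptable, such as balances."""
    original = list(values)
    permuted = original[:]
    for _ in range(attempts):
        rng.shuffle(permuted)
        if all(p != o for p, o in zip(permuted, original)):
            return permuted
    raise ValueError("no permutation without fixed points found")


def null_field(_value):
    """Nulling: drop the value entirely."""
    return None


def mask_pan(pan: str, keep_last: int = 4, fill: str = "X") -> str:
    """Character masking: replace every digit except the last `keep_last`,
    keeping separators so the result still has the shape of a card number."""
    digit_count = sum(c.isdigit() for c in pan)
    if digit_count <= keep_last:
        raise ValueError("value too short to mask safely")
    cutoff = digit_count - keep_last
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if seen >= cutoff else fill)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_dataset(records: list, key: bytes, seed: int) -> list:
    """Apply one technique per field class to produce a non-production copy."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    balances = shuffle_column([r["balance"] for r in records], rng)
    return [
        {
            "id": r["id"],  # surrogate key, retained for joins
            "name": substitute_name(r["name"], key),
            "phone": null_field(r["phone"]),
            "card": mask_pan(r["card"]),
            "balance": bal,
        }
        for r, bal in zip(records, balances)
    ]


def verify_masked(original: list, masked: list) -> bool:
    """Release check: no real name, phone or full PAN may survive, at most
    four card digits may remain, and no row may keep its own balance."""
    real_values = {r[f] for r in original for f in ("name", "phone", "card")}
    for o, m in zip(original, masked):
        if any(m[f] in real_values for f in ("name", "phone", "card")):
            return False
        if sum(c.isdigit() for c in m["card"]) > 4:
            return False
        if m["balance"] == o["balance"]:
            return False
    return True


if __name__ == "__main__":
    copy = mask_dataset(SAMPLE_CUSTOMERS, MASKING_KEY, seed=7)
    for row in copy:
        print(row)
    print("verification passed:", verify_masked(SAMPLE_CUSTOMERS, copy))
```

The verification step is the part worth keeping in a real pipeline: a masking job that silently skips a column (a new field added by a developer, a view that bypasses the masked table) is the usual way real data reaches a test environment, and a release gate that compares the copy against the source catches it before the copy is handed over.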

5. Implementation Guidelines

  • Default Masking in Non-Production Environments – All sensitive data shall be masked in testing, development, and training environments.
  • Role-Based Access Control (RBAC) – Only authorized personnel with a legitimate business need may access unmasked data.
  • Partial Masking in Production – Customer-facing systems must display only necessary portions of sensitive data (e.g., masked account numbers).
  • Auditing & Monitoring – Masking processes and access to unmasked data shall be logged and reviewed periodically.
  • Regular Review – Data masking procedures shall be reviewed annually or when there are significant changes to data processing operations.

6. Responsibilities

  • Information Security Team – Define and maintain masking standards, tools, and procedures.
  • System Owners & Developers – Implement masking in applications, databases, and data pipelines as per security requirements.
  • Compliance Team – Verify masking controls align with ISO 27001 and applicable privacy regulations.

7. Compliance

Failure to comply with this policy may result in disciplinary action, termination of access privileges, and potential legal consequences.


8. Review & Approval

This policy shall be reviewed at least annually or whenever there are changes in data handling practices.

  • Last Review Date: 11 August 2025
  • Approved By: Data Protection Officer, RemitPro Ltd