Effective from: February 25, 2025

Information Security Awareness

1. Introduction
Spoynt Limited (hereinafter referred to as "Spush," "we," "us," or "our") is a payment company committed to ensuring the security and integrity of its services and the protection of its users (hereinafter referred to as "Users," "you," or "your"). This Security Awareness Document (hereinafter referred to as the "Document") establishes the policies, procedures, and responsibilities governing the use of the Spush Account (hereinafter referred to as the "Account"). Our objective is to safeguard your Personal Data and Financial Data while maintaining compliance with applicable UK and EU regulations, including the UK GDPR, EU GDPR, and Payment Services Directive (PSD2).

This Document aims to:
  • Educate Users on their critical role in maintaining Account security.
  • Provide detailed guidance on protecting sensitive information and preventing security threats.
  • Ensure adherence to legal and regulatory frameworks governing payment services and data protection.
  • Promote best practices for security awareness within the financial services industry.

By accessing or using your Spush Account, you acknowledge your obligation to comply with the practices and responsibilities outlined herein. Non-compliance may result in Account suspension or termination, as stipulated in the Terms and Conditions (https://spush.co.uk/terms-and-conditions).
2. Definitions
For the purposes of this Document, the following terms are defined:

  • "Account": The user account established with Spush to access payment services.
  • "Personal Data": As defined by the UK GDPR and EU GDPR, any information relating to an identified or identifiable natural person.
  • "Financial Data": Information pertaining to your financial transactions, payment methods, or banking details processed via the Account.
  • "Security Incident": Any unauthorized access, disclosure, alteration, or destruction of Personal Data or Financial Data, or any event compromising Account security.
  • "Phishing": A fraudulent attempt to obtain sensitive information by impersonating a legitimate entity, typically via email or electronic communication.
  • "Multi-Factor Authentication (MFA)": A security process requiring multiple verification methods (e.g., password and a one-time code) to access the Account.
  • "PSD2": The Payment Services Directive (EU) 2015/2366, as transposed into UK law, regulating payment services and security standards.

Additional definitions may appear within specific sections as necessary.
3. User Responsibilities
3.1. General Duties
You are integral to the security of your Spush Account and must:
  • Protect your Account credentials (e.g., username, password, MFA tokens) from disclosure.
  • Implement and maintain strong, unique passwords as outlined in Section 4.
  • Enable MFA where provided to enhance Account security.
  • Monitor your Account for unauthorized activity and report anomalies promptly (see Section 7).
  • Use the Account solely for lawful purposes in accordance with Spush policies and applicable laws.

3.2. Prohibited Conduct
You shall not:
  • Disclose Account credentials to any third party, including Spush representatives (Spush will never request your password).
  • Engage in activities that undermine the security or functionality of the Spush platform.
  • Attempt to circumvent security controls, such as MFA or encryption mechanisms.

Non-compliance with these obligations may lead to Account restrictions and potential legal consequences.
4. Password Management
4.1. Password Standards
To secure your Account, passwords must:
  • Contain a minimum of 12 characters.
  • Include a mix of uppercase and lowercase letters, numbers, and special characters (e.g., !, @).
  • Exclude predictable patterns, personal information (e.g., name, birthdate), or common words.

4.2. Password Maintenance
  • Uniqueness: Use a distinct password for your Spush Account, not replicated elsewhere.
  • Updates: Change your password every six months or immediately if a breach is suspected.
  • Confidentiality: Do not write down or electronically store passwords in unsecured locations.

4.3. Password Recovery
If your password is forgotten or compromised:
  • Utilize the "Forgot Password" feature on the Spush login portal to initiate a secure reset.
  • Create a new password adhering to the standards in Section 4.1.
  • Contact Spush Support (support@spush.co.uk) if you suspect unauthorized access during this process.
5. Phishing and Social Engineering
5.1. Overview
Phishing and social engineering are prevalent threats targeting Users to extract sensitive information. These attacks often masquerade as legitimate communications from Spush or other trusted entities.

5.2. Identifying Threats
Be alert for:
  • Unsolicited requests for credentials, Personal Data, or Financial Data.
  • Messages with vague salutations (e.g., "Dear User") instead of your name.
  • Suspicious links, attachments, or urgent demands for action.
  • Inconsistent formatting, typos, or unnatural phrasing.

5.3. Preventive Measures
  • Verification: Confirm the legitimacy of any Spush communication via official channels (support@spush.co.uk).
  • Avoid Interaction: Refrain from clicking links or opening attachments in unsolicited messages.
  • Official Access: Access your Account only through the Spush website or app.
  • Reporting: Forward suspected phishing attempts to support@spush.co.uk and delete them immediately.
6. Data Protection and Privacy
6.1. Spush’s Data Protection Obligations
Spush adheres to the UK GDPR, EU GDPR, and other data protection laws by:
  • Encrypting Personal Data and Financial Data during transmission and storage.
  • Conducting regular security assessments to identify and address vulnerabilities.
  • Restricting data access to authorized personnel under strict controls.

Refer to the Spush Privacy Policy (https://spush.co.uk/privacy-policy) for a comprehensive overview of data handling practices.

6.2. User Obligations
To support these efforts, you must:
  • Secure devices used to access your Account with updated antivirus software and firewalls.
  • Avoid public or unsecured Wi-Fi networks for Account access unless protected by a VPN.
  • Log out of your Account after use, particularly on shared or public devices.
  • Refrain from sharing sensitive data via unsecured methods (e.g., unencrypted email).

6.3. Data Subject Rights
Per the UK GDPR and EU GDPR, you may request access, correction, deletion, or restriction of your Personal Data. Submit such requests to privacy@spush.co.uk, and we will respond within statutory timeframes.
7. Incident Reporting
7.1. Obligation to Report
You must report any suspected or confirmed Security Incident—such as unauthorized Account access, data leaks, or phishing attempts—to Spush without delay.

7.2. Reporting Procedure
  • Contact: Notify Spush via email at support@spush.co.uk.
  • Details: Provide the incident’s date, time, nature, and any actions taken (e.g., password reset).
  • Follow-Up: Adhere to any additional instructions provided by Spush during the investigation.

7.3. Spush’s Response Protocol
Upon notification, Spush will:
  • Investigate the incident expeditiously.
  • Implement measures to secure your Account and mitigate risks.
  • Notify regulatory bodies (e.g., the Information Commissioner's Office, ICO) if mandated by law, such as under UK GDPR.
  • Update you on resolution steps, where permissible.
8. Compliance with Regulations
8.1. Applicable Laws
Spush operates under:
  • UK GDPR and EU GDPR: Governing Personal Data protection.
  • PSD2: Mandating strong customer authentication and secure payment processing.
  • FCA Rules: The Financial Conduct Authority's rules, ensuring consumer protection and financial integrity in the UK.

8.2. Compliance Measures
Spush ensures compliance by:
  • Enforcing MFA and strong customer authentication (SCA) for Account access and transactions per PSD2.
  • Regularly auditing security systems for vulnerabilities.
  • Providing transparent data processing information as required by GDPR.
  • Maintaining robust incident response plans aligned with regulatory standards.

8.3. User Compliance
You must:
  • Adhere to all laws applicable to your use of the Account.
  • Provide accurate information for identity verification and anti-money laundering (AML) compliance.
  • Assist Spush in resolving security or compliance issues as requested.
9. Best Practices for Financial Data Security
9.1. Transaction Oversight
  • Review your Account activity weekly for irregularities.
  • Enable transaction alerts for amounts exceeding £3000, if available.

9.2. Payment Security
  • Use Spush-provided secure payment options (e.g., tokenized cards) to limit data exposure.
  • Avoid storing payment details on unsecured devices or third-party platforms.

9.3. Device Protection
  • Install and update security software on all devices accessing your Account.
  • Activate device locks (e.g., PIN, biometrics) to prevent unauthorized use.

9.4. Network Safety
  • Refrain from Account use on public Wi-Fi unless encrypted via a VPN.
  • Verify network security before conducting transactions.
10. Contact Information
For inquiries or assistance related to this Document:
Spoynt Limited
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email: support@spush.co.uk

Responses will be provided within 10 business days.
11. Acknowledgment
By using the Spush Account, you confirm your understanding of and agreement to abide by this Document. Non-compliance may result in Account suspension, termination, or legal action.