Security and privacy

Protecting the information our customers and partners entrust to us.

IPS handles sensitive financial and personal information across every transaction the platform supports. Our security framework and privacy programme are built to the standards appropriate for a regulated payments operator: LGPD compliance for data protection, PCI DSS alignment for cardholder data, encrypted handling of data in transit and at rest, segregation of duties across operational functions, and continuous monitoring of platform security state.

How we handle personal data.

Lei Geral de Proteção de Dados (LGPD) governs the processing of personal data in Brazil. IPS's privacy programme is built to comply with LGPD across all customer-facing operations. The programme operates on the principles LGPD establishes: lawful basis for processing, purpose limitation, data minimisation, accuracy, retention limited to legitimate purposes, security, and accountability.

A Data Protection Officer is designated and reachable through the DPO contact channel. The DPO receives and responds to data subject requests — access, correction, deletion, portability, objection, automated decision review — within the statutory timeframes LGPD establishes. The DPO also serves as the company's point of contact with ANPD (Autoridade Nacional de Proteção de Dados) for any matters that require regulatory engagement.

Customer data is used only for the purposes for which it was collected. Personal data collected for KYC is used for KYC and AML purposes. Personal data collected for transaction processing is used for transaction processing and the related compliance and audit requirements. Personal data is not sold, not provided to third parties for marketing purposes, and not used for purposes beyond those described in the privacy policy.

DPO contact: dpo@ips.finance

How we protect data and operations.

IPS's security framework follows the practices appropriate to a regulated payments operator. Specific operational controls include encryption of data in transit and at rest using industry-standard cryptographic algorithms; segregation of duties across engineering, operations, and compliance functions; access controls based on the principle of least privilege; continuous monitoring of platform state and security events; and incident response procedures aligned with regulatory and contractual requirements. Specific operational details — network segmentation patterns, key management procedures, identity provider configurations, the particular security tooling used — are not exposed in public documentation. Exposing these details would assist bad actors. Partner banks, auditors, and regulators with legitimate need to know these details receive them under appropriate information-sharing arrangements.

Cardholder data handled to PCI DSS standards.

Where IPS's operations involve card data — including card-funded inbound flows from foreign customers — the handling complies with the Payment Card Industry Data Security Standard (PCI DSS). Card data functions are outsourced to PCI DSS-validated providers, and IPS does not store, process, or transmit cardholder data on its own systems. The specific PCI DSS classification is set out on the Attestations page. The attestation document itself is not publicly downloadable. The attestation can be provided to acquirers, card brands, and merchants under appropriate information-sharing arrangements.

Data encrypted in transit and at rest.

All data transmitted between IPS systems, between IPS and partner banks, and between IPS and customers is encrypted using industry-standard transport encryption. All data stored within IPS systems is encrypted at rest using industry-standard symmetric encryption. Cryptographic keys are managed through controls appropriate to the sensitivity of the underlying data and the regulatory framework that applies. Personal data and financial data are stored in separate logical systems with appropriate access controls. Cross-system data flows happen through audited APIs rather than through direct database access. The audit trail of data access supports the LGPD accountability principle and the broader audit requirements that apply to regulated financial operations.

Current attestations supporting our posture.

The current attestations and certifications IPS holds are listed on the Attestations page. The attestation list is updated as new certifications are earned or existing ones renewed.