R2’s Stance on Security & Privacy

Last update: August 22nd, 2024

R2 offers a secure embedded lending platform that meticulously addresses all pertinent legal, industry, and regulatory considerations.

At R2, we're hosted in the highly secure cloud environment of Amazon Web Services. Knowing that privacy and trust are paramount in our fintech business, we've taken extra steps to safeguard our customers' data. Our commitment to security is reflected in our information security system, which is aligned with the industry gold standard, ISO 27001, offering an additional layer of protection. Your data's safety is our top priority.

1 - Certifications

ISO 27001:2022

R2 proudly holds the ISO 27001:2022 certification, highlighting our commitment to exceptional security governance and a robust Information Security Management System (ISMS). By adhering to the rigorous standards of ISO 27001, we assure our customers that we maintain the highest level of information security, earning their utmost confidence and trust.

For more information or to request a copy of our ISO 27001:2022 certificate, please contact us at privacidad@r2.co.

2 - Data Protection & Storage

Data Storage & Segregation

Customer data is securely separated and encrypted within the R2 AWS environment.

Data Encryption

APIs support TLS. Customer data stored within our systems is encrypted utilizing Amazon's encryption services with AES-256 encryption keys.

3 - Data Management & User Access Control

Data Governance

At R2, we prioritize the security and classification of data and information systems. To ensure appropriate protection, we classify information based on legal requirements, sensitivity, and business criticality. Data processors play a crucial role in identifying specific requirements or exceptions, and our information systems and applications are classified according to the highest level of data they store or process.

Data Classification

We meticulously label data based on confidentiality levels. Confidential data, such as Personally Identifiable Information (PII) and strategic plans, is highly sensitive and strictly restricted. Restricted data, including internal policies and legal documents, requires thorough protection, while Public data can be freely distributed outside R2.

Data Handling

We implement specific handling requirements for each data classification. Confidential data demands rigorous protection, including encryption, restricted access, and secure disposal. Restricted data requires limited access based on business needs, and Public data can be freely distributed without special controls.

Data Retention and Disposal

R2 retains data as long as needed, complying with regulatory and contractual requirements. Data processors, with legal counsel consultation, determine retention periods. Confidential and Restricted data are securely disposed of in compliance with regulations. Compliance with data policies is ensured through various methods, including audits.

Data Policy Compliance and Security Measures

We measure and verify policy compliance through reports, internal/external audits, and various methods. Security measures, including password management, access control, encryption, incident response, and comprehensive protocols, are implemented. Regular training, audits, vulnerability management, business continuity, and supply chain security contribute to a robust security framework. Continuous improvement, risk management, and incident reporting ensure a proactive and resilient security posture at R2.

4 - Compliance

At R2, we prioritize compliance through meticulous Know Your Customer (KYC) and Enhanced Due Diligence (EDD) processes.

KYC (Know Your Customer)

Our KYC process is designed to meet Anti-Money Laundering (AML) regulations and address regulatory risks comprehensively. We focus on gaining a clear understanding of the client's identity and purpose, ensuring adherence to country-specific regulatory standards. Our approach emphasizes efficiency and client satisfaction, aiming to collect only necessary documentation to minimize client burden and streamline the process. This commitment underscores our dedication to providing a seamless and client-friendly experience.

Enhanced Due Diligence

In cases where deemed necessary, especially based on financing amounts, we conduct Enhanced Due Diligence (EDD). Going beyond KYC, this process involves a more thorough analysis to mitigate legal and fraud risks. As part of EDD, we proactively check for matches on negative news or restricted lists, further enhancing our commitment to a robust and secure financial environment.

5 - Privacy

Data Ownership

R2 customers are the owners of the personal data that is sent through the R2 platform for processing. R2 obtains consent from customers through acceptance of its privacy policy, which allows R2 to process personal data in accordance with the purposes established in that policy. Likewise, the policy establishes the rights that each owner of personal data has under the applicable regulations (access, modification, deletion, among others).

Personally Identifiable Information/Personal Data

At R2, the security and privacy of our customers' personal data are paramount. We implement various measures to safeguard Personally Identifiable Information (PII), including encryption in transit and at rest, utilizing AWS key management services to enhance security.

It is crucial to note that all PII data is classified as such and undergoes distinct access treatment compared to any other data within the company. Additionally, we conduct periodic access audits, implementing all controls over PII as outlined by the ISO 27001 standard. This ensures a comprehensive and robust approach to protecting sensitive information and upholding the highest standards of data security.

6 - Contact

For inquiries regarding security and compliance, please contact security@r2.co. For privacy-related questions, please contact privacidad@r2.co.