Publisher Onboarding Compliance

1. Compliance Certifications

   PCI DSS
Card payments make up a minority of the transactions processed for Codashop users, and Coda Payments processes fewer than the 6 million credit and debit card transactions per year that would place it at PCI DSS Level 1. Coda Payments therefore self-assesses its PCI DSS compliance using the SAQ A-EP questionnaire and self-attests to that compliance annually. Coda Payments does not hold an independent PCI DSS certification; card data is handled by the major card payment service providers (PSPs) it works with, which are themselves PCI DSS certified.
  Data Privacy regulations - GDPR, CCPA, PDPA, LGPD etc.
Coda Payments has the technical and organisational measures, policies and procedures required by the data privacy regulations that apply to it, including the EU GDPR, the Singapore PDPA and the US CCPA. These include procedures for handling data subject rights requests and for personal data breach notification.
  ISO 27001, SOC 2 Type II
Coda Payments is currently not certified with ISO 27001 or SOC 2.
  Monetary Authority of Singapore (MAS) Technology Risk Management (TRM)
Coda Payments, as a Singapore-based fintech company, is working towards compliance with the MAS Technology Risk Management (TRM) Guidelines.

2. General Compliance

   Compliance of Codashop's business model with Google's and Apple's third-party payment policies
Apple's App Store Review Guidelines (3.1.3(b), Multiplatform Services) state that an app operating across multiple platforms may let users access content they acquired outside the app, including consumable items in multi-platform games, provided those items are also available as in-app purchases within the iOS version. Publishers therefore only need to ensure that any content sold through Codashop is also available for purchase through Apple's in-app purchase system.

Google Play's payments policy likewise recognises that developers may offer alternative payment methods outside an app. Within an app distributed on Google Play, users may not be directed to alternative payment methods for in-app purchases of digital goods and services, but publishers are free to communicate alternative payment options to users outside the app.

These policies may become more permissive over time as more jurisdictions legislate to allow alternative in-app payment methods; South Korea, the Netherlands and the European Union have already done so.

In short, publishers that monetise through Codashop, and do not promote this option inside the versions of their apps distributed through the Apple App Store and Google Play, remain compliant with Apple's and Google's policies.

3. Data Privacy

   Personal Identifiable Information
Personal data points that Coda Payments collects from Codashop users in its capacity as an independent data controller.

1. Personal and contact details of the players, such as first name, last name, email address and phone number (depending on the product, service or use case);
2. Account details of the players, such as in-app/in-game ID and publisher affiliation;
3. Device data, such as IP address;
4. Correspondence data;
5. Order data, such as transaction ID;
6. Cookies and/or statistical/analytical data;
7. Documentation that helps us verify the accuracy of the information provided by our users, where it is required to fulfil certain obligations or provide certain services;
8. Social media links or public profiles of our users, if they submit them; and
9. User account passwords.

Personal data points that Coda Payments may share with publishers (depending on the terms of the Data Processing Agreement, the applicable data privacy regulations and the purpose or requirement):

1. Personal and contact details of the players, such as first name, last name, email address and phone number;
2. Account details of the players, such as in-app/in-game ID and publisher affiliation;
3. Device data, such as IP address;
4. Correspondence data;
5. Order data, such as transaction ID.

Personal data points that Coda Payments collects from publishers:

1. Professional and contact details of the publisher's authorised signatories and employees;
2. KYC and compliance information; and
  Coda Payments' role as a Data Controller
1. Coda Payments acts as an independent data controller in the data processing arrangement. Our template agreement therefore reflects a controller-to-controller arrangement, with an additional provision for controller-to-processor transfers (Coda Payments acting as processor) for the less common case where the publisher, as a data controller, transfers personal data to Coda Payments, so that the publisher's interests are safeguarded there as well.

2. This follows from the hybrid nature of Coda Payments' business model, in which Codapay is provided as a bundled service together with Codashop. Under a pure payment service provider model, Coda Payments would be a data processor.

3. Codashop is an independent e-commerce website / marketplace operated by Coda Payments through which Coda Payments provides content monetisation service to publishers. It has its own user base, these users visit Codashop to purchase content or top-up their in-game accounts with in-game currencies (digital goods) which are posted for sale on the Codashop website.

4. In doing so, these end users accept Coda Payments' terms and conditions and privacy policy and become Codashop customers in order to obtain the digital goods. In this user journey, user data is collected directly by Coda Payments for its own purposes, as set out in the privacy policy displayed on the Codashop website. The publishers of the game titles are not involved in this user journey from a data collection or transfer perspective.

5. As such, both the parties are independent controllers of the data they collect directly from the end users.
   Data Security
Coda Payments takes an insight-driven approach to its data security programme. A data dictionary/glossary records all types of sensitive data and cross-references the policies and procedures that apply to each data classification. It is used together with a data loss prevention (DLP) platform to detect and block leakage of sensitive data. The underlying controls are continuously assessed and updated so that they remain relevant and effective as threats, business practices and the wider landscape change.
  Encryption
Coda Payments implements encryption in line with industry best practice and regulatory/compliance requirements: AES-256 encryption (for example, database encryption) protects sensitive data at rest, and, where applicable, TLS 1.2 or above protects sensitive data in transit, using certificates signed by a reputable certificate authority with 2048-bit RSA keys.

4. Application Security

   Penetration Testing
Coda Payments performs both manual and automated penetration testing to identify vulnerabilities in its Internet-facing and internal applications. This includes API-specific testing that covers business logic and transaction flows.
  Static Code Analysis
Coda Payments performs static source code scanning at the development and at the deployment stage to identify any vulnerabilities at the code level.
  Secure Software Development Lifecycle
Coda Payments implements a secure software development lifecycle and provides secure coding training to all engineers to enhance secure coding practices.

5. Network Security

  Network Monitoring
Coda Payments' network is placed behind a zero trust network architecture, integrated with security services that continuously monitor, audit and analyse suspicious or malicious network traffic.
  Network Vulnerability Scanning
Coda Payments performs regular network vulnerability scanning to discover open ports, unused services and known vulnerabilities, reducing its exposure to network-based exploits and attacks.
  Denial of Service Mitigation
Coda Payments employs DDoS mitigation to absorb and block external DDoS attacks, using an edge network, resilient infrastructure and a variety of mitigation systems.

6. Security Operations

  Website Phishing and Social Media Impersonation
Coda Payments engages a dedicated security partner specialising in phishing websites and fake social media accounts to continuously detect these Internet threats and take enforcement action to have them removed.
  Malware Protection
Coda Payments implements a behaviour-based anti-malware system integrated with endpoint detection and response (EDR) capability to detect different types of malware attack and trigger its incident response procedures.
  Infrastructure Monitoring
Coda Payments implements infrastructure monitoring to detect infrastructure threats ranging from network intrusion, unauthorised access, data exfiltration and privilege escalation to other types of anomalous activity.

7. Access Control Management

  Multi-factor authentication
Coda Payments implements multi-factor authentication via different channels across various systems and platforms.
  Access Controls
Coda Payments defines role-based access controls (RBAC) that grant each role only the permissions corresponding to the responsibilities of its users.
  Auditing and Logging
Coda Payments logs all user access and user management activities for proper accountability, audit and investigation purposes.

8. Human Resource Security

  Security Awareness Training
Coda Payments conducts continuous security awareness training for all staff, built around real-life scenarios and case studies, so that staff respond securely to the security-related events they encounter in their day-to-day work.
  Data Privacy Training
Coda Payments conducts annual data privacy training for all staff, including contractors, consultants and interns, to prepare them to handle personal data in the day-to-day situations they may encounter in their work. In addition, focused training is provided to staff in functions that carry out significant data processing activities.
  Phishing Exercises
Coda Payments conducts regular internal email phishing exercises to raise awareness of the latest phishing attacks and techniques and to ensure that such emails are handled securely.