GetsMotives Ltd · Last updated 17 May 2026
Security Policy
This Security Policy describes the technical and organisational measures GetsMotives Ltd uses to protect GetsMotives, KorePOS, and customer data. It supports our Privacy Policy and Data Processing Agreement.
1. Security principles
We design for confidentiality, integrity, and availability, aligned with industry practice for SaaS, POS, and fintech integrations.
2. Organisational measures
- Security awareness training for staff with access to production systems
- Role-based access control and least-privilege principles
- Background checks for roles with elevated access where appropriate
- Incident response procedures with defined roles and escalation paths
- Vendor risk review for material sub-processors
- Secure development lifecycle including code review and dependency monitoring
3. Technical measures
| Area | Controls (summary) |
|---|---|
| Encryption | TLS 1.2+ for data in transit; encryption at rest for databases and backups |
| Authentication | Strong passwords, MFA encouraged for admin accounts, session timeouts |
| Network | Segmentation, firewalls, DDoS mitigation via infrastructure providers |
| Application | Input validation, OWASP-aligned practices, regular patching |
| Logging | Centralised logs, tamper-resistant storage, retention per policy |
| Backups | Regular encrypted backups, tested restore procedures |
| Endpoints | Managed devices for employees accessing production |
4. Payment security
We support payment flows designed to reduce PCI scope (hosted fields, tokenisation, Tap to Pay SDKs). Merchants remain responsible for the compliance of their own environment where card data could be exposed.
We do not store full card numbers or CVV on our core Platform databases.
5. Physical security
Production infrastructure is hosted in certified data centres with physical access controls. Office access is restricted.
6. Incident management
Suspected security incidents should be reported immediately to support@korepos.co.uk with the subject line "Security Incident".
We will:
- Investigate and contain confirmed incidents
- Notify affected Merchants without undue delay where personal data is compromised, per UK GDPR
- Cooperate with regulators and payment partners as required
7. Vulnerability disclosure
We welcome responsible disclosure reports to support@korepos.co.uk. Please do not test against production without written authorisation. We aim to acknowledge reports within 5 business days.
8. Business continuity
We maintain disaster recovery capabilities targeting restoration of critical Services. RPO/RTO targets are internal and may be shared with enterprise customers under NDA.
9. Your responsibilities
Merchants must:
- Use strong passwords and MFA on admin accounts
- Remove access for departed staff promptly
- Secure physical Devices (Hardware Agreement)
- Report lost Devices or suspected account compromise immediately
10. Updates
We continuously improve controls; this policy may be updated periodically.
11. Contact
support@korepos.co.uk
GetsMotives Ltd · Flat 42 Regents Court, Stonegrove, Edgware, HA8 8AD, United Kingdom · Company no. 16846219 · Not VAT registered in the United Kingdom
Legal: support@korepos.co.uk · Privacy: support@korepos.co.uk