Overview
Security & compliance
Payments, vault, personal data — the bank-grade level required.
Security is not a layer added at the end. For us, it is built into the architecture itself: the single entry through the gateway, the sealing of roles, the immutability of the log are not options — they are properties of the system.
Defence in depth
An attacker who gets past one barrier finds another behind it. Each level is independent of the others.
| Level | Measure | What it stops |
|---|---|---|
| Transport | TLS 1.3, hardened headers (HSTS, CSP) | Interception, content injection |
| Access | Two-factor authentication (2FA) on extended roles | Password theft |
| Authorization | 7 sealed roles, admin-configurable permissions | Privilege escalation, cross-project leaks |
| Application | Strict input validation, parameterised queries | SQL injection, XSS |
| Data | Encryption at rest, isolated secrets | Stolen backup or disk |
| Traceability | Immutable audit log of sensitive actions | Dispute, trace erasure |
The digital vault
This is the room where you keep land titles, contracts and plans. Its spec is that of a vault, not a shared folder:
- AES-256 encryption per file — a distinct key for each document
- Certified timestamping of every deposit: a document's entry date is provable
- Double-confirmation deletion, logged — nothing disappears silently
- PIN / biometric access on mobile, independent of the app session
Continuity: surviving the incident
- Encrypted daily backups, 90-day retention, replication across 3 geographic locations
- Recovery point (RPO) and recovery time (RTO) defined with you and contractualised
- A restore drill actually run before go-live — with a report to prove it. A backup you have never restored is not a backup; it is a hope.
What we prove before launch
Requirements from your specification — chapters 8 and 9.
- Penetration tests (OWASP) run before go-live — report delivered, fixes verified
- Load tests at 2,000+ concurrent users — report delivered, breaking point identified and documented
- GDPR compliance (your European diaspora clients) and Senegalese law n° 2008-12 on personal data protection
- Privacy policy and terms of use built into the sign-up journey

