Overview

Security & compliance

Payments, vault, personal data — the bank-grade level required.

Security is not a layer added at the end. For us, it is built into the architecture itself: the single entry through the gateway, the sealing of roles, the immutability of the log are not options — they are properties of the system.

Defence in depth

An attacker who gets past one barrier finds another behind it. Each level is independent of the others.

LevelMeasureWhat it stops
TransportTLS 1.3, hardened headers (HSTS, CSP)Interception, content injection
AccessTwo-factor authentication (2FA) on extended rolesPassword theft
Authorization7 sealed roles, admin-configurable permissionsPrivilege escalation, cross-project leaks
ApplicationStrict input validation, parameterised queriesSQL injection, XSS
DataEncryption at rest, isolated secretsStolen backup or disk
TraceabilityImmutable audit log of sensitive actionsDispute, trace erasure

The digital vault

This is the room where you keep land titles, contracts and plans. Its spec is that of a vault, not a shared folder:

  • AES-256 encryption per file — a distinct key for each document
  • Certified timestamping of every deposit: a document's entry date is provable
  • Double-confirmation deletion, logged — nothing disappears silently
  • PIN / biometric access on mobile, independent of the app session

Continuity: surviving the incident

  • Encrypted daily backups, 90-day retention, replication across 3 geographic locations
  • Recovery point (RPO) and recovery time (RTO) defined with you and contractualised
  • A restore drill actually run before go-live — with a report to prove it. A backup you have never restored is not a backup; it is a hope.

What we prove before launch

Requirements from your specification — chapters 8 and 9.
  • Penetration tests (OWASP) run before go-live — report delivered, fixes verified
  • Load tests at 2,000+ concurrent users — report delivered, breaking point identified and documented
  • GDPR compliance (your European diaspora clients) and Senegalese law n° 2008-12 on personal data protection
  • Privacy policy and terms of use built into the sign-up journey
ERK+× Vortex-Soft

Vortex-Soft's technical proposal for ERK+, ERK Group's construction project management platform — Dakar, Senegal.

Vortex-Soft
Vortex-Soft
© 2026 Vortex-Soft — DakarConfidential document prepared for ERK Group.