Data protection
- TLS 1.2+ for every connection. HSTS on all customer-facing surfaces.
- AES-256 encryption at rest for the primary database and object storage.
- Customer data isolated per organization via row-level security policies.
- PII fields (names, national IDs, account numbers) hashed or tokenized where the use case allows.
Access control
- SSO via Google and SAML for the dashboard; role-based access (admin, analyst, viewer).
- OAuth2 client-credentials for the API. Tokens scoped per environment (live vs test) and per permission.
- JWTs signed with RS256 and rotating keys; JWKS published at /.well-known/jwks.json.
- Production access requires hardware-key 2FA and is fully audited.
Audit & observability
- Immutable audit log for every alert decision, case action, and SAR submission.
- Per-organization audit export, on demand, in CSV and JSON.
- Webhook deliveries logged and replayable for 30 days.
Compliance posture
- FATF-aligned; goAML-compatible filings.
- NDPR (Nigeria), DPA 2019 (Kenya), POPIA (South Africa) compliant.
- SOC 2 Type II — in progress, targeted 2026.
- ISO 27001 — planned 2027.
Responsible disclosure
If you believe you've found a vulnerability, email security@dev54.dev. We respond within 48 hours and do not pursue good-faith researchers. PGP key available on request.