Security & Compliance

Overview

Security is a foundational pillar of the Kredete platform. This document outlines the security architecture, encryption standards, compliance certifications, and security operational procedures.


Security Certifications & Compliance

Current Certifications

| Certification | Status | Last Audit | Next Audit |
| --- | --- | --- | --- |
| PCI DSS Level 1 | ✅ Active | January 2026 | January 2027 |
| SOC 2 Type II | ✅ Active | March 2026 | March 2027 |
| ISO 27001:2022 | ✅ Active | February 2026 | February 2027 |
| ISO 27701 | ✅ Active | February 2026 | February 2027 |

Regulatory Compliance

| Regulation | Jurisdiction | Status |
| --- | --- | --- |
| NDPR | Nigeria | ✅ Compliant |
| GDPR | EU/EEA | ✅ Compliant |
| POPIA | South Africa | ✅ Compliant |
| CBN Guidelines | Nigeria | ✅ Compliant |

Encryption Standards

Encryption at Rest

| Data Type | Algorithm | Key Length | Key Management |
| --- | --- | --- | --- |
| Database (RDS) | AES-256-GCM | 256-bit | AWS KMS |
| Object Storage (S3) | AES-256 | 256-bit | AWS KMS + SSE-S3 |
| Application Data | AES-256-GCM | 256-bit | Vault Transit |
| Secrets | AES-256-GCM | 256-bit | HashiCorp Vault |

Encryption in Transit

| Connection Type | Protocol | Minimum Version |
| --- | --- | --- |
| External API | TLS | 1.3 |
| Internal Services | mTLS | 1.3 |
| Database | TLS | 1.2 |
| Message Queue | TLS | 1.2 |

Field-Level Encryption

Sensitive fields are encrypted at the application level before database storage:

Encrypted Fields:
├── Customer PII
│   ├── national_id_number (AES-256-GCM)
│   ├── bank_account_number (AES-256-GCM)
│   ├── date_of_birth (AES-256-GCM)
│   └── employment_income (AES-256-GCM)
├── Payment Data
│   ├── card_number (Tokenized)
│   ├── cvv (Never stored)
│   └── card_expiry (Tokenized)
└── Authentication
    ├── password (Argon2id hash)
    └── mfa_secret (AES-256-GCM)
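As an added illustration (not Kredete's own code), the following Go snippet shows how the AES-256-GCM field encryption listed above can be implemented with the standard library alone. It binds the record ID and column name as associated data, so a ciphertext lifted from one row or column fails authentication when read back from another. The FieldCipher type and its method names are assumptions; the caller supplies the 32-byte key, standing in for a key served by Vault Transit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// FieldCipher seals individual column values with AES-256-GCM before storage.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher rejects any key that is not 256-bit: aes.NewCipher would
// otherwise silently accept a 16-byte key and produce AES-128.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key)  // cannot fail: key length validated above
	aead, _ := cipher.NewGCM(block) // cannot fail: AES uses GCM's 16-byte block size
	return &FieldCipher{aead: aead}, nil
}

// Encrypt seals one value. Record ID and column name are bound as associated
// data (AAD), so a ciphertext copied into another row or column fails to
// authenticate on read. Stored form: base64(nonce || ciphertext || tag).
func (c *FieldCipher) Encrypt(recordID, column, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize()) // fresh random 96-bit nonce per write
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID+":"+column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt; a wrong key, tampered bytes, or a value moved to a
// different record/column all fail the GCM tag check and return an error.
func (c *FieldCipher) Decrypt(recordID, column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < c.aead.NonceSize() {
		return "", errors.New("malformed stored value")
	}
	nonce, body := raw[:c.aead.NonceSize()], raw[c.aead.NonceSize():]
	plain, err := c.aead.Open(nil, nonce, body, []byte(recordID+":"+column))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}
```

Tokenized card fields and the Argon2id password hash in the tree above are separate mechanisms and are not covered by this snippet.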

PCI DSS Compliance

PCI DSS Requirements Implementation

| Requirement | Implementation |
| --- | --- |
| Req 1: Network Security | VPC, Security Groups, NACLs, WAF |
| Req 2: Secure Configurations | CIS Benchmarks, hardened images |
| Req 3: Protect Stored Data | AES-256 encryption, tokenization |
| Req 4: Encrypt Transmission | TLS 1.3, mTLS |
| Req 5: Anti-malware | CrowdStrike Falcon |
| Req 6: Secure Development | SAST/DAST, code review |
| Req 7: Access Control | RBAC, least privilege |
| Req 8: Authentication | MFA, strong passwords |
| Req 9: Physical Security | AWS data centers (SOC 2) |
| Req 10: Logging & Monitoring | Centralized logging, SIEM |
| Req 11: Security Testing | ASV scans, pen testing |
| Req 12: Security Policy | Documented policies |

Authentication & Authorization

Authentication Methods

| User Type | Primary Auth | Secondary Auth | Session Duration |
| --- | --- | --- | --- |
| Customer (Mobile) | PIN/Password | Biometric/OTP | 30 days |
| Customer (Web) | Password | OTP | 24 hours |
| Internal Staff | SSO (Okta) | TOTP/Hardware Key | 8 hours |
| API Partners | OAuth 2.0 | N/A | 1 hour (token) |
| Admin/DevOps | SSO + PAM | Hardware Key | 4 hours |

Password Requirements

| Requirement | Value |
| --- | --- |
| Minimum Length | 12 characters |
| Complexity | Upper, lower, number, special |
| History | Last 12 passwords |
| Maximum Age | 90 days |
| Lockout Threshold | 5 failed attempts |
| Lockout Duration | 30 minutes |

Security Monitoring

Security Alert Categories

| Severity | Examples | Response Time | Escalation |
| --- | --- | --- | --- |
| P1 - Critical | Active breach, data exfiltration | 15 minutes | CISO, CEO |
| P2 - High | Vulnerability exploitation attempt | 1 hour | Security Lead |
| P3 - Medium | Policy violation, suspicious activity | 4 hours | Security Team |
| P4 - Low | Informational, failed login attempts | 24 hours | Analyst review |

Vulnerability SLAs

| Severity | Detection to Patch |
| --- | --- |
| Critical (CVSS 9.0-10.0) | 24 hours |
| High (CVSS 7.0-8.9) | 7 days |
| Medium (CVSS 4.0-6.9) | 30 days |
| Low (CVSS 0.1-3.9) | 90 days |

Security Contacts

| Role | Contact | Availability |
| --- | --- | --- |
| CISO | ciso@kredete.com | Business hours |
| Security Operations | secops@kredete.com | 24/7 |
| Security Incident | security-incident@kredete.com | 24/7 |
| Bug Bounty | security@kredete.com | Business hours |
| DPO | dpo@kredete.com | Business hours |