Infrastructure Security
Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- Sensitive data at rest (passwords, bank account numbers, identity documents, payroll data) is encrypted using AES-256 encryption
- Database backups are encrypted
Hosting
- Kashia is hosted on enterprise-grade cloud infrastructure with SOC 2 compliance
- Servers are located in secure data centers with physical access controls, surveillance, and redundant power
- We use isolated environments for production, staging, and development
Network security
- Firewalls and intrusion detection systems monitor all traffic
- DDoS protection is active on all public-facing services
- Regular vulnerability scanning and penetration testing
Application Security
Authentication
- Passwords are hashed using bcrypt with appropriate salt rounds, we never store plaintext passwords
- Two-factor authentication (2FA) is available for all accounts
- Session tokens expire after inactivity and are invalidated on logout
- Role-based access control (RBAC) ensures users only access data they're authorized to see
Access control
- Multi-tenant architecture with strict company-level data isolation, one company's data is never accessible to another
- Employee data is scoped to the employee's company
- API endpoints enforce authentication and authorization on every request
- Administrative access to production systems is restricted and logged
Code security
- All code changes go through peer review before deployment
- Automated security testing is part of our development pipeline
- Dependencies are monitored for known vulnerabilities
Financial Security (Kashia Vault & Payroll)
Escrow funds
- Kashia does not directly hold or custody customer funds. All escrow funds are processed and held by a CBN-licensed payment provider.
- Funds are held by our licensed payment provider in designated accounts, separate from Kashia's operating accounts, in accordance with CBN regulations
- Kashia manages transaction conditions (milestones, approvals, disputes) and instructs our payment provider to release funds only when conditions are met
- Release of funds requires explicit milestone approval within the Kashia platform or a dispute resolution outcome
- All fund movements are logged with full audit trails on both Kashia and our payment provider systems
Payroll disbursement
- Payroll transactions are processed through regulated payment partners
- Disbursement requires explicit approval within the platform before funds move
- All payroll transactions are logged and auditable
- Failed transactions are flagged and retried with notification to administrators
Data Protection
Employee and personal data
- Personal information is collected only as needed to provide our services
- Data access follows the principle of least privilege, team members only access what they need
- Data retention follows legal requirements and our published retention policy
- Data deletion requests are processed within 30 days (subject to legal retention obligations)
Identity documents
- ID documents submitted for verification are processed securely and stored encrypted
- Access to identity documents is restricted to authorized verification personnel
- Documents are retained only as long as necessary for compliance purposes
Incident Response
- We maintain an incident response plan for security events
- Security incidents are investigated immediately upon detection
- Affected users are notified promptly in the event of a data breach, in accordance with applicable laws
- Post-incident reviews are conducted to prevent recurrence
Compliance
Kashia is committed to compliance with:
- Nigeria Data Protection Regulation (NDPR)
- Nigeria Data Protection Act (NDPA)
- Applicable financial regulations governing digital transaction coordination and payment facilitation
- Central Bank of Nigeria (CBN) guidelines as they apply to platforms operating through licensed payment providers
- Nigerian labor law requirements for employee data handling
- International best practices for data security and privacy
Note on financial licensing
Kashia does not directly hold, custody, or manage customer funds and therefore does not require a CBN Payment Service Provider (PSP) license for fund custody. All fund processing, holding, and disbursement is handled by our payment provider, which is licensed and regulated by the Central Bank of Nigeria. Kashia operates as a transaction coordination platform that manages deal terms, conditions, and milestone approvals.
Responsible Disclosure
If you discover a security vulnerability in Kashia, we encourage you to report it responsibly. Please email security@kashia.com with details of the vulnerability. We will:
- Acknowledge your report within 48 hours
- Investigate and address the issue promptly
- Keep you informed of our progress
- Not take legal action against good-faith security researchers
Please do not access or modify other users' data, disrupt our services, or publicly disclose vulnerabilities before we've had a chance to address them.
Security Questions
For questions about Kashia's security practices:
Email: security@kashia.com
Report a vulnerability
If you discover a security issue, please report it responsibly. We acknowledge reports within 48 hours.