Security

Security

Last updated: June 2026

Kashia handles sensitive data, employee records, salary information, bank details, identity documents, and transaction coordination for escrow services. Security is not a feature we added. It is foundational to how we build and operate the platform. For escrow transactions, all funds are processed and held by a CBN-licensed payment provider, Kashia does not directly custody customer funds.

Infrastructure Security

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • Sensitive data at rest (passwords, bank account numbers, identity documents, payroll data) is encrypted using AES-256 encryption
  • Database backups are encrypted

Hosting

  • Kashia is hosted on enterprise-grade cloud infrastructure with SOC 2 compliance
  • Servers are located in secure data centers with physical access controls, surveillance, and redundant power
  • We use isolated environments for production, staging, and development

Network security

  • Firewalls and intrusion detection systems monitor all traffic
  • DDoS protection is active on all public-facing services
  • Regular vulnerability scanning and penetration testing

Application Security

Authentication

  • Passwords are hashed using bcrypt with appropriate salt rounds, we never store plaintext passwords
  • Two-factor authentication (2FA) is available for all accounts
  • Session tokens expire after inactivity and are invalidated on logout
  • Role-based access control (RBAC) ensures users only access data they're authorized to see

Access control

  • Multi-tenant architecture with strict company-level data isolation, one company's data is never accessible to another
  • Employee data is scoped to the employee's company
  • API endpoints enforce authentication and authorization on every request
  • Administrative access to production systems is restricted and logged

Code security

  • All code changes go through peer review before deployment
  • Automated security testing is part of our development pipeline
  • Dependencies are monitored for known vulnerabilities

Financial Security (Kashia Vault & Payroll)

Escrow funds

  • Kashia does not directly hold or custody customer funds. All escrow funds are processed and held by a CBN-licensed payment provider.
  • Funds are held by our licensed payment provider in designated accounts, separate from Kashia's operating accounts, in accordance with CBN regulations
  • Kashia manages transaction conditions (milestones, approvals, disputes) and instructs our payment provider to release funds only when conditions are met
  • Release of funds requires explicit milestone approval within the Kashia platform or a dispute resolution outcome
  • All fund movements are logged with full audit trails on both Kashia and our payment provider systems

Payroll disbursement

  • Payroll transactions are processed through regulated payment partners
  • Disbursement requires explicit approval within the platform before funds move
  • All payroll transactions are logged and auditable
  • Failed transactions are flagged and retried with notification to administrators

Data Protection

Employee and personal data

  • Personal information is collected only as needed to provide our services
  • Data access follows the principle of least privilege, team members only access what they need
  • Data retention follows legal requirements and our published retention policy
  • Data deletion requests are processed within 30 days (subject to legal retention obligations)

Identity documents

  • ID documents submitted for verification are processed securely and stored encrypted
  • Access to identity documents is restricted to authorized verification personnel
  • Documents are retained only as long as necessary for compliance purposes

Incident Response

  • We maintain an incident response plan for security events
  • Security incidents are investigated immediately upon detection
  • Affected users are notified promptly in the event of a data breach, in accordance with applicable laws
  • Post-incident reviews are conducted to prevent recurrence

Compliance

Kashia is committed to compliance with:

  • Nigeria Data Protection Regulation (NDPR)
  • Nigeria Data Protection Act (NDPA)
  • Applicable financial regulations governing digital transaction coordination and payment facilitation
  • Central Bank of Nigeria (CBN) guidelines as they apply to platforms operating through licensed payment providers
  • Nigerian labor law requirements for employee data handling
  • International best practices for data security and privacy

Note on financial licensing

Kashia does not directly hold, custody, or manage customer funds and therefore does not require a CBN Payment Service Provider (PSP) license for fund custody. All fund processing, holding, and disbursement is handled by our payment provider, which is licensed and regulated by the Central Bank of Nigeria. Kashia operates as a transaction coordination platform that manages deal terms, conditions, and milestone approvals.

Responsible Disclosure

If you discover a security vulnerability in Kashia, we encourage you to report it responsibly. Please email security@kashia.com with details of the vulnerability. We will:

  • Acknowledge your report within 48 hours
  • Investigate and address the issue promptly
  • Keep you informed of our progress
  • Not take legal action against good-faith security researchers

Please do not access or modify other users' data, disrupt our services, or publicly disclose vulnerabilities before we've had a chance to address them.

Security Questions

For questions about Kashia's security practices:

Email: security@kashia.com

Report a vulnerability

If you discover a security issue, please report it responsibly. We acknowledge reports within 48 hours.