Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

Technical Measures

• Encryption in transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
• Password security: Passwords are never stored in plain text. They are cryptographically hashed using Keycloak's built-in hashing algorithms.
• Card number masking: Full card numbers (PANs) for virtual cards are never displayed. Only the last 4 digits are shown to you. Paystack-linked card details are similarly masked.
• Secure data storage: Sensitive data is stored securely with restricted access controls.
• JWT authentication: We use stateless, token-based authentication (JSON Web Tokens), which reduces the risk of session hijacking.
• Rate limiting: All API endpoints are rate-limited to prevent brute-force attacks and abuse.
• Regular monitoring: We conduct ongoing security monitoring to detect and respond to potential threats.

Organisational Measures

• Access to personal data is restricted to authorised personnel on a need-to-know basis.
• Third-party processors are contractually required to maintain equivalent security standards.
• We regularly review and update our security practices.

Encryption at Rest

Personal data stored in our databases is encrypted at rest using industry-standard encryption.

Breach Notification

In the event of a personal data breach, we will notify the Nigeria Data Protection Commission within 72 hours and notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms.

While we take extensive measures to protect your data, no method of electronic transmission or storage is 100% secure. If you become aware of any security breach or unauthorised use of your account, please contact us immediately at hello@subsecute.com.