Rwanda Digital Exchange

Security Practices

Last updated: June 2026

The security of your funds and data is our highest priority. Here's how we protect your account and assets.

Data Encryption

All data transmitted between your device and our servers is encrypted using TLS/HTTPS (256-bit encryption). Your password is hashed using bcrypt with a unique salt — we never store plain-text passwords. Sensitive credentials like 2FA secrets are encrypted at rest in our database.

Two-Factor Authentication (2FA)

We strongly recommend enabling 2FA on your account. This adds a second layer of security: even if someone obtains your password, they cannot access your account without the 6-digit code from your authenticator app (Google Authenticator, Authy).

Ledger Security

We use a double-entry accounting ledger with row-level database locking. Every balance change is recorded as an immutable entry with an idempotency key — preventing duplicate credits, race conditions, and balance manipulation. Our system has been tested with 15/15 precision tests passing.

Webhook Verification

All payment callbacks from OxaPay (crypto) and PawaPay (mobile money) are cryptographically verified using HMAC-SHA512 signatures before processing. Invalid or tampered callbacks are rejected and logged.
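
The verify-then-process order described above, sketched in PHP as an added example (not the exchange's own code, and not either provider's documented API). It assumes the signature arrives as a hex HMAC-SHA512 of the raw request body; the secret, the `idempotency_key` field name and the sample callback are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: constructed sample secret; a real one comes from a secrets store.
const WEBHOOK_SECRET = 'constructed-sample-secret';

/** Returns true only if $signatureHex is a valid HMAC-SHA512 of $rawBody. */
function verifyWebhook(string $rawBody, ?string $signatureHex, string $secret): bool
{
    // Reject missing or malformed signatures (SHA-512 is 128 hex characters).
    if ($signatureHex === null || !preg_match('/\A[0-9a-fA-F]{128}\z/', $signatureHex)) {
        return false;
    }
    // The MAC covers the exact bytes received, not a re-encoded copy of the JSON.
    $expected = hash_hmac('sha512', $rawBody, $secret);
    // hash_equals compares in constant time, so response timing leaks nothing.
    return hash_equals($expected, strtolower($signatureHex));
}

/** Handles one callback; $seen stands in for a unique-keyed ledger table. */
function handleCallback(string $rawBody, ?string $sig, array &$seen): string
{
    if (!verifyWebhook($rawBody, $sig, WEBHOOK_SECRET)) {
        error_log('webhook rejected: missing or invalid signature');
        return 'rejected';
    }
    // Parse only after the bytes have been authenticated.
    $event = json_decode($rawBody, true, 16);
    $key = is_array($event) ? ($event['idempotency_key'] ?? null) : null;
    if (!is_string($key) || $key === '') {
        return 'rejected';
    }
    if (isset($seen[$key])) {
        return 'duplicate'; // a replayed, validly signed callback credits nothing
    }
    $seen[$key] = true;
    return 'credited';
}

// Constructed sample callback: first delivery, a replay, then a tampered body.
$body = '{"idempotency_key":"evt-001","amount":"10.000000000000000000"}';
$sig  = hash_hmac('sha512', $body, WEBHOOK_SECRET);
$seen = [];
echo handleCallback($body, $sig, $seen), "\n";
echo handleCallback($body, $sig, $seen), "\n";
echo handleCallback(str_replace('10.', '99.', $body), $sig, $seen), "\n";
```

A valid signature only proves the sender knew the secret, so the replay check is still needed: the same signed callback delivered twice must not credit twice.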

Exact-Decimal Math

We use BCMath arbitrary-precision arithmetic (scale 18) for all financial calculations — no floating-point numbers. This eliminates rounding errors that could cause balance discrepancies.

Audit Logging

Every administrative action (balance adjustments, user status changes, manual credits) is recorded in an immutable audit log with the admin's identity, IP address, timestamp, and reason.

What You Can Do

Enable 2FA in Settings. Use a strong, unique password. Never share your login credentials or 2FA codes. Verify wallet addresses carefully before withdrawing. Monitor your transaction history regularly. Report suspicious activity to support immediately.

© 2026 Rwanda Digital Exchange