Security & Compliance
Keshless implements comprehensive cybersecurity and data protection measures designed to meet the regulatory requirements of the Central Bank of Eswatini and international financial services standards.
Regulatory Framework
Our security architecture is built to comply with:
- POPIA (Protection of Personal Information Act) - South African data protection law applicable to cross-border transactions
- FATF Recommendations - International AML/CFT standards
- Eswatini Financial Services Act - Local regulatory requirements
- PCI DSS - Payment Card Industry Data Security Standard (principles applied)
Security Documentation
| Document | ID | Purpose |
|---|---|---|
| Information Security Policy | ISP-001 | Cybersecurity policy, access controls, cryptographic standards |
| Data Privacy Policy | DPP-001 | Data protection, PII handling, retention, subject rights |
| Incident Response Plan | IRP-001 | Security incident handling, emergency controls, escalation |
| Disaster Recovery Plan | BCP-DRP-001 | Business continuity, backup systems, recovery procedures |
| Access Control & Permissions | ACP-001 | Complete RBAC breakdown, auth mechanisms, permission matrices, data scoping |
Security Architecture Overview
```text
┌─────────────────────────────────────────────────────────────────┐
│                          CLIENT LAYER                           │
│   ┌──────────────┐    ┌──────────────┐    ┌──────────────┐      │
│   │   User App   │    │  Vendor App  │    │  Dashboard   │      │
│   │  (Flutter)   │    │  (Flutter)   │    │   (React)    │      │
│   └──────────────┘    └──────────────┘    └──────────────┘      │
└─────────────────────────────────────────────────────────────────┘
                                 │
                          TLS 1.3 (HTTPS)
                                 │
┌─────────────────────────────────────────────────────────────────┐
│                           API GATEWAY                           │
│   ┌──────────────────────────────────────────────────────────┐  │
│   │                        Cloud Run                         │  │
│   │  ┌──────────┐  ┌───────────┐  ┌──────────────────────┐   │  │
│   │  │   Rate   │  │   Auth    │  │  Emergency Control   │   │  │
│   │  │ Limiter  │  │ Middleware│  │      Middleware      │   │  │
│   │  └──────────┘  └───────────┘  └──────────────────────┘   │  │
│   └──────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────┘
                                 │
┌─────────────────────────────────────────────────────────────────┐
│                        APPLICATION LAYER                        │
│   ┌────────────┐  ┌────────────┐  ┌────────────┐  ┌──────────┐  │
│   │    Auth    │  │  KYC/AML   │  │Transaction │  │  Audit   │  │
│   │  Service   │  │  Service   │  │  Service   │  │ Service  │  │
│   │ (JWT+OTP)  │  │(Screening) │  │  (Ledger)  │  │(SHA-256) │  │
│   └────────────┘  └────────────┘  └────────────┘  └──────────┘  │
└─────────────────────────────────────────────────────────────────┘
                                 │
┌─────────────────────────────────────────────────────────────────┐
│                           DATA LAYER                            │
│  ┌────────────────────┐  ┌────────────────────────────────────┐ │
│  │     PostgreSQL     │  │         GCP Cloud Storage          │ │
│  │    (Cloud SQL)     │  │        (Document Storage)          │ │
│  │ - Encrypted        │  │ - KYC Images (signed URLs)         │ │
│  │ - Daily Backups    │  │ - Selfies                          │ │
│  │ - europe-west1     │  │ - Private buckets                  │ │
│  └────────────────────┘  └────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
```
Key Security Features
Authentication & Access Control
| Feature | Implementation |
|---|---|
| Password Hashing | bcrypt with 12 salt rounds |
| Access Tokens | JWT (7-day expiry) |
| Refresh Tokens | JWT (30-day expiry) |
| OTP Verification | 6-digit, 5-minute expiry, 3 attempts max |
| Role-Based Access | USER, ADMIN, SUPER_ADMIN |
| API Keys | SHA-256 hashed, IP whitelisting |
Cryptographic Controls
| Purpose | Algorithm | Key Size |
|---|---|---|
| Password Storage | bcrypt | 12 rounds |
| Secrets Backup | AES-256-GCM | 256-bit |
| Audit Log Integrity | SHA-256 | 256-bit |
| Data in Transit | TLS 1.3 | 256-bit |
AML/CFT Controls
- UN Sanctions Screening - Real-time screening against UN Security Council consolidated list
- PEP Database - Politically Exposed Persons matching
- Risk Scoring - 0-100 score with automatic rating (LOW to CRITICAL)
- Transaction Monitoring - Real-time suspicious activity detection
- Alert System - 4 severity levels (LOW, MEDIUM, HIGH, CRITICAL)
- SAR Workflow - DRAFT → SUBMITTED → APPROVED workflow for regulatory reporting
Emergency Controls (Kill Switches)
Eight emergency controls are available for rapid incident response:
| Control | Severity | Impact |
|---|---|---|
| SYSTEM_SHUTDOWN | Critical | All API requests blocked |
| DISABLE_ALL_TRANSACTIONS | Critical | No financial operations |
| READ_ONLY_MODE | High | No write operations |
| DISABLE_WITHDRAWALS | High | Fraud protection |
| DISABLE_P2P_TRANSFERS | Medium | Block user transfers |
| DISABLE_BILL_PAYMENTS | Medium | Block bill payments |
| DISABLE_TOPUPS | Medium | Block deposits |
| RATE_LIMIT_EXTREME | Medium | DDoS protection |
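An added example (not Keshless code) of how the Emergency Control Middleware from the architecture diagram could apply the request-blocking controls in the table above; the route prefixes (/withdrawals, /transfers, /bills, /topups), the 503 error shape and the injected getActiveControls lookup are assumptions.

```javascript
// Added example (not Keshless code): map the emergency controls in the table onto
// incoming requests. Route prefixes and the error shape are assumptions.
const FINANCIAL_PREFIXES = ['/withdrawals', '/transfers', '/bills', '/topups'];
const READ_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Match a route prefix exactly or as a parent segment (so '/withdrawalsx' is not one).
const hasPrefix = (path, prefixes) =>
  prefixes.some((p) => path === p || path.startsWith(p + '/'));

// Each control is a predicate over (method, path), ordered by severity so the
// most severe active control is the one reported back to the client.
const CONTROL_RULES = [
  ['SYSTEM_SHUTDOWN', () => true],
  ['DISABLE_ALL_TRANSACTIONS', (m, p) => hasPrefix(p, FINANCIAL_PREFIXES)],
  ['READ_ONLY_MODE', (m) => !READ_METHODS.has(m)],
  ['DISABLE_WITHDRAWALS', (m, p) => hasPrefix(p, ['/withdrawals'])],
  ['DISABLE_P2P_TRANSFERS', (m, p) => hasPrefix(p, ['/transfers'])],
  ['DISABLE_BILL_PAYMENTS', (m, p) => hasPrefix(p, ['/bills'])],
  ['DISABLE_TOPUPS', (m, p) => hasPrefix(p, ['/topups'])],
  // RATE_LIMIT_EXTREME tightens the rate limiter's thresholds rather than
  // refusing requests outright, so it is not a blocking rule here.
];

// Name of the active control that blocks this request, or null.
function blockingControl(activeControls, method, path) {
  const active = new Set(activeControls);
  for (const [name, blocks] of CONTROL_RULES) {
    if (active.has(name) && blocks(method.toUpperCase(), path)) return name;
  }
  return null;
}

// Express-style middleware. getActiveControls is an injected async lookup (assumed:
// database or short-lived cache) so switches flip at runtime without a deploy.
// Deny on lookup failure: a broken control store must never silently turn the
// kill switches off. Mount the admin endpoints that deactivate controls before
// this middleware, or SYSTEM_SHUTDOWN cannot be lifted through the API.
function emergencyControlMiddleware(getActiveControls) {
  return async (req, res, next) => {
    let active;
    try {
      active = await getActiveControls();
    } catch {
      return res.status(503).json({ error: 'EMERGENCY_CONTROL_UNAVAILABLE' });
    }
    const control = blockingControl(active, req.method, req.path);
    if (control) return res.status(503).json({ error: 'SERVICE_RESTRICTED', control });
    return next();
  };
}
```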
Backup & Recovery
| Backup Type | Schedule | Retention |
|---|---|---|
| PostgreSQL Daily | 2:00 AM UTC | 2 years |
| PostgreSQL Monthly | 1st of month | 5 years |
| Backup Cleanup | Mondays 5:00 AM | Weekly |
| Secrets Backup | Sundays 4:00 AM | 2 years |
Recovery Time Objectives:
- Critical systems: 2 hours
- Non-critical systems: 24 hours
Compliance Dashboard
For regulatory demonstrations, the admin dashboard includes a Compliance Demo page (/compliance-demo) that provides interactive demonstrations of:
- Incident Response - Emergency control activation/deactivation
- AML Screening - Sanctions and PEP checking
- Backup & Recovery - Backup status and verification
- Access Control - Authentication and authorization flows
- Data Privacy - Encryption and deletion workflows
Document Version Control
| Document | Version | Last Updated | Next Review |
|---|---|---|---|
| Information Security Policy | 1.0 | January 2026 | July 2026 |
| Data Privacy Policy | 1.0 | January 2026 | July 2026 |
| Incident Response Plan | 1.0 | January 2026 | July 2026 |
| Disaster Recovery Plan | 1.0 | January 2026 | July 2026 |
| Access Control & Permissions | 1.0 | March 2026 | September 2026 |
Contact
- Security Officer: compliance@keshless.app
- Incident Reporting: security@keshless.app
- Data Protection Inquiries: privacy@keshless.app