Security & reliability
Security that operators can trust.
Your customer data, payment events, and message history sit on infrastructure built for the financial-services standard.
01How your data is protected
Built to the financial-services standard.
POPIA-compliant, encrypted end to end, and hosted in South Africa — the same infrastructure our own dashboard runs on.
Supabase, Postgres, and Vercel in the South Africa region — your data stays in the country.
TLS 1.3 in transit; pgcrypto AES-GCM at rest for credentials and banking details.
Supabase Auth with role-based access — Operator and Main Admin, with per-section permissions.
Row-level security on all 40+ public tables, so a tenant only ever sees its own data.
HMAC-SHA256 signature verification with constant-time compare on every inbound event.
Every webhook write goes through an idempotency key — no double-charges, ever.
Every admin action and edge-function call is logged for a full, reviewable trail.
Hourly snapshots with 30-day retention, so nothing is ever a keystroke away from gone.
Compliance
POPIA-built. Not POPIA-patched.
You own your data and can export it any time. Data-deletion requests are handled with a mandatory cooling-off period and full audit retention.
Hosted in South Africa · encrypted at rest · you own your data, always