Security at Rifraux

Protecting your financial data with top line security measures

ISO Certified · PCI DSS Compliant · SOC 2 Type II
🔒 End-to-End Encryption

TLS 1.3 for data in transit, AES-256 for data at rest

🛡️ Multi-Factor Authentication

MFA required for all administrative access

🔍 24/7 Monitoring

Real-time threat detection and automated response

Compliance

PCI DSS, ISO 27001, SOC 2 Type II certified

🔐 Zero Trust Architecture

Verify every access request regardless of location

📊 Regular Audits

Quarterly penetration testing and security reviews

Security Overview

At Rifraux, security is not an afterthought – it's built into every layer of our fraud detection platform. We understand that our clients trust us with sensitive financial data, and we take that responsibility seriously.

Our comprehensive security program encompasses physical security, network security, application security, and operational security. We employ defense-in-depth strategies to ensure that even if one layer is compromised, multiple additional layers of protection remain in place.

Our Security Commitment

We are committed to maintaining the highest standards of security and continuously improving our security posture to address emerging threats in the African fintech landscape.

Infrastructure Security

Cloud Infrastructure

Rifraux operates on enterprise-grade cloud infrastructure with multiple security layers:

  • AWS/Azure Security: Leveraging cloud provider security best practices and services
  • Virtual Private Cloud (VPC): Isolated network environments with strict access controls
  • Private Subnets: Database and application servers in non-internet-accessible subnets
  • Web Application Firewall (WAF): Protection against common web exploits and DDoS attacks
  • Load Balancers: Automatic traffic distribution with SSL/TLS termination

Network Security

Firewall Rules

Strict inbound/outbound traffic rules with least-privilege access

Network Segmentation

Isolated environments for production, staging, and development

DDoS Protection

Automated mitigation of distributed denial-of-service attacks

Intrusion Detection

Real-time monitoring for suspicious network activity

Physical Security

Our infrastructure is hosted in Tier III+ data centers with 24/7 security personnel, biometric access controls, video surveillance, and environmental controls to protect against physical threats.

Data Encryption

Encryption in Transit

TLS 1.3 Encryption

All data transmitted between your systems and Rifraux is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol.

  • Perfect Forward Secrecy (PFS) to protect past sessions
  • Strong cipher suites (AES-256-GCM, ChaCha20-Poly1305)
  • HTTP Strict Transport Security (HSTS) enforcement
  • Certificate pinning for API connections
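The transit controls listed above can be verified from the client side. The following Python is an added example, not Rifraux's code: it builds a TLS client context that refuses anything below TLS 1.3 (which by itself guarantees forward-secret, AEAD-only cipher suites), checks a Strict-Transport-Security header for a max-age of at least one year, and verifies a certificate pin computed as the SHA-256 of the DER-encoded certificate. The pin placeholder, function names and the connect helper are assumptions; the server's TLS 1.3 suite list cannot be narrowed from Python's ssl module and remains a server-side setting.

```python
import base64
import hashlib
import socket
import ssl

# Constructed placeholder: real pins would be published by the API operator
# (base64 of SHA-256 over the DER-encoded certificate, see certificate_pin()).
EXPECTED_PINS = {"PLACEHOLDER_BASE64_SHA256_PIN"}

ONE_YEAR = 31536000  # seconds; the smallest max-age the HSTS preload list accepts


def strict_client_context() -> ssl.SSLContext:
    """Client context that negotiates TLS 1.3 only and always verifies the peer.

    Every TLS 1.3 cipher suite is AEAD and every TLS 1.3 key exchange is
    ephemeral (EC)DHE, so requiring 1.3 gives forward secrecy and rules out
    RSA key transport and CBC suites without any cipher-string tuning.
    """
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def certificate_pin(der_cert: bytes) -> str:
    """Pin for a DER-encoded certificate: base64(SHA-256(cert))."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True when the presented certificate hashes to one of the expected pins."""
    return certificate_pin(der_cert) in pins


def parse_hsts(header_value: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains; preload' into a directive dict.

    Valueless directives map to True; directive names are case-insensitive.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def hsts_is_enforced(header_value: str, min_age: int = ONE_YEAR) -> bool:
    """True when the header carries a numeric max-age of at least min_age seconds."""
    age = parse_hsts(header_value).get("max-age")
    if not isinstance(age, str) or not age.isdigit():
        return False
    return int(age) >= min_age


def connect_pinned(host: str, port: int = 443, pins: set = EXPECTED_PINS) -> dict:
    """Open a verified TLS 1.3 connection and enforce the pin before any request.

    Needs network access, so the offline checks do not call it.
    """
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            return {"version": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    ctx = strict_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    print("HSTS ok:", hsts_is_enforced("max-age=31536000; includeSubDomains"))
    print("pin demo:", pin_matches(b"constructed-der", {certificate_pin(b"constructed-der")}))
```

Pinning the leaf certificate's DER means the pin changes at every certificate renewal, so a client should hold a backup pin for the next certificate; pinning the SubjectPublicKeyInfo instead survives renewals that keep the same key.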

Encryption at Rest

All data stored in our systems is encrypted using AES-256 encryption:

  • Database Encryption: Full database encryption with rotating keys
  • File Storage: Server-side encryption for all stored files
  • Backup Encryption: Encrypted backups with separate encryption keys
  • Key Management: Hardware Security Modules (HSMs) for cryptographic key storage

Key Management

We use AWS Key Management Service (KMS) and Azure Key Vault for secure key generation, storage, and rotation. Encryption keys are automatically rotated every 90 days, and old keys are securely archived for data recovery purposes.

Access Control

Authentication

🔐 Multi-Factor Authentication

MFA required for all administrative and developer accounts using TOTP or hardware tokens

🔑 API Key Management

Secure API key generation with scoped permissions and expiration dates

🚫 IP Whitelisting

Optional IP restrictions for API access to trusted networks only

⏰ Session Management

Automatic session timeout after 30 minutes of inactivity

Authorization

We implement Role-Based Access Control (RBAC) with the principle of least privilege:

  • Fine-grained permissions for different user roles (Admin, Developer, Viewer)
  • Separation of duties for critical operations
  • Regular access reviews and permission audits
  • Automatic deprovisioning of inactive accounts after 90 days
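A minimal model of the authorization rules in this section (role permissions, separation of duties, the 30-minute idle timeout from Session Management above, and 90-day deprovisioning), as an added Python example rather than Rifraux's implementation. The role names Admin, Developer and Viewer come from the page; the permission strings, account names and the dual-control rule for rule changes are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Roles are the three named on the page; the permission strings are assumed
# names chosen for illustration, not Rifraux's real permission model.
ROLE_PERMISSIONS = {
    "Admin": {"transactions:read", "rules:write", "rules:approve", "users:manage"},
    "Developer": {"transactions:read", "rules:write", "logs:read"},
    "Viewer": {"transactions:read"},
}
IDLE_TIMEOUT = timedelta(minutes=30)    # session timeout stated on the page
DEPROVISION_AFTER = timedelta(days=90)  # inactive-account cutoff stated on the page


class AccessDenied(Exception):
    pass


@dataclass
class Account:
    username: str
    role: str
    last_login: datetime
    enabled: bool = True


@dataclass
class Session:
    account: Account
    last_activity: datetime


def permissions_for(role: str) -> frozenset:
    """Unknown roles get no permissions (deny by default)."""
    return frozenset(ROLE_PERMISSIONS.get(role, ()))


def deprovision_inactive(accounts, now: datetime) -> list:
    """Disable accounts not logged in for DEPROVISION_AFTER; returns usernames disabled."""
    disabled = []
    for acct in accounts:
        if acct.enabled and now - acct.last_login > DEPROVISION_AFTER:
            acct.enabled = False
            disabled.append(acct.username)
    return disabled


def authorize(session: Session, permission: str, now: datetime) -> bool:
    """Allow only for an enabled account, a non-idle session and a role holding the permission."""
    if not session.account.enabled:
        raise AccessDenied("account disabled")
    if now - session.last_activity > IDLE_TIMEOUT:
        raise AccessDenied("session expired after inactivity")
    if permission not in permissions_for(session.account.role):
        raise AccessDenied(f"{session.account.role} lacks {permission}")
    session.last_activity = now  # activity extends the session
    return True


def approve_rule_change(requester: Session, approver: Session, now: datetime) -> bool:
    """Separation of duties: the approver must hold rules:approve and differ from the requester."""
    authorize(requester, "rules:write", now)
    authorize(approver, "rules:approve", now)
    if requester.account.username == approver.account.username:
        raise AccessDenied("requester cannot approve their own change")
    return True


def _outcome(fn, *args):
    """Return True on success or the denial reason as a string."""
    try:
        return fn(*args)
    except AccessDenied as exc:
        return str(exc)


def run_scenario() -> dict:
    """Constructed accounts and sessions exercising each rule; returns the outcomes."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    alice = Account("alice", "Developer", last_login=now - timedelta(days=1))
    bob = Account("bob", "Admin", last_login=now - timedelta(days=2))
    carol = Account("carol", "Viewer", last_login=now - timedelta(days=120))
    dave = Account("dave", "Viewer", last_login=now - timedelta(days=3))
    disabled = deprovision_inactive([alice, bob, carol, dave], now)

    alice_s = Session(alice, last_activity=now - timedelta(minutes=5))
    bob_s = Session(bob, last_activity=now - timedelta(minutes=10))
    dave_s = Session(dave, last_activity=now - timedelta(minutes=1))
    stale_s = Session(bob, last_activity=now - timedelta(minutes=31))
    return {
        "deprovisioned": disabled,
        "viewer_write_rules": _outcome(authorize, dave_s, "rules:write", now),
        "developer_write_rules": _outcome(authorize, alice_s, "rules:write", now),
        "stale_session": _outcome(authorize, stale_s, "transactions:read", now),
        "self_approval": _outcome(approve_rule_change, bob_s, bob_s, now),
        "dual_control": _outcome(approve_rule_change, alice_s, bob_s, now),
    }


if __name__ == "__main__":
    for rule, result in run_scenario().items():
        print(f"{rule}: {result}")
```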

Employee Access

Rifraux employees have limited access to production systems. All access is logged, monitored, and requires approval through our ticketing system. Customer data access is restricted to authorized support personnel only when troubleshooting specific issues with documented consent.

Monitoring & Threat Detection

Security Monitoring

Our Security Operations Center (SOC) provides 24/7/365 monitoring:

  1. SIEM (Security Information and Event Management): Centralized logging and correlation of security events across all systems
  2. Automated Threat Detection: Machine learning algorithms to identify anomalous behavior and potential threats
  3. Real-Time Alerts: Immediate notification of security incidents to on-call engineers
  4. Audit Logging: Comprehensive logs of all API calls, authentication attempts, and data access

Threat Intelligence

We subscribe to multiple threat intelligence feeds and participate in information sharing with African cybersecurity communities to stay ahead of emerging threats specific to the region.

Compliance & Certifications

Rifraux maintains compliance with international and regional security standards:

  • PCI DSS Level 1 (Certified 2024): Payment Card Industry Data Security Standard compliance for handling card transactions
  • ISO 27001:2022 (Certified 2024): International standard for information security management systems
  • SOC 2 Type II (Audited 2024): Service Organization Control audit for security, availability, and confidentiality
  • NDPR Compliance (Compliant 2024): Nigeria Data Protection Regulation for handling personal data

Regular Audits

  • Annual third-party security audits
  • Quarterly penetration testing by certified ethical hackers
  • Monthly vulnerability assessments
  • Continuous compliance monitoring

Incident Response

Incident Response Plan

We maintain a comprehensive incident response plan that includes:

  1. Detection & Analysis: Rapid identification and assessment of security incidents
  2. Containment: Immediate action to limit the impact and prevent further damage
  3. Eradication & Recovery: Removal of threats and restoration of normal operations
  4. Post-Incident Review: Lessons learned and implementation of preventive measures

Communication

In the event of a security incident that affects customer data, we commit to:

  • Notify affected customers within 72 hours of discovery
  • Provide regular updates throughout the incident resolution process
  • Maintain transparency about the nature and scope of the incident
  • Coordinate with regulatory authorities as required by law

Vulnerability Management

Continuous Scanning

We employ automated vulnerability scanning tools that continuously monitor our infrastructure for known vulnerabilities and misconfigurations.

Patch Management

  • Critical patches: Applied within 24 hours
  • High severity patches: Applied within 7 days
  • Medium severity patches: Applied within 30 days
  • Low severity patches: Applied during regular maintenance windows

Bug Bounty Program

Responsible Disclosure

We welcome security researchers to report vulnerabilities through our bug bounty program. Rewards range from $100 to $10,000 depending on severity.


Disaster Recovery & Business Continuity

Backup Strategy

Our backup strategy ensures data durability and availability:

  • Real-time replication: Synchronous replication to secondary datacenter
  • Automated backups: Full backups every 24 hours, incremental backups every 6 hours
  • Geographic redundancy: Backups stored in multiple regions across Africa
  • Retention policy: Daily backups for 30 days, monthly backups for 1 year
  • Backup testing: Monthly restoration drills to verify backup integrity

High Availability

  • Uptime SLA: 99.99%
  • Recovery Time Objective (RTO): <4 hours
  • Recovery Point Objective (RPO): <1 hour

Disaster Recovery Plan

Our disaster recovery plan is tested quarterly and includes failover procedures, communication protocols, and restoration procedures to ensure business continuity in the event of a major incident.

Security Reporting

Report a Security Issue

If you discover a security vulnerability or have concerns about our security practices, please contact us immediately:

Security Team Email: security@rifraux.com

PGP Key: Available upon request for encrypted communications

Response Time: We acknowledge security reports within 24 hours

What to Include

When reporting a security issue, please include:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

Security Documentation

Additional security documentation available upon request:

  • 📄 Security Whitepaper: Detailed overview of our security architecture
  • 📋 SOC 2 Report: Latest Type II audit report
  • 🔐 Penetration Test Results: Summary of latest security assessment
  • ✅ Compliance Certificates: ISO 27001, PCI DSS certifications

Security Best Practices for Clients

Help us keep your data secure by following these recommendations:

✓ Use Strong Passwords

Minimum 12 characters with mixed case, numbers, and symbols

✓ Enable MFA

Always enable multi-factor authentication on your account

✓ Rotate API Keys

Rotate API keys every 90 days or after employee departures

✓ Monitor Access Logs

Regularly review API access logs for unusual activity

✓ Restrict IP Access

Use IP whitelisting to limit API access to trusted networks

✓ Report Incidents

Immediately report any suspicious activity or security concerns
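Three of the recommendations above (rotate API keys every 90 days or after departures, monitor access logs for unusual activity, restrict API access to trusted networks) can be automated on the client side. The Python below is an added example, not a Rifraux tool: it parses a constructed JSON-lines access log in an assumed format, flags requests from outside an allowlist, bursts of 401 responses and off-hours access from untrusted addresses, and lists API keys due for rotation. The log format, field names, thresholds, key inventory and sample addresses are all assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

KEY_ROTATION_PERIOD = timedelta(days=90)  # rotation interval recommended on the page
FAILED_AUTH_THRESHOLD = 5                 # assumed: this many 401s from one source is a burst
OFF_HOURS = range(0, 6)                   # assumed: 00:00-05:59 UTC is outside normal operation

# Constructed sample log (JSON lines, assumed field names); 41.58.10.0/24 plays the
# trusted office network and 198.51.100.23 an unknown address.
SAMPLE_LOG = """\
{"ts": "2024-06-03T09:12:04Z", "key_id": "key_ops", "src_ip": "41.58.10.7", "status": 200, "path": "/v1/score"}
{"ts": "2024-06-03T09:12:09Z", "key_id": "key_ops", "src_ip": "41.58.10.7", "status": 200, "path": "/v1/score"}
{"ts": "2024-06-03T03:40:11Z", "key_id": "key_ops", "src_ip": "198.51.100.23", "status": 401, "path": "/v1/score"}
{"ts": "2024-06-03T03:40:12Z", "key_id": "key_ops", "src_ip": "198.51.100.23", "status": 401, "path": "/v1/score"}
{"ts": "2024-06-03T03:40:13Z", "key_id": "key_ops", "src_ip": "198.51.100.23", "status": 401, "path": "/v1/score"}
{"ts": "2024-06-03T03:40:14Z", "key_id": "key_ops", "src_ip": "198.51.100.23", "status": 401, "path": "/v1/score"}
{"ts": "2024-06-03T03:40:15Z", "key_id": "key_ops", "src_ip": "198.51.100.23", "status": 401, "path": "/v1/score"}
{"ts": "2024-06-03T03:41:30Z", "key_id": "key_ops", "src_ip": "198.51.100.23", "status": 200, "path": "/v1/export"}
"""
TRUSTED_NETWORKS = ["41.58.10.0/24"]  # constructed allowlist


def parse_log(text: str) -> list:
    """Parse JSON-lines records; timestamps are ISO-8601 with a trailing Z."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def review_access_log(events, trusted_networks, failure_threshold=FAILED_AUTH_THRESHOLD):
    """Return sorted, de-duplicated (finding, key_id, src_ip) tuples."""
    trusted = [ip_network(n) for n in trusted_networks]
    failures = Counter()
    findings = set()
    for ev in events:
        src = ip_address(ev["src_ip"])
        from_trusted = any(src in net for net in trusted)
        if not from_trusted:
            findings.add(("untrusted_source", ev["key_id"], ev["src_ip"]))
        if ev["status"] == 401:
            failures[(ev["key_id"], ev["src_ip"])] += 1
        elif ev["ts"].hour in OFF_HOURS and not from_trusted:
            findings.add(("off_hours_access", ev["key_id"], ev["src_ip"]))
    for (key_id, src_ip), count in failures.items():
        if count >= failure_threshold:
            findings.add(("auth_failure_burst", key_id, src_ip))
    return sorted(findings)


def keys_due_for_rotation(keys, now, period=KEY_ROTATION_PERIOD):
    """keys: dicts with key_id, created_at (aware datetime) and owner_active (bool)."""
    due = []
    for key in keys:
        if now - key["created_at"] > period:
            due.append((key["key_id"], f"older than {period.days} days"))
        elif not key.get("owner_active", True):
            due.append((key["key_id"], "owner departed"))
    return due


def run_review() -> dict:
    """Run both checks over the constructed sample data."""
    now = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)
    keys = [  # constructed key inventory
        {"key_id": "key_ops", "created_at": datetime(2024, 1, 1, tzinfo=timezone.utc), "owner_active": True},
        {"key_id": "key_reports", "created_at": datetime(2024, 5, 1, tzinfo=timezone.utc), "owner_active": False},
        {"key_id": "key_new", "created_at": datetime(2024, 5, 20, tzinfo=timezone.utc), "owner_active": True},
    ]
    return {
        "findings": review_access_log(parse_log(SAMPLE_LOG), TRUSTED_NETWORKS),
        "rotation_due": keys_due_for_rotation(keys, now),
    }


if __name__ == "__main__":
    for section, items in run_review().items():
        print(section)
        for item in items:
            print("  ", item)
```

Against the constructed sample the review reports one untrusted source, one burst of failed authentications and one off-hours success for key_ops, and marks key_ops (older than 90 days) and key_reports (owner departed) for rotation; on a real log the allowlist, thresholds and off-hours window would be set from the client's own baseline.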

Questions About Security?

Our security team is here to help. Contact us for security inquiries, penetration testing coordination, or to request additional documentation.