Security & trust
Defence in depth, with licensed custody and zero-trust internal controls.
Custody
Funds are held by licensed Nigerian banking and EMI partners. NaijaPay never touches client money directly; all flows are settled partner-to-partner under regulatory oversight.
Authentication
- OTP for sign-in and step-up on risk events
- Device binding with revocation from Settings
- Optional biometrics on mobile
Data protection
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- PII minimisation — KYC artifacts stored with partner KYC vendor
- NDPR-compliant data residency for Nigerian users
Operations
- Real-time risk engine with ALLOW / STEP_UP / HOLD outcomes
- Full audit log of admin actions
- Quarterly penetration testing and SOC2-aligned controls
Reporting issues
Found a vulnerability? Email security@naijapay.app — we acknowledge within 24 hours.