Trust Center

Security Architecture

SectID implements defense-in-depth across application, data, and operational layers for KYC, KYB, and AML workloads.

Encryption

  • AES-256-GCM encryption at rest for all PII and documents
  • TLS 1.3 for all data in transit
  • Envelope encryption for sensitive artifacts
  • Key rotation every 90 days

Infrastructure

  • Multi-region deployment with automatic failover
  • VPC isolation with private subnets
  • DDoS protection via Cloudflare and AWS Shield
  • Immutable infrastructure with infrastructure-as-code

Monitoring

  • 24/7 security operations center (SOC)
  • Real-time anomaly detection on API traffic
  • Automated threat intelligence feeds
  • quarterly penetration testing by certified firms

Access Control

  • Role-based access control (RBAC) with least privilege
  • Multi-factor authentication (MFA) enforced
  • Just-in-time (JIT) access for sensitive operations
  • Quarterly access reviews and recertification

Identity

  • API key hashing with pepper and rotation
  • Session cookies: HttpOnly, Secure, SameSite Strict
  • JWT tokens with short expiry and refresh rotation
  • SSO / SAML integration for enterprise customers

Compliance

  • Append-only audit logs with hash chaining
  • Signed webhooks with HMAC-SHA256
  • Tenant isolation with organization-scoped queries
  • Data retention policy enforcement engine

Data Residency

RegionNote
Kenya (primary)Default data residency for KE tenants
EUAvailable on enterprise plans
South AfricaRoadmap — af-south-1

Incident Response

Security incidents are triaged within 4 hours for enterprise customers. Our incident response process includes:

  • Immediate containment and eradication
  • Root cause analysis within 24 hours
  • Customer notification within 24 hours of confirmed breaches
  • Public disclosure for material incidents within 72 hours
  • Post-incident review and preventive measures

Contact security@sectid.com for coordinated response or to report a vulnerability.