Trust Center
Security Architecture
SectID implements defense-in-depth across application, data, and operational layers for KYC, KYB, and AML workloads.
Encryption
- AES-256-GCM encryption at rest for all PII and documents
- TLS 1.3 for all data in transit
- Envelope encryption for sensitive artifacts
- Key rotation every 90 days
Infrastructure
- Multi-region deployment with automatic failover
- VPC isolation with private subnets
- DDoS protection via Cloudflare and AWS Shield
- Immutable infrastructure with infrastructure-as-code
Monitoring
- 24/7 security operations center (SOC)
- Real-time anomaly detection on API traffic
- Automated threat intelligence feeds
- quarterly penetration testing by certified firms
Access Control
- Role-based access control (RBAC) with least privilege
- Multi-factor authentication (MFA) enforced
- Just-in-time (JIT) access for sensitive operations
- Quarterly access reviews and recertification
Identity
- API key hashing with pepper and rotation
- Session cookies: HttpOnly, Secure, SameSite Strict
- JWT tokens with short expiry and refresh rotation
- SSO / SAML integration for enterprise customers
Compliance
- Append-only audit logs with hash chaining
- Signed webhooks with HMAC-SHA256
- Tenant isolation with organization-scoped queries
- Data retention policy enforcement engine
Data Residency
| Region | Note |
|---|---|
| Kenya (primary) | Default data residency for KE tenants |
| EU | Available on enterprise plans |
| South Africa | Roadmap — af-south-1 |
Incident Response
Security incidents are triaged within 4 hours for enterprise customers. Our incident response process includes:
- Immediate containment and eradication
- Root cause analysis within 24 hours
- Customer notification within 24 hours of confirmed breaches
- Public disclosure for material incidents within 72 hours
- Post-incident review and preventive measures
Contact security@sectid.com for coordinated response or to report a vulnerability.