Your Data Security is Our Top Priority
We employ industry-leading security practices to ensure your identity data is protected at every step of the verification process.
Security Architecture
Our multi-layered security approach ensures comprehensive protection:
Data Encryption
AES-256 encryption at rest, TLS 1.3 in transit. All sensitive data is encrypted before storage.
Network Security
Web Application Firewall, DDoS protection, intrusion detection, and network segmentation.
Access Control
Role-based access, multi-factor authentication, and principle of least privilege.
Monitoring & Logging
24/7 security monitoring, comprehensive audit logs, and real-time alerting.
Backup & Recovery
Automated encrypted backups, disaster recovery procedures, and 99.9% uptime SLA.
Employee Security
Background checks, security training, and strict access policies for all team members.
Infrastructure Security
Cloud Infrastructure
- Hosted on AWS with African data centers
- Auto-scaling and load balancing
- Geographic redundancy
- VPC isolation and security groups
Application Security
- Secure SDLC practices
- Regular code reviews
- Automated vulnerability scanning
- Dependency security monitoring
API Security
- API key authentication
- Rate limiting and throttling
- Request signing and validation
- IP whitelisting options
Data Protection
- Data minimization practices
- Automatic data retention policies
- Secure data deletion
- Pseudonymization where possible
Compliance & Certifications
We maintain compliance with industry standards and regulations:
SOC 2 Type II
GDPR
POPIA
ISO 27001
PCI DSS
AML/KYC Laws
NIST Framework
RBZ Regulations
12 Layers of Fraud Protection
Our AI-powered fraud detection system includes:
Rate Limiting
Prevents automated attacks and brute force attempts.
Duplicate Face Detection
Identifies if the same face is used across multiple accounts.
Duplicate Document Detection
Detects reused or shared identity documents.
Name Cross-Validation
Matches extracted names against user-provided information.
Age Estimation
Verifies that the age estimated from the selfie is consistent with the date of birth on the document.
Document Expiry Check
Automatically rejects expired identity documents.
IP & Geo Analysis
Detects suspicious locations and VPN usage.
Device Fingerprinting
Identifies device patterns and repeat offenders.
Velocity Checks
Monitors for unusual verification patterns.
Image Tampering Detection
Identifies photoshopped or manipulated documents.
MRZ Validation
Validates machine-readable zone on passports.
Blacklist Screening
Checks against known fraudster databases.
Penetration Testing
We conduct regular security assessments:
- Annual third-party penetration testing
- Continuous automated vulnerability scanning
- Bug bounty program for responsible disclosure
- Red team exercises
Report a Security Vulnerability
We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us:
security@openkyc.africa
We commit to responding within 24 hours and will work with you to address the issue promptly.
Incident Response
Our incident response process ensures rapid action:
1. Detection
24/7 monitoring with automated alerting systems to detect potential security events.
2. Assessment
Security team evaluates severity and scope within 15 minutes of detection.
3. Containment
Immediate steps to contain the incident and prevent further damage.
4. Communication
Timely notification to affected parties as required by regulations.
Security Best Practices for Clients
We recommend the following security practices when integrating with OpenKYC:
- Protect your API keys: Never expose API keys in client-side code
- Use webhooks securely: Verify webhook signatures to prevent spoofing
- Implement IP whitelisting: Restrict API access to known IP addresses
- Enable MFA: Use multi-factor authentication for admin access
- Rotate credentials: Regularly rotate API keys and secrets
- Monitor usage: Set up alerts for unusual API activity
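A client-side check for the "Use webhooks securely" item above, added here as an illustration and not OpenKYC's own code. It assumes a hypothetical scheme (the header names and the signed message layout are assumptions, since this page does not document the actual format) in which the sender places a Unix timestamp and an HMAC-SHA256 over `timestamp.body` in request headers; the receiver recomputes the MAC over the raw body, compares it in constant time, and rejects stale timestamps to limit replay of a captured request.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed header names and signing scheme (hypothetical, not OpenKYC's documented format):
# signature = hex(HMAC-SHA256(secret, f"{timestamp}.{raw_body}"))
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300  # reject events whose timestamp is more than 5 minutes off


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over the timestamp and the raw request body, hex-encoded."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now: Optional[float] = None) -> bool:
    """Return True only if the signature matches and the timestamp is fresh.

    - Signs the raw bytes as received, not a re-serialised JSON copy, so
      whitespace or key-order differences cannot break the check.
    - hmac.compare_digest avoids leaking the comparison result through timing.
    - The timestamp window bounds how long a captured valid request stays usable.
    """
    sig = headers.get(SIG_HEADER, "")
    ts = headers.get(TS_HEADER, "")
    if not sig or not ts:
        return False
    try:
        ts_int = int(ts)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts_int) > MAX_SKEW_SECONDS:
        return False
    expected = compute_signature(secret, ts, body)
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed sample event and placeholder secret for a stand-alone run
    secret = b"whsec_placeholder_not_a_real_secret"
    body = b'{"event":"verification.completed","id":"ver_123"}'
    ts = str(int(time.time()))
    headers = {SIG_HEADER: compute_signature(secret, ts, body), TS_HEADER: ts}
    print(verify_webhook(secret, headers, body))  # True
```

Store the webhook secret server-side only and treat any request that fails this check as unauthenticated, logging it for the "Monitor usage" alerting above.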
Security Questions?
Our security team is here to address any concerns about our security practices.