Trust & Security

Security at every layer.

QIFTS is infrastructure that companies rely on to issue rewards at scale. Security isn't an afterthought — it's built into every layer of the platform, from the API to the underlying data stores.

Infrastructure security

The QIFTS platform runs on enterprise-grade cloud infrastructure with multi-region redundancy across Africa. All infrastructure components are managed with least-privilege access controls, regular patching, and continuous monitoring. Production environments are fully isolated from staging and development.

Data encryption

All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256. API credentials, keys, and sensitive configuration are stored using industry-standard secrets management, never in source code or plain configuration files.

Access control

Platform access is governed by role-based access controls. Multi-factor authentication is required for all platform dashboard access. API access is scoped by key, with granular permission sets. We maintain detailed access logs and conduct regular access reviews.

API security

All API endpoints are authenticated. Requests are validated, rate-limited, and logged. Webhook payloads are signed so customers can verify authenticity. We follow OWASP API security best practices across all endpoints.

Vulnerability management

We conduct regular security assessments of our platform, including penetration testing by independent third parties. Critical vulnerabilities are remediated on a priority basis. We maintain a formal vulnerability disclosure process.

Operational security

Our team follows security-first engineering practices: code reviews, dependency scanning, automated security testing in CI/CD, and strict change management for production deployments. Access to production systems is restricted and audited.

Incident response

We maintain a documented incident response plan. In the event of a security incident affecting customer data, we will notify affected customers in accordance with our platform agreements and applicable legal requirements. We aim to notify within 72 hours of becoming aware of a material incident.

Compliance

QIFTS operates across multiple African regulatory environments. We maintain compliance with applicable data protection laws in the markets we serve, and work with customers to meet sector-specific requirements including financial services and healthcare regulations where relevant.

Responsible disclosure

If you discover a potential security vulnerability in the QIFTS platform, we want to hear from you. Please do not publicly disclose the issue before giving us the opportunity to investigate and remediate it.

Contact us at security@qifts.com with a description of the issue, the steps to reproduce it, and your contact details. We will acknowledge receipt within 2 business days and keep you informed as we investigate.

Questions about security? Talk to the team or email security@qifts.com.