Enterprise-Grade Security

Your data and donations are protected by industry-leading security measures, compliance standards, and privacy controls.

SOC 2 Type II compliant · PCI DSS Level 1 certified · GDPR compliant

Security Architecture

Multi-layered security approach protecting every aspect of our platform

App Check Protection

All public endpoints require a valid Google App Check token, so a request is only served when it carries an attestation issued to a genuine instance of our app; requests without one, or with a token minted for a different app, are rejected. App Check raises the cost of scripted abuse, and it is layered with authentication and rate limiting rather than relied on alone.

Firebase Authentication

Firebase Authentication handles sign-in. Custom claims on the ID token carry each user's roles for role-based access control (RBAC), sessions are managed server-side, and multi-factor authentication is supported.

Firestore Security Rules

Firestore Security Rules enforce access control at the database level, so a user can only read or write the documents their role and ownership allow, whichever client or API path the request arrives through.

Data Encryption

Data is encrypted in transit with TLS 1.3 and at rest with AES-256. Payment card data is handled end to end by PCI-compliant providers (Stripe, Paystack), not by our own systems.

Secret Management

API keys, database credentials, and other sensitive configuration are stored in Google Cloud Secret Manager, with scheduled rotation and an audit log of every access.

Rate Limiting

Cloud Armor at the edge and Redis-backed per-client rate limiting in the application protect against abuse and DDoS attacks; clients that repeatedly exceed their limits are blocked automatically for a period.
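As an added illustration of the application-side limiter (example code, not the platform's own implementation): a sliding-window limiter that refuses requests over the limit and, after repeated violations, blocks the client for a cooling-off period. State lives in an in-memory Map so the block runs stand-alone; the comments give the Redis equivalent (a sorted set per key) that lets every instance share one view. The limits, key format and timings are assumptions.

```javascript
// Added example: sliding-window rate limiter with automatic temporary blocking.
// State is kept in a Map here (assumption, for a stand-alone demo); comments
// note the Redis command that plays the same role in a shared store.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, blockAfter = Infinity, blockMs = 0 }) {
    this.limit = limit;           // requests allowed per window
    this.windowMs = windowMs;     // window length in ms
    this.blockAfter = blockAfter; // consecutive violations before a block
    this.blockMs = blockMs;       // block duration in ms
    this.store = new Map();       // key -> { hits: [ms...], violations, blockedUntil }
  }

  // Returns { allowed: true, remaining } or { allowed: false, reason, retryAfterMs }.
  // `now` is injectable so the behaviour is deterministic in tests.
  check(key, now = Date.now()) {
    let entry = this.store.get(key);
    if (!entry) {
      entry = { hits: [], violations: 0, blockedUntil: 0 };
      this.store.set(key, entry);
    }

    // A client under an active block is refused without touching its counters.
    if (entry.blockedUntil > now) {
      return { allowed: false, reason: 'blocked', retryAfterMs: entry.blockedUntil - now };
    }
    if (entry.blockedUntil) {
      entry.blockedUntil = 0; // block has expired: start with a clean slate
      entry.violations = 0;
    }

    // Drop hits that fell out of the window.
    // Redis: ZREMRANGEBYSCORE key -inf (now - windowMs)
    const cutoff = now - this.windowMs;
    entry.hits = entry.hits.filter((t) => t > cutoff);

    // Redis: ZCARD key
    if (entry.hits.length >= this.limit) {
      entry.violations += 1;
      if (entry.violations >= this.blockAfter) {
        entry.blockedUntil = now + this.blockMs;
        return { allowed: false, reason: 'blocked', retryAfterMs: this.blockMs };
      }
      // Tell the client when the oldest hit leaves the window.
      return {
        allowed: false,
        reason: 'rate_limited',
        retryAfterMs: entry.hits[0] + this.windowMs - now,
      };
    }

    // Redis: ZADD key now now, then EXPIRE key so idle keys do not accumulate.
    entry.hits.push(now);
    return { allowed: true, remaining: this.limit - entry.hits.length };
  }
}

// Choose the limiter key: a stable identity for signed-in users, otherwise the
// client IP. `req.ip` must come from a framework configured to trust only the
// load balancer as a proxy; a raw X-Forwarded-For value is attacker-controlled.
function limiterKey(req) {
  return req.uid ? `uid:${req.uid}` : `ip:${req.ip}`;
}
```

A handler would call `check(limiterKey(req))` before doing any work and answer a refusal with HTTP 429 and a `Retry-After` derived from `retryAfterMs`. Keep the Redis steps inside one MULTI so two instances cannot both admit the request that crosses the limit.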

Payment Security

PCI-compliant payment processing with multiple secure providers

Stripe Integration

  • Webhook payloads verified against the Stripe-Signature header (HMAC-SHA256 over the timestamp and the raw request body)
  • PCI DSS Level 1 compliance (Stripe is a Level 1 service provider)
  • Idempotency keys on API requests, so a retried call never creates a second charge
  • 3D Secure authentication for high-risk transactions

Paystack Integration

  • Webhook payloads verified against the x-paystack-signature header (HMAC-SHA512 of the raw request body under the secret key)
  • PCI DSS compliant payment processing
  • Constant-time comparison for signature validation
  • Local payment methods for the Nigerian market

Data Privacy & Retention

Comprehensive privacy controls and data protection measures

Tax Document Privacy

  • Tax documents are stored in a private GCS bucket and served only through V4 signed URLs
  • Each signed URL expires 15 minutes after issue
  • Documents are retained for 7 years to meet tax-record requirements
  • Bucket lifecycle rules apply the retention and deletion schedule automatically

Session Security

  • HttpOnly, Secure, SameSite cookies
  • Server-side session verification
  • Automatic session expiration
  • CSRF protection

User Rights

  • Data access and portability
  • Right to deletion (subject to legal retention, such as the 7-year tax-record requirement)
  • Notification preferences control
  • Quiet hours and cooldown settings

Evidence Privacy

  • Private until verification complete
  • Public only when verified=true
  • Secure upload with virus scanning
  • Access logging and audit trail

Compliance Standards

Industry-leading compliance certifications and standards

SOC 2 Type II

Security, availability, and confidentiality controls audited annually

PCI DSS Level 1

Highest level of payment card industry security standards

GDPR Compliant

European data protection regulations fully implemented

WCAG 2.1 AA

Web accessibility guidelines for inclusive design

ISO 27001

Information security management system standards

HIPAA Ready

Healthcare data protection capabilities

Security Incident Response

Comprehensive incident response and bug bounty programs

Our Response Process

1. Detection: automated monitoring and alerting
2. Assessment: impact analysis and containment
3. Notification: affected users informed within 24 hours
4. Recovery: system restoration and monitoring

Bug Bounty Program

We encourage responsible disclosure of security vulnerabilities through our bug bounty program.

  • Responsible disclosure process
  • Recognition and rewards
  • Report to: security@ebun.com

Questions About Security?

Contact our security team for detailed information about our security measures