Enterprise-Grade Security
Security Architecture
Multi-layered security approach protecting every aspect of our platform
App Check Protection
All public endpoints are protected by Google App Check, preventing automated attacks and ensuring requests come from legitimate sources.
Firebase Authentication
Secure user authentication with custom claims for role-based access control (RBAC), session management, and multi-factor authentication support.
Firestore Security Rules
Granular access control at the database level, ensuring users can only access data they're authorized to see based on their roles and permissions.
Data Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Payment data is handled by PCI-compliant providers (Stripe, Paystack).
Secret Management
All API keys, database credentials, and sensitive configuration are stored in Google Cloud Secret Manager with automatic rotation and access logging.
Rate Limiting
Cloud Armor and Redis-based rate limiting protect against abuse and DDoS attacks, with automatic blocking of suspicious activity.
Payment Security
PCI-compliant payment processing with multiple secure providers
Stripe Integration
- Signed webhook verification with Stripe signature
- Card data handled by PCI-compliant payment providers
- Idempotency keys for duplicate prevention
- 3D Secure authentication for high-risk transactions
Paystack Integration
- HMAC-SHA512 webhook signature verification
- Provider-managed payment handling and signature verification
- Constant-time comparison for signature validation
- Local payment methods for Nigerian market
Data Privacy & Retention
Comprehensive privacy controls and data protection measures
Tax Document Privacy
- Private GCS storage with V4 signed URLs
- 15-minute TTL for secure access
- 7-year retention for compliance
- Automatic lifecycle management
Session Security
- HttpOnly, Secure, SameSite cookies
- Server-side session verification
- Automatic session expiration
- CSRF protection
User Rights
- Data access and portability
- Right to deletion (with limitations)
- Notification preferences control
- Quiet hours and cooldown settings
Evidence Privacy
- Private until verification complete
- Public only when verified=true
- Secure upload with virus scanning
- Access logging and audit trail
Security Control Areas
Operational controls that are implemented in the platform today
Access Control
Custom-claims RBAC, scoped portals, and server-side authorization checks for operational actions
Payment Integrity
Signed Stripe and Paystack webhooks, idempotent processing, and payout-state tracking
Data Protection
Encryption in transit, private storage buckets, signed URLs, and managed secrets
Auditability
Evidence logs, payout traces, tax-document records, and notification history across core workflows
Operational Safeguards
Rate limiting, maintenance gates, signed internal calls, and disabled public debug surfaces
Retention & Access Windows
Document retention policies, signed-download expirations, and lifecycle-managed storage paths
Security Incident Response
Coordinated incident handling and private responsible disclosure
Our Response Process
Responsible Disclosure
Ebun does not currently operate a public bug bounty or paid vulnerability rewards program. If you identify a credible security issue, report it privately so our team can triage and remediate it responsibly.
Need to Report a Security Issue?
Use the technical support channel for vulnerability reports, suspicious activity, or questions about platform safeguards