Security Center

Your Money. Protected at Every Layer.

From the moment you create an account to every cedi moved, SnappX applies enterprise-grade security practices designed for the realities of Ghanaian fintech.

  • AES-256 Encryption
  • Immutable Ledger
  • Rate Limited APIs
  • Single-Use OTPs
  • Private KYC Storage
Core Protections: four pillars of security

End-to-End Encryption (AES-256 encryption standard)

Your Mobile Money number is encrypted with AES-256 before it ever touches our database. We also store a salted one-way hash for identity matching, so the plaintext can never be recovered from the stored hash.

Zero-Knowledge Architecture (0 plaintext MoMo exposure)

SnappX engineers cannot read your MoMo number. Our field-level encryption is designed so that even a complete database dump reveals no actionable financial identifiers.

Immutable Ledger (100% immutable records)

Every financial transaction is recorded in an append-only ledger. Entries cannot be updated, deleted, or modified, not even by admins. This creates a tamper-proof audit trail for every cedi moved on the platform.

Paystack-Grade Payments (BoG licensed partner)

All money movement is processed through Paystack, which is licensed by the Bank of Ghana under the Payment Systems and Services Act. We never handle raw card or MoMo credentials on our servers.

Authentication: six layers of access control

JWT Access Tokens
5-minute expiry. Short-lived tokens limit the window of any stolen credential.

Refresh Tokens
30-day validity with rotation, invalidated on every new login.

SMS OTP Verification
6-digit numeric OTPs expire in 10 minutes and are single-use, invalidated immediately after verification.

Brute Force Protection
Accounts are automatically locked after 5 failed login attempts with a 30-minute cooling period.

Rate Limiting
Every sensitive endpoint (login, OTP send, contributions, cashouts) is rate-limited per IP and per user.

Idempotency Keys
Every write request requires a unique X-Idempotency-Key header, preventing duplicate financial operations.
Infrastructure: built on rock-solid foundations

Database & Storage
  • Neon PostgreSQL with AES-256 encryption at rest
  • TLS 1.3 for all data in transit
  • Database-level CHECK constraints prevent negative wallet balances
  • Unique constraints on ledger references prevent duplicate transactions
  • Automated daily backups with point-in-time recovery

API & Application Layer
  • HTTPS only; plain HTTP requests are rejected
  • CORS restricted to approved SnappX frontend origins only
  • CSRF protection on all state-changing endpoints
  • SQL injection prevention via parameterized ORM queries
  • Custom request ID tracking for complete audit trails on every request
KYC & Identity: your documents stay private

Ghana Card & Selfie Protection
KYC documents, required for group admin verification, are handled with the utmost care.
Payments: money moves through licensed rails

Paystack Integration
  • Paystack is licensed by the Bank of Ghana under the Payment Systems and Services Act (2019)
  • We use Paystack's Transfer Recipient API. Your MoMo number is registered once, securely, and reused thereafter
  • Paystack webhook signatures are verified with HMAC-SHA512 on every event before processing
  • All payout references follow strict Paystack format rules (a-z, 0-9, hyphens only) to prevent transfer rejections
  • Stale pending transfers are automatically checked and synced hourly
  • Failed payouts are retried automatically with a fresh reference. Funds are never silently lost
Fraud & Anomaly Detection
  • Automated daily reconciliation compares our immutable ledger against wallet balances. Any drift triggers an immediate admin alert
  • Amount mismatch detection on Paystack webhooks: if payment amount differs from expected, the wallet is NOT credited and admins are notified
  • IP-based rate limiting on all auth and payment endpoints
  • Transaction anomalies trigger structured alerts to our engineering team via email
  • All financial operations are actor-attributed. Every ledger entry records who initiated the action
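The two webhook checks listed above (HMAC-SHA512 signature verification before any processing, and refusing to credit the wallet when the event amount differs from what we expect) combine into one handler. The code below is an added illustration, not SnappX's or Paystack's own code: the secret, the expected-amount table and the event bodies are constructed here, and the amount is assumed to be an integer in the currency's smallest unit.

```python
import hmac
import hashlib
import json

# Constructed for this example: a stand-in secret and the amounts we expect
# per payment reference (reference -> amount in the smallest currency unit).
PAYSTACK_SECRET = b"sk_test_example_secret_not_real"
EXPECTED_AMOUNTS = {"snappx-contrib-0001": 50000}


def verify_signature(raw_body: bytes, signature_header: str, secret: bytes) -> bool:
    """The signature is HMAC-SHA512 over the raw body, keyed by the secret."""
    expected = hmac.new(secret, raw_body, hashlib.sha512).hexdigest()
    # Constant-time comparison: do not leak how many leading hex digits matched.
    return hmac.compare_digest(expected, signature_header or "")


def handle_webhook(raw_body: bytes, signature_header: str) -> str:
    """Return 'rejected', 'ignored', 'mismatch' or 'credited'; only the last credits a wallet."""
    if not verify_signature(raw_body, signature_header, PAYSTACK_SECRET):
        return "rejected"  # unsigned or forged event: touch nothing, log it
    event = json.loads(raw_body)
    if event.get("event") != "charge.success":
        return "ignored"  # other event types are handled elsewhere or dropped
    data = event["data"]
    expected = EXPECTED_AMOUNTS.get(data.get("reference"))
    if expected is None or data.get("amount") != expected:
        # Amount mismatch (or unknown reference): wallet is NOT credited;
        # this is where an admin alert would be raised.
        return "mismatch"
    return "credited"


def make_event(event_type: str, reference: str, amount: int) -> bytes:
    """Build a constructed sample event body for local testing."""
    body = {"event": event_type, "data": {"reference": reference, "amount": amount}}
    return json.dumps(body).encode()


def sign(raw_body: bytes, secret: bytes = PAYSTACK_SECRET) -> str:
    """Produce the signature a sender holding `secret` would attach."""
    return hmac.new(secret, raw_body, hashlib.sha512).hexdigest()
```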
Found a Security Issue?

We take security reports seriously and respond within 24 hours. Responsible disclosure is rewarded with acknowledgment in our security hall of fame and, for critical issues, a cash reward.

Please do not publicly disclose vulnerabilities before we have had a chance to address them.