Security Policy

At RizPay, security is fundamental to everything we do. As a fintech platform handling financial transactions, we are committed to protecting our users' data and funds. This policy outlines our security practices and how to report vulnerabilities.

1. Our Security Practices

  1. Encryption:

    • All data is encrypted in transit using TLS 1.2+
    • Sensitive data is encrypted at rest using AES-256
    • Passwords are hashed using industry-standard algorithms
  2. Infrastructure Security:

    • Monitoring for suspicious activity and anomalies
    • Secure cloud infrastructure with automated backups
    • Regular security reviews and updates
  3. Access Control:

    • Role-based access control for all systems
    • Multi-factor authentication for sensitive operations
    • Principle of least privilege enforced
  4. Compliance:

    • Payment processing through PCI DSS compliant providers
    • Adherence to Nigerian data protection regulations (NDPR)

2. Reporting a Vulnerability

If you discover a security vulnerability, we encourage you to report it responsibly. We appreciate your help in keeping RizPay secure.

How to Report:

What to Include:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Your contact information (optional, but helpful for follow-up)

3. Our Commitment to Researchers

  1. Safe Harbor:

    • We will not pursue legal action against researchers who report vulnerabilities in good faith
    • We will not penalize accounts used for security testing (within reasonable limits)
  2. Response Timeline:

    • Initial acknowledgment within 72 hours
    • Assessment and triage within 14 days
    • Regular updates on remediation progress
  3. Recognition:

    • We acknowledge security researchers who help us improve (with permission)
    • We may offer recognition for significant vulnerability discoveries

4. Responsible Disclosure Guidelines

When testing and reporting, please:

  1. Do:

    • Test only against your own accounts
    • Stop testing once you've confirmed a vulnerability
    • Give us reasonable time to fix issues before disclosure
    • Report vulnerabilities promptly
  2. Do Not:

    • Access or modify other users' data
    • Perform denial-of-service attacks
    • Use automated scanning tools excessively
    • Publicly disclose vulnerabilities before we've addressed them

5. Out of Scope

The following are generally not considered vulnerabilities:

  • Reports from automated vulnerability scanners without proof of exploitability
  • Missing security headers that don't lead to direct exploitation
  • Social engineering attacks (phishing, vishing)
  • Physical attacks against our offices or data centers
  • Issues in third-party services we don't control

6. Security Updates

We continuously improve our security posture. Major security updates are communicated through:

  • In-app notifications for critical security matters
  • Email notifications for account security issues
  • Our blog for general security announcements

7. Contact Us