
Security

Your data is protected by design, not as an afterthought.

Gigva has handled financial transaction data since 2012. Every security measure below is structural — built into how the platform works, not bolted on afterwards.

Data Protection

How we protect your data

Compliance

Kenya-hosted data

All customer transaction data is stored on servers physically located in Kenya. No financial or personal data leaves Kenya without your explicit written consent. Fully compliant with the Kenya Data Protection Act 2019.

Encryption

AES-256 encryption at rest

Sensitive data in the database — including transaction records, personal information, and financial reports — is encrypted at rest using AES-256. Even if the storage medium were compromised, the data remains unreadable.

Transport

TLS 1.3 in transit

Every request between your browser and Gigva servers is encrypted using TLS 1.3 — the latest and most secure transport protocol. Unencrypted HTTP connections are rejected outright.

Credentials

bcrypt password hashing

Your password is never stored in readable form. We store a bcrypt hash with cost factor 12. Even Gigva engineers cannot read your password. If our database were leaked, your credentials remain protected.

Application

Parameterised queries

Every database query throughout the application uses parameterised prepared statements. SQL injection is structurally prevented at the code level — not filtered or sanitised as an afterthought.

Audit

Access logging & audit trail

All account access events and data modification operations are logged with timestamps and IP addresses. Logs are retained for 12 months to support security audits and compliance requirements.

Access

Role-based access control

Access to customer data within Gigva is restricted by role. Engineers have no routine access to production data. All access to sensitive systems requires multi-factor authentication and is logged.

Legal

Data Protection Act compliance

Gigva operates fully within the Kenya Data Protection Act 2019. Our Privacy Policy describes exactly what data we collect, how it is used, and your rights as a data subject under Kenyan law.

Infrastructure & reliability

The Gigva platform is hosted on dedicated infrastructure in Kenya. We operate separate environments for development, staging, and production. No customer data is present in development or staging environments.

The Daraja API integration uses dedicated, credentialed connections per customer account. Your Safaricom M-Pesa Daraja credentials are stored encrypted and are never exposed in API responses, logs, or error messages.

The reconciliation engine processes incoming C2B webhook events with idempotency guarantees — duplicate webhook deliveries from Safaricom do not result in duplicate transaction records. All webhook endpoints validate the source and signature before processing.
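As an added illustration of the idempotency and signature checks described above (example code written here, not Gigva's own): the handler rejects a body whose signature does not verify, then uses the Daraja C2B `TransID` field as the dedupe key so a redelivered event is acknowledged without creating a second record. The HMAC-SHA256 signing scheme, the shared secret and the sample event are assumptions for the example; the page does not state which signature mechanism Gigva uses.

```python
import hashlib
import hmac
import json
import threading

# Assumed shared secret; the signing scheme is an assumption for this example.
WEBHOOK_SECRET = b"example-shared-secret"

class ReconciliationStore:
    """In-memory stand-in for a transactions table keyed uniquely on TransID."""
    def __init__(self):
        self._records = {}
        self._lock = threading.Lock()  # concurrent redeliveries must not race

    def insert_once(self, trans_id, record):
        # True if a new record was created, False if TransID was already stored.
        with self._lock:
            if trans_id in self._records:
                return False
            self._records[trans_id] = record
            return True

    def count(self):
        return len(self._records)

def sign(body: bytes) -> str:
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()

def handle_c2b_confirmation(store, body: bytes, signature: str) -> dict:
    # 1. Verify the signature before parsing anything from the body.
    if not hmac.compare_digest(sign(body), signature):
        return {"accepted": False, "reason": "bad signature"}
    event = json.loads(body)
    # 2. TransID is the idempotency key: a duplicate delivery is acknowledged
    #    (so the sender stops retrying) but produces no second record.
    trans_id = event["TransID"]
    created = store.insert_once(
        trans_id, {"amount": event["TransAmount"], "ref": event["BillRefNumber"]})
    return {"accepted": True, "created": created, "trans_id": trans_id}

# Constructed sample event with the C2B field names used in this example.
SAMPLE_EVENT = json.dumps({"TransID": "QKX7ABC123", "TransAmount": "1500.00",
                           "BillRefNumber": "INV-001"}).encode()

def run_demo() -> dict:
    store = ReconciliationStore()
    good_sig = sign(SAMPLE_EVENT)
    first = handle_c2b_confirmation(store, SAMPLE_EVENT, good_sig)
    second = handle_c2b_confirmation(store, SAMPLE_EVENT, good_sig)  # redelivery
    tampered = handle_c2b_confirmation(store, SAMPLE_EVENT.replace(b"1500", b"9500"), good_sig)
    return {"first": first, "second": second, "tampered": tampered, "count": store.count()}
```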

99.9% uptime SLA (platform availability)
<5s webhook latency (transaction capture time)
12 mo data retention (access log retention)

Responsible disclosure

If you believe you have found a security vulnerability in Gigva, please contact our security team directly. We take every report seriously, investigate promptly, and aim to communicate resolution timelines within 48 hours of receiving a valid report.

No public disclosure before fix
Acknowledge within 48 hrs
Fix timeline communicated

Questions about security?

Read our Privacy Policy for full details on data handling, or get in touch with our team.