Built for Central Bank licensing with bank-grade encryption, compliance infrastructure, and 24/7 monitoring. Your money and data are protected by multiple layers of security.
Every transaction is protected by enterprise-grade security measures
All data is encrypted in transit and at rest using AES-256 encryption. Your information is never stored in plain text.
Face ID, fingerprint, and PIN protection. Multi-factor authentication for all sensitive operations.
Real-time fraud detection powered by AI. Suspicious activity is flagged and blocked automatically.
Hardware security modules (HSM) protect cryptographic keys. No single person has access to funds.
Your account is tied to your device. New device logins require verification via SMS, email, or biometrics.
Every action is logged with timestamps, IP addresses, and device info for complete accountability.
Built to meet the highest regulatory standards for payment service providers
Full Know Your Customer (KYC) and Anti-Money Laundering (AML) checks for all users. ID verification, selfie capture, address proof, and ongoing transaction monitoring.
Know Your Business (KYB) verification for all merchants. Business registration documents, beneficial ownership disclosure, and risk assessment.
Double-entry accounting for all transactions. Real-time balance reconciliation and immutable transaction records for audit purposes.
Dedicated dashboard for central banks and regulators. Real-time transaction monitoring, suspicious activity reports, and policy enforcement tools.
Certified and audited by leading security and compliance organizations
Payment Card Industry Data Security Standard compliance for card processing
Information security management system certification
Full compliance with EU data protection regulations
Licensed Payment Service Provider in 6 African countries
| What | Standard | Implementation |
|---|---|---|
| Data at rest | AES-256 | AWS RDS encryption, enabled at creation |
| S3 documents | AES-256-GCM | Customer-managed KMS CMK, per-document key |
| PII fields | AES-256-GCM | Column-level encryption on ID numbers, names |
| Passwords | Argon2id | 64MB memory, 3 iterations, 4 parallelism threads |
| MFA secrets | AES-256-GCM | Application-layer encryption before storage |
| Card data | Tokenized | Raw PAN never stored — PCI DSS SAQ A scope |
| Data in transit | TLS 1.3 | TLS 1.0/1.1 disabled at load balancer |
| JWT signing | RS256 | RSA-2048 asymmetric, public key at /.well-known/jwks |
| Key rotation | Automatic | AWS KMS — every 90 days, zero-downtime drain |
AuraTap implements a three-tier access control model. No service has more access than it needs. No human has permanent elevated access. Every action is logged, timestamped, and immutable.
AuraTap operates at PCI DSS SAQ A scope — the most restrictive compliance posture. Raw card numbers (PAN), CVV, and track data never enter AuraTap infrastructure. All card data is tokenized at the point of entry by our PCI-certified payment gateway partner. SoftPOS NFC uses EMV cryptograms — card data is encrypted in hardware before transmission. Card processing occurs on an isolated network segment with a separate VPC subnet and security group rules.
Information Security Management System certification covering: risk assessment framework, security policies, asset management, access control, cryptography, physical security, incident management, and business continuity. Annual external audit required.
Full EU data protection compliance. Data minimization principle applied to all collection. Lawful basis documented for all processing activities. Right to erasure: soft delete with 90-day purge on PII. Right to portability: full data export available in JSON format. Data Processing Agreements in place with all sub-processors. DPA available on request to info@auratap.com.
PSP licence applications filed and active in:
Regulatory capital requirements maintained. Quarterly reporting submitted to each regulator. Safeguarding accounts verified monthly.
We believe in data privacy and transparency. You have full control over your personal information and can request data export or deletion at any time.
We don't hide incidents. We contain them.
Our incident response runbooks are maintained in version control. Every engineer practices them quarterly. No improvisation in a crisis.
Our security team monitors the platform 24/7. In the unlikely event of a security incident, we have protocols in place to respond within minutes, contain the threat, and notify affected users immediately.
Incident detection time
Response activation
User notification rate
Our security team is available to answer your questions and provide detailed documentation