PCI DSS
CBK (Kenya)
ISO 27001
SOC 2
99.9% Uptime
Encryption by default
All data in transit is encrypted with TLS 1.3+. All sensitive data at rest is encrypted with AES-256 and envelope keys.
Hardened infrastructure
Isolated VPCs, multi-AZ redundancy, least-privilege IAM, and continuous patching keep the platform resilient.
24/7 monitoring
SIEM + anomaly detection, real-time alerting, and on-call coverage ensure rapid incident response.
Compliance & certifications
- • PCI DSS compliant card processing
- • Central Bank of Kenya (CBK) regulated partner
- • Data processing aligned with GDPR principles
- • Annual pen-tests and external audits
Access control
- • SSO + MFA for all internal tools
- • Role-based access (RBAC) and just-in-time elevation
- • Hardware-backed keys for production access
Fraud & risk
- • Velocity checks and device fingerprinting
- • ML-assisted transaction scoring
- • Dispute workflows and chargeback management
Data residency & backup
- • Regional hosting with multi-AZ redundancy
- • Encrypted backups with periodic restore tests
- • Customer-data segregation and tokenisation
Incident response
- • Documented runbooks and post-mortems
- • Breach notification procedures
- • 24/7 on-call rotation and SLAs
Responsible disclosure
We welcome security researchers to responsibly disclose vulnerabilities. Submit details to security@fingopay.io.
If you need encryption, ask for our PGP key.