Your data is protected at every layer

SPS handles personal data and financial portfolios. We take that responsibility seriously. Here is exactly how we keep your information safe — in plain English.

Data Encryption

Sensitive fields such as payment references and API tokens are encrypted with AES-256 before they are written to the database. The encryption keys are kept in the application's configuration, separate from the database, so a copy of the database on its own would be unreadable. Passwords are a special case: they are never encrypted at all, because anything encrypted can be decrypted; they are hashed, as described next.
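As an added illustration (not SPS's own code), this is how field-level encryption at rest is typically done in a Laravel application with an Eloquent `encrypted` cast. The model, table and column names are assumptions. Laravel's `Crypt` encrypts with AES-256-CBC plus an HMAC (AES-256-GCM is also available), keyed by `APP_KEY`, which lives in the environment rather than in the database:

```php
<?php
// Added example, not SPS's code. Model, table and column names are hypothetical.
// The 'encrypted' cast runs Crypt::encryptString on write and
// Crypt::decryptString on read, using APP_KEY from the environment.

namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\DB;

class PaymentMethod extends Model
{
    protected $fillable = ['user_id', 'gateway', 'gateway_reference'];

    // Only the gateway reference is sensitive; the other columns stay
    // plaintext so they remain queryable.
    protected $casts = [
        'gateway_reference' => 'encrypted',
    ];
}

// ---- Usage, e.g. from a controller or `php artisan tinker` ----

// Constructed sample value; a real one would come from Stripe or m-Pesa.
$method = PaymentMethod::create([
    'user_id'           => 1,
    'gateway'           => 'stripe',
    'gateway_reference' => 'pm_example_only_123',
]);

// Read through the model: the cast decrypts transparently.
$plain = PaymentMethod::find($method->id)->gateway_reference;

// Read the raw column, bypassing the cast: this is what an attacker holding
// only the database sees. It is a base64-encoded JSON envelope of
// {iv, value, mac}, useless without APP_KEY.
$stored = DB::table('payment_methods')
    ->where('id', $method->id)
    ->value('gateway_reference');

// An encrypted column cannot be searched by value (every write produces a
// fresh IV). To look a record up by its reference, keep a separate
// non-secret lookup key or a keyed hash (blind index) alongside it.
assert($plain === 'pm_example_only_123' && $stored !== $plain);
```

Rotating `APP_KEY` re-keys nothing on its own; existing ciphertext must be re-encrypted, or (from Laravel 11) the old key listed in `APP_PREVIOUS_KEYS` so reads keep working during the transition.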

Password Hashing

Passwords are never stored in plain text, and never in any reversible form either. We store only a bcrypt hash with a high work factor: a one-way transformation that is deliberately slow to compute, so that recovering a password from a leaked hash by guessing would take far too long to be practical. Even our own engineers cannot see your password; only you know it.
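The following added example (not SPS's own code) shows the three pieces a bcrypt-based login needs in Laravel: an explicit work factor in configuration, a constant-time check at sign-in, and a transparent re-hash when the work factor is later raised. It assumes a standard Laravel `User` model; the cost of 12 is a starting point for illustration, not SPS's setting.

```php
<?php
// Added example, not SPS's code. Assumes a standard Laravel User model.

use App\Models\User;
use Illuminate\Support\Facades\Hash;

// config/hashing.php sets the default cost. 'rounds' is the bcrypt cost
// parameter: the key schedule runs 2^rounds times, so each +1 doubles the
// work per guess for an attacker (and the time your own login takes).
// Measure it on your servers and raise it as they get faster.
//
//   'driver' => 'bcrypt',
//   'bcrypt' => ['rounds' => env('BCRYPT_ROUNDS', 12)],

function storePassword(User $user, string $plaintext): void
{
    // Hash::make generates a random salt and returns a string such as
    // "$2y$12$..." that embeds algorithm, cost and salt. The plaintext is
    // discarded once this returns. Laravel 10+ can do the same step
    // automatically via a 'password' => 'hashed' cast on the User model.
    $user->forceFill(['password' => Hash::make($plaintext)])->save();
}

function checkPassword(User $user, string $candidate): bool
{
    // Hash::check re-runs bcrypt with the salt and cost embedded in the
    // stored hash and compares the result in constant time. At no point is
    // a stored plaintext needed, because there is none.
    if (! Hash::check($candidate, $user->password)) {
        return false;
    }

    // A successful login is the only moment the plaintext is available, so
    // use it to upgrade hashes that were made under a lower cost than the
    // one currently configured.
    if (Hash::needsRehash($user->password)) {
        $user->forceFill(['password' => Hash::make($candidate)])->save();
    }

    return true;
}
```

Because the cost is stored inside each hash, raising `BCRYPT_ROUNDS` never breaks existing logins; old hashes keep verifying at their old cost and are upgraded one by one as users sign in.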

Token-Based Authentication

We use Laravel Sanctum to issue a separate API token for each device you sign in from, each limited to the abilities that device needs. You can revoke any device's token instantly from your account settings without being signed out anywhere else, so a token stolen from one device can be cut off on its own, and it can never do more than its scope allows.
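Here is an added example (not SPS's own code) of per-device, scoped Sanctum tokens: issuing one with named abilities, enforcing the ability on a route, and revoking a single device's token while leaving the others alone. Device names, ability names and the `/trades` route are illustrative; it assumes the `User` model uses Sanctum's `HasApiTokens` trait.

```php
<?php
// Added example, not SPS's code. Device names, abilities and routes are
// hypothetical. Assumes App\Models\User uses Laravel\Sanctum\HasApiTokens.

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Issue: one token per device, restricted to the abilities (scopes) listed.
// The plaintext token is returned exactly once; Sanctum stores only its
// SHA-256 hash in personal_access_tokens, so a database leak does not hand
// out usable tokens.
function issueDeviceToken(User $user, string $deviceName, array $abilities): string
{
    return $user->createToken($deviceName, $abilities)->plainTextToken;
}

// e.g. a phone that may only read the portfolio:
//   issueDeviceToken($user, 'Pixel 8', ['portfolio:read']);
// and a desktop session that may also place trades:
//   issueDeviceToken($user, 'Work laptop', ['portfolio:read', 'trades:create']);

// Enforce the scope: a valid read-only token still cannot place a trade.
Route::middleware('auth:sanctum')->post('/trades', function (Request $request) {
    if (! $request->user()->tokenCan('trades:create')) {
        abort(403, 'This device token is not permitted to place trades.');
    }
    // ... create the trade
});
// Declarative equivalent once the alias is registered:
//   ->middleware(['auth:sanctum', 'abilities:trades:create'])

// Revoke one device: delete only that token; other devices stay signed in.
function revokeDeviceToken(User $user, int $tokenId): void
{
    $user->tokens()->where('id', $tokenId)->delete();
}

// Revoke the token the current request arrived with ("sign out this device").
function revokeCurrentToken(Request $request): void
{
    $request->user()->currentAccessToken()->delete();
}

// "Sign out everywhere", e.g. after a password change or suspected compromise.
function revokeAllTokens(User $user): void
{
    $user->tokens()->delete();
}
```

Scoping the token to the device's real needs is what limits the blast radius: a token lifted from a read-only phone app is still worthless for moving money.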

Brute-Force Protection

Login attempts are rate-limited. After five consecutive failed attempts, sign-in for that account is locked for 15 minutes and a warning is sent to the account's email address. The same limit applies to the API login endpoint, so automated password-guessing tools hit the lockout just as a browser does.
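The added example below (not SPS's own code) implements that policy with Laravel's `RateLimiter` and cache. It counts only failed sign-ins (a plain `throttle` middleware would count successful ones too), starts a full 15-minute lock on the fifth failure, and resets the counter on success. The controller name, the lock-out notification and the JSON responses are assumptions.

```php
<?php
// Added example, not SPS's code. Controller and notification names are
// hypothetical. Uses the configured cache store (Redis etc.) so the counter
// is shared across application servers.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\RateLimiter;

class LoginController extends Controller
{
    private const MAX_FAILURES = 5;
    private const LOCK_SECONDS = 15 * 60;

    public function login(Request $request): JsonResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        // Key on the account, not the client IP, so guesses spread across
        // many IPs still add up. Trade-off: anyone who knows an address can
        // lock it; a looser per-IP limit alongside this one is common.
        $account    = strtolower($credentials['email']);
        $attemptKey = 'login-failures:'.$account;
        $lockKey    = 'login-lock:'.$account;

        if (($lockedUntil = Cache::get($lockKey)) !== null) {
            return response()->json(
                ['message' => 'Account temporarily locked. Try again later.'],
                429,
                ['Retry-After' => max(0, $lockedUntil - time())]
            );
        }

        if (! Auth::attempt($credentials)) {
            // Failures expire LOCK_SECONDS after the first one in the window.
            $failures = RateLimiter::hit($attemptKey, self::LOCK_SECONDS);

            if ($failures >= self::MAX_FAILURES) {
                // Fifth failure: start the full lock from this moment and
                // reset the counter so the next window starts clean.
                Cache::put($lockKey, time() + self::LOCK_SECONDS, self::LOCK_SECONDS);
                RateLimiter::clear($attemptKey);
                // Send the warning e-mail here, e.g.
                // User::where('email', $account)->first()?->notify(new AccountLocked());
            }

            // Same message whether or not the account exists: do not leak that.
            return response()->json(['message' => 'Invalid credentials.'], 422);
        }

        // Correct password: forget earlier typos and rotate the session id.
        RateLimiter::clear($attemptKey);
        $request->session()->regenerate();

        return response()->json(['message' => 'Signed in.']);
    }
}
```

Returning the same 422 for unknown and known accounts, and the same lock response regardless of whether the password was right, keeps the endpoint from doubling as a username oracle.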

HTTPS Everywhere

All traffic between your browser and our servers is encrypted with TLS 1.2 or newer. Requests over plain HTTP are redirected to HTTPS, and every response carries an HSTS header, so once your browser has seen it the browser refuses to connect to us over HTTP at all, even if a link or bookmark points to an http:// address.
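As an added example (not SPS's own code), here is Laravel middleware that performs the redirect and sets the HSTS header, with the two details that most often go wrong in practice: trusting the TLS-terminating proxy so the app can tell HTTPS from HTTP, and not sending `preload` before the domain is actually submitted to the preload list. The class name is an assumption; the TLS 1.2+ minimum itself is configured on the proxy or load balancer, not in PHP.

```php
<?php
// Added example, not SPS's code. Class name is hypothetical. Assumes TLS is
// terminated by a proxy/load balancer in front of PHP.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnforceHttps
{
    // One year, including subdomains. Add "; preload" only after submitting
    // the domain to the HSTS preload list: preloading is hard to undo.
    private const HSTS = 'max-age=31536000; includeSubDomains';

    public function handle(Request $request, Closure $next): Response
    {
        // Behind a proxy, $request->secure() is only true when the proxy is
        // trusted (TrustProxies middleware, or $middleware->trustProxies()
        // in Laravel 11's bootstrap/app.php). Otherwise every request looks
        // like plain HTTP and this redirect loops forever.
        if (! $request->secure() && app()->isProduction()) {
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // Browsers ignore HSTS received over plain HTTP, so the header only
        // does its job on the HTTPS responses that reach this line.
        $response->headers->set('Strict-Transport-Security', self::HSTS);

        return $response;
    }
}

// Register it globally (Laravel 11, bootstrap/app.php):
//   ->withMiddleware(fn (Middleware $middleware) => $middleware->append(EnforceHttps::class))
// and make generated URLs https as well (AppServiceProvider::boot):
//   URL::forceScheme('https');
```

A quick check from a shell: `curl -sI http://example.test/` should return `301` with a `Location: https://...`, and `curl -sI https://example.test/` should include the `Strict-Transport-Security` line.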

CSRF Protection

Every form and every state-changing API request must carry a CSRF token that is tied to your session. A malicious website can make your browser send a request to SPS, but it cannot read your token, so a request without the right token is rejected and no action is taken on your behalf.

SQL Injection Prevention

All database queries go through Laravel's Eloquent ORM and query builder, which send user-supplied values to the database as bound parameters rather than pasting them into the SQL text. Whatever you type is treated as data, never as part of the query.
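To make the distinction concrete, the added example below (not SPS's own code) writes the same lookup three ways: the injectable string-interpolation form, the same raw SQL with a bound parameter, and the Eloquent form. It also covers the one place parameter binding cannot help, which is identifiers such as column names in `orderBy`. The `Portfolio` model and the `portfolios` table are assumptions.

```php
<?php
// Added example, not SPS's code. Model and table names are hypothetical.

use App\Models\Portfolio;
use Illuminate\Support\Facades\DB;

// VULNERABLE: user input pasted into the SQL text. With
//   $name = "x' OR '1'='1"
// the WHERE clause is always true and every row comes back; with a
// semicolon the attacker can append further statements.
function findPortfoliosUnsafe(string $name): array
{
    return DB::select("SELECT * FROM portfolios WHERE name = '$name'");
}

// SAFE: identical SQL, but the value travels to the database as a bound
// parameter. The quote in "x' OR '1'='1" is just a character in a string.
function findPortfoliosBound(string $name): array
{
    return DB::select('SELECT * FROM portfolios WHERE name = ?', [$name]);
}

// SAFE and idiomatic: Eloquent builds the parameterised statement itself.
function findPortfolios(string $name)
{
    return Portfolio::where('name', $name)->get();
}

// Raw fragments are fine as long as values still go through bindings:
function portfoliosAbove(float $minValue)
{
    return Portfolio::whereRaw('value > ?', [$minValue])->get();
}

// The trap: column names and sort directions are identifiers, not values,
// and cannot be bound. Validate them against an allow-list instead of
// passing user input to orderByRaw() or into a "$column" string.
function sortedPortfolios(string $column, string $direction)
{
    $allowed   = ['name', 'created_at', 'value'];
    $column    = in_array($column, $allowed, true) ? $column : 'created_at';
    $direction = strtolower($direction) === 'asc' ? 'asc' : 'desc';

    // orderBy() quotes the identifier; combined with the allow-list above,
    // user input can only ever select one of three known columns.
    return Portfolio::orderBy($column, $direction)->get();
    // Never: Portfolio::orderByRaw("$column $direction")
}
```

A useful review habit is to grep the code base for `DB::raw`, `whereRaw`, `orderByRaw`, `selectRaw` and `DB::select(`/`DB::statement(` and confirm that every variable in those strings is either a binding or an allow-listed identifier.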

Infrastructure & Backups

The application runs in an isolated container environment with a minimal attack surface. Automated daily database backups are encrypted and stored in a separate geographic region. Backups are tested monthly.

Payment Security

We never store card numbers or full payment credentials. All payment processing is handled directly by PCI-DSS certified gateways (Stripe and m-Pesa). SPS only stores a non-sensitive reference ID.

Found a vulnerability?

We run a responsible disclosure programme. If you discover a security issue, please email us at security@sps.app before publishing it publicly. We aim to acknowledge reports within 24 hours and resolve critical issues within 72 hours.
