Security
Your client list, supplier rates, and quote history are some of the most valuable assets in your business. Here's how we keep them safe.
All traffic is encrypted in transit with TLS 1.2 or higher. Data at rest is encrypted with AES-256 on our hosting provider's managed infrastructure.
Every request is scoped to your company's workspace. Team permissions control who inside your company can view, edit, or export.
Automated daily backups with 30-day retention, stored in a separate region from the primary database.
SafiriPro runs on managed cloud infrastructure with SOC 2 Type II certified providers. Production systems live in locked-down private networks; no database is exposed directly to the internet. Secrets are stored in a dedicated secrets manager, never in code or configuration files.
Role-based permissions — owner, admin, and member roles limit who on your team can access sensitive features like billing, integrations, and exports.
Strong password requirements — minimum length, common-password blocking, and breach-database checks on signup.
Session management — tokens are rotated regularly and revoked on password change or logout from another device.
Internal access is minimal — only a small number of engineers have production access, it's audit-logged, and it requires multi-factor authentication.
Subscription payments are processed by Paystack, a PCI DSS Level 1 certified provider. Full card numbers never touch SafiriPro's servers — we only store a tokenized reference for recurring billing.
Shareable quote links use long, unguessable identifiers — not sequential IDs. On Business and Enterprise plans you can add password protection and expiry dates so links don't remain open forever.
We monitor application health, error rates, authentication anomalies, and infrastructure integrity 24/7. If a security incident occurs, we follow a documented response playbook — contain, investigate, remediate — and notify affected customers within the timelines required by Kenya's Data Protection Act (and applicable GDPR timelines for EU data subjects).
Exportable anytime — you can export contacts, quotes, and inventory to CSV from your account at any time.
Deletable on request — close your account and we delete or anonymize your data within 90 days, subject to required retention for legal and tax purposes.
Not sold, not used for model training — we never sell your data and we never use your content to train third-party AI models.
Found something? We want to hear from you. Email security@safiripro.com with details and, if possible, reproduction steps. We commit to acknowledging reports within 2 business days and keeping you updated until the issue is resolved. Please give us a reasonable window to fix issues before public disclosure.