QuataPay
Legal & Trust

Security at QuataPay

What we do to keep customer funds safe, and how to reach us about vulnerabilities.

Money safety

Customer balances are held as integer XAF — there is no float arithmetic anywhere in the ledger. Every transfer is double-entry, written under SELECT … FOR UPDATE row locks, and protected by a database-level CHECK (balance >= 0) constraint. Idempotency keys on every money-moving endpoint mean network retries can never double-charge.

Account security

  • Passwords hashed with bcrypt cost 12; PINs are rate-limited with a 5-attempt lockout.
  • CSPRNG OTPs (six digits, five-minute TTL) with attempt limits on verification AND send.
  • JWTs use HS256 with strict claim validation; refresh tokens rotate-on-use under DB row locking.
  • Optional 2FA via authenticator apps; recovery codes are generated, displayed once, and never echoed to the server.
  • Admin actions require a per-request IP allowlist check on top of the JWT.

Infrastructure

  • TLS 1.2+ on every external surface. HSTS preload eligible.
  • Mobile clients (iOS + Android) certificate-pin the production API host.
  • PII columns (KYC ID numbers, NIU identifiers, terminal HMAC secrets) are encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256).
  • Mobile-money webhook callbacks are HMAC-signed with a ±5-minute replay window and a 24-hour nonce dedupe.
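
An added example (not QuataPay's code) of how a receiver can enforce the last item: HMAC verification, a ±5-minute timestamp window, and 24-hour nonce dedupe. The signed-message layout, the parameter names, and the in-memory nonce store are assumptions made for illustration.

```python
import hashlib
import hmac
import time

REPLAY_WINDOW_S = 5 * 60      # +/- 5-minute replay window, as stated on the page
NONCE_TTL_S = 24 * 60 * 60    # 24-hour nonce dedupe, as stated on the page


class WebhookVerifier:
    """Verifies HMAC-signed callbacks (hypothetical class; layout is assumed)."""

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock
        self._seen = {}  # nonce -> expiry; a shared store would replace this dict

    def sign(self, timestamp: int, nonce: str, body: bytes) -> str:
        # Assumed canonical form: "<timestamp>.<nonce>." followed by the raw body.
        # Binding timestamp and nonce into the MAC stops an attacker from
        # refreshing them on a captured callback.
        msg = f"{timestamp}.{nonce}.".encode() + body
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def verify(self, timestamp: str, nonce: str, signature: str, body: bytes) -> str:
        now = self._clock()
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return "bad_timestamp"
        # 1. Authenticate first, in constant time, so unauthenticated senders
        #    can never write into the nonce store.
        expected = self.sign(ts, nonce, body)
        if not hmac.compare_digest(expected.encode(), str(signature).encode()):
            return "bad_signature"
        # 2. Reject callbacks dated outside the window in either direction.
        if abs(now - ts) > REPLAY_WINDOW_S:
            return "stale"
        # 3. Drop expired nonces, then refuse any nonce already recorded.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            return "replayed"
        self._seen[nonce] = now + NONCE_TTL_S
        return "ok"
```

Because the nonce is retained far longer than the timestamp window, a captured callback is rejected as a replay inside the window and as stale outside it.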

Reporting a vulnerability

We welcome reports from security researchers. Please email security@quatapay.com with reproduction steps and any supporting material. We aim to acknowledge within two business days. We do not pursue legal action against good-faith research; please give us a reasonable window to remediate before public disclosure.

Regulatory posture

QUATA Digital operates under the regulatory frameworks of the Bank of Central African States (BEAC) and the Central African Banking Commission (COBAC). KYC verification is required before money movement, and, in line with BEAC Circular 2023/012, we do not facilitate cryptocurrency transactions.