Security
Gigva has handled financial transaction data since 2012. Every security measure below is structural, built into how the platform works, not bolted on afterwards.
Platform Status
API Gateway
Operational
Daraja Integration
Operational
Webhook Engine
Operational
Reconciliation Engine
Operational
Database (KE)
Operational
Report Generator
Operational
Auth Service
Operational
Email Delivery
Operational
Data Protection
All customer transaction data is stored on servers physically located in Kenya. No financial or personal data leaves Kenya without your explicit written consent. Fully compliant with the Kenya Data Protection Act 2019.
Sensitive data in the database, including transaction records, personal information, and financial reports, is encrypted at rest using AES-256. Even if the storage medium were compromised, the data remains unreadable.
Every request between your browser and Gigva servers is encrypted using TLS 1.3, the latest and most secure transport protocol. Unencrypted HTTP connections are rejected outright.
Your password is never stored in readable form. We store a bcrypt hash with cost factor 12. Even Gigva engineers cannot read your password. If our database were leaked, your credentials remain protected.
Every database query throughout the application uses parameterised prepared statements. SQL injection is structurally prevented at the code level, not filtered or sanitised as an afterthought.
All account access events and data modification operations are logged with timestamps and IP addresses. Logs are retained for 12 months to support security audits and compliance requirements.
Access to customer data within Gigva is restricted by role. Engineers have no routine access to production data. All access to sensitive systems requires multi-factor authentication and is logged.
Gigva operates fully within the Kenya Data Protection Act 2019. Our Privacy Policy describes exactly what data we collect, how it is used, and your rights as a data subject under Kenyan law.
The Gigva platform is hosted on dedicated infrastructure in Kenya. We operate separate environments for development, staging, and production. No customer data is present in development or staging environments.
The Daraja API integration uses dedicated, credentialed connections per customer account. Your Safaricom M-Pesa Daraja credentials are stored encrypted and are never exposed in API responses, logs, or error messages.
The reconciliation engine processes incoming C2B webhook events with idempotency guarantees: duplicate webhook deliveries from Safaricom do not result in duplicate transaction records. All webhook endpoints validate the source and signature before processing.
If you believe you have found a security vulnerability in Gigva, please contact our security team directly. We take every report seriously, investigate promptly, and aim to communicate resolution timelines within 48 hours of receiving a valid report.
Read our Privacy Policy for full details on data handling, or get in touch with our team.