We take the security of your business data seriously. Here is exactly what we do to protect it.
All sensitive data — including API keys, payment credentials and personal information — is encrypted with AES-256-GCM before storage. Encryption keys are managed separately from data.
All traffic between your browser and CBMS uses TLS 1.3 minimum. Internal service-to-service communication uses mutual TLS (mTLS) with certificate verification.
Each tenant gets a unique RSA-2048 key pair. Tokens are signed with your private key and verified against your public key — cross-tenant token forgery is mathematically impossible.
Every business has a fully isolated database environment. A middleware layer enforces tenant isolation on every API request — one tenant can never access another\'s data, even with a valid token.
Every billable action, authentication event, and administrative change is written to an append-only audit log with a unique trace ID linking related events across services.
Every payment, AI call and communication event is guarded by idempotency keys — duplicate requests cannot result in double charges or double sends.
has_api_key — never the key itself.cbms_admin role — frontend hiding alone is never relied upon.If you discover a security vulnerability in CBMS, please report it responsibly before disclosing it publicly. We will acknowledge your report within 24 hours and work to resolve critical issues within 7 days.
Report security vulnerabilities to: security@cbms.com.ng
Please include steps to reproduce, severity assessment, and your contact details. We do not currently run a bug bounty programme, but we recognise significant contributions publicly with your consent.