Security at CBMS

We take the security of your business data seriously. Here is exactly what we do to protect it.

AES-256 Encryption at Rest

All sensitive data — including API keys, payment credentials and personal information — is encrypted with AES-256-GCM before storage. Encryption keys are managed separately from data.

TLS 1.3 in Transit

All traffic between your browser and CBMS uses TLS 1.3 minimum. Internal service-to-service communication uses mutual TLS (mTLS) with certificate verification.

RS256 JWT Authentication

Each tenant gets a unique RSA-2048 key pair. Tokens are signed with your private key and verified against your public key — cross-tenant token forgery is mathematically impossible.

Tenant Isolation

Every business has a fully isolated database environment. A middleware layer enforces tenant isolation on every API request — one tenant can never access another\'s data, even with a valid token.

Full Audit Logging

Every billable action, authentication event, and administrative change is written to an append-only audit log with a unique trace ID linking related events across services.

Idempotent Operations

Every payment, AI call and communication event is guarded by idempotency keys — duplicate requests cannot result in double charges or double sends.

Infrastructure Security


Payment Security


AI and API Key Security


Access Control


Compliance

NDPR Compliant
Nigeria Data Protection Regulation
SSL / TLS 1.3
Encrypted in transit
PCI-DSS Aware
Card data handled by certified processors

Responsible Disclosure

If you discover a security vulnerability in CBMS, please report it responsibly before disclosing it publicly. We will acknowledge your report within 24 hours and work to resolve critical issues within 7 days.

Report security vulnerabilities to: security@cbms.com.ng
Please include steps to reproduce, severity assessment, and your contact details. We do not currently run a bug bounty programme, but we recognise significant contributions publicly with your consent.