Built for African business — secured to global standards
POPIA-aligned, encrypted end-to-end, with audited payment processors and database-enforced tenant isolation.
Encrypted in transit & at rest
Every request is served over TLS 1.3. Customer data, orders and credentials are encrypted at rest using AES-256 by our managed Postgres provider.
Row-Level Security on every table
We use Postgres Row-Level Security (RLS). A user can never read or write another tenant's row — enforced by the database, not the app.
Two-factor authentication
TOTP-based 2FA is available on every account. HIBP password breach checks block known-compromised passwords at signup.
Rate-limited public APIs
Every public endpoint (webhooks, share targets, vitals) is rate-limited per IP via a server-side bucket store, with abuse logged to our error stream.
Auditable error & event log
All server errors and sensitive events flow into an internal observability table — not a third party. Your customer data never leaves our infrastructure.
Signed webhooks
Inbound payment & WhatsApp webhooks are HMAC-verified (SHA-512 for Paystack, SHA-256 for WhatsApp) before any record is written.
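An illustration of the check described above, added here as an example and not taken from Ubuntu BizBox's own code: the HMAC is computed over the raw request bytes and compared in constant time before the payload is parsed or stored. The header names are the ones Paystack and Meta document; the secret, payload and the sign, verify_webhook and handle_webhook helpers are constructed for the example.

```python
import hashlib
import hmac
import json

# provider -> (signature header, hash function, value prefix)
PROVIDERS = {
    "paystack": ("x-paystack-signature", hashlib.sha512, ""),
    "whatsapp": ("x-hub-signature-256", hashlib.sha256, "sha256="),
}


def sign(provider, secret, raw_body):
    """Build the header value a sender would attach (used for the sample data)."""
    _, digest, prefix = PROVIDERS[provider]
    return prefix + hmac.new(secret, raw_body, digest).hexdigest()


def verify_webhook(provider, secret, raw_body, headers):
    """True only if the signature header matches HMAC(secret, raw_body)."""
    if provider not in PROVIDERS:
        return False
    header_name, digest, prefix = PROVIDERS[provider]
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(header_name)
    if not received or not received.startswith(prefix):
        return False
    received_hex = received[len(prefix):].strip().lower()
    expected_hex = hmac.new(secret, raw_body, digest).hexdigest()
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected_hex.encode(), received_hex.encode())


def handle_webhook(provider, secret, raw_body, headers, store):
    """Reject unsigned or tampered requests before parsing or writing anything."""
    if not verify_webhook(provider, secret, raw_body, headers):
        return 401
    # Parse the same bytes that were verified, never a re-serialised copy.
    store.append(json.loads(raw_body))
    return 200


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed, not a real key
    body = b'{"event":"charge.success","data":{"amount":5000}}'  # constructed
    records = []
    headers = {"X-Paystack-Signature": sign("paystack", secret, body)}
    print(handle_webhook("paystack", secret, body, headers, records))         # valid
    print(handle_webhook("paystack", secret, body + b" ", headers, records))  # tampered
```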
POPIA & data protection
Ubuntu BizBox is built to help South African businesses comply with the Protection of Personal Information Act (POPIA). Customer records you collect through our platform stay your property — we process them on your behalf as an operator.
You can export, anonymise or delete any customer record from your dashboard. Data subject requests (access, correction, deletion) can be served end-to-end without a support ticket.
For Kenyan businesses we follow the equivalent obligations under the Data Protection Act, 2019. Our M-Pesa integration uses Safaricom's official Daraja API — no third-party bridges, no shared accounts.
Who handles your data
We use a small, audited set of named sub-processors. No anonymous third parties touch your customers.
Have a security question?
For vulnerability reports or compliance questionnaires, reach our team — we reply within one business day.