Security & Trust

Security is not a feature. It's a responsibility.

We are building financial infrastructure people will rely on to save, contribute, and access capital together. Protecting funds, data and trust is the work — at every level of the platform.

01 · Our approach

A security-first architecture, grounded in three principles.

01 · CUSTODY

Protect user funds

All value movement on the platform is tracked, recorded, and auditable. As we scale, funds will be held and processed through licensed financial partners and secure payment rails appropriate to each region.

02 · DATA

Protect user data

We minimise the data we collect and secure what we store. Personal and financial information is protected with PBKDF2-SHA256 password hashing (260,000 iterations), industry-standard encryption in transit, and strict access controls.

03 · INTEGRITY

Build for trust at scale

Every transaction, contribution, and payout is logged and traceable. Our systems are designed to increase transparency while making misuse and manipulation structurally hard — not optional.

02 · Data protection & privacy

Aligned with global privacy standards from day one.

We are committed to aligning with global data protection standards as we expand. Privacy is not retrofitted — it is part of how the platform is engineered.

  • GDPR-aligned — General Data Protection Regulation compliance for users in the European Union
  • Data minimisation — we collect only what is necessary to deliver the service
  • User rights — access, correction, and deletion of personal data on request
  • Encryption in transit & at rest — modern cryptographic standards across all data flows
  • Regional adaptation — as we expand, we adapt to local data protection laws and frameworks
03 · Account & access security

Sensitive data is only visible to clearly defined roles.

SOHANA enforces role-based access control across every administrative and operational function. Each role sees only what its responsibilities require — verified at every request.

Role
User data
Funds
KYC
Sys config
Member Standard user account
Operations Day-to-day support
Compliance AML / KYC review
CFO / CCO Financial controllers
CTO Engineering lead
CEO Executive
Full access Scoped access No access
SECURE AUTH
PBKDF2-SHA256 password hashing · 260,000 iterations · per-user random salt
SESSION SECURITY
SameSite=Lax cookies · server-side session validation · automatic logout on revocation
MFA · COMING Q3 2026
SMS & TOTP authenticator support for sensitive actions and admin logins
DEVICE MONITOR · COMING
Device fingerprinting and session monitoring with anomaly alerts
04 · Platform integrity

Every transaction is logged, traceable, and verifiable.

Contributions, payouts, and balances are accurate because every operation leaves an audit trail. We are building safeguards that detect anomalies the moment they occur.

  • Real-time transaction logging — every wallet movement is captured the moment it happens, with cryptographic linkage between entries
  • Automated anomaly checks — pattern monitoring for unusual volume, frequency, or timing of operations
  • Audit trails on every operation — admin actions, KYC decisions, freeze/unfreeze events, all timestamped and attributed
  • Internal controls for organisers — circle creators and pool admins operate within scoped permissions, never arbitrary ones
05 · Payments & financial infrastructure

Built on licensed rails, region by region.

As we integrate real-money functionality, every market gets the rails that match its regulatory and infrastructure realities. We never run unlicensed value movement.

Licensed payment providers — partnerships in progress with regulated EMIs and PIs in each launch market
Secure APIs — TLS 1.3, request signing, replay protection on every external call
Region-specific rails — bank transfers, mobile money, card networks — chosen per jurisdiction
06 · Security roadmap

Implementation phased to match risk with maturity.

Security is an ongoing process, not a milestone. Here's what is in place today, what's shipping next, and what we are building toward as we scale toward real-money operation.

Phase 01
Q2 2026 · Live

Foundation security · MVP

  • PBKDF2-SHA256 password hashing
  • Per-user random salts
  • SameSite session cookies
  • Role-based access (RBAC)
  • Server-side session validation
  • Account freeze / unfreeze controls
  • HTTPS enforcement
  • KYC submission + review pipeline
Phase 03
Q4 2026 — Q1 2027

Real-money & fraud detection

  • Licensed EMI / PI partnerships live
  • Funds segregation operational
  • Real-time fraud scoring engine
  • Transaction velocity controls
  • AML transaction monitoring
  • SOC 2 Type I readiness
  • Encrypted backups with key rotation
Phase 04
2027 +

Enterprise-grade & multi-jurisdiction

  • Regulatory authorisations live
  • SOC 2 Type II certification
  • ISO 27001 certification
  • HSM-based key management
  • Cross-border compliance frameworks
  • Continuous penetration testing
  • Cryptographic transaction proofs

Specific timelines depend on regulatory approval cadence, partner availability, and capital deployment. Updates published quarterly.

07 · Continuous improvement

Security is a practice, not a product.

The threat landscape changes monthly. Our infrastructure, monitoring, and review cadence must too. We commit to ongoing internal review, third-party audits as we scale, and adaptation as new risks and technologies emerge.

If a security issue arises — our commitments

We treat incidents with the seriousness they deserve. We do not minimise, we do not delay, and we do not communicate by silence.

STEP 01 · ACT

Act quickly

Contain the issue and protect affected users immediately, before public disclosure.

STEP 02 · COMMUNICATE

Communicate clearly

Notify affected users directly, with plain-language information about what happened and what to do.

STEP 03 · RESOLVE

Resolve responsibly

Publish a post-incident report describing root cause and the changes made to prevent recurrence.

08 · Shared responsibility

Security is built into the platform — and shared with our users.

The strongest infrastructure can still be undermined by a weak password or a moment of phishing. Here's how to do your part.

🔑

Strong, unique passwords

Use a long, unique password per service. We recommend a password manager — and we'll prompt you when yours looks weak.

Phishing awareness

SOHANA will never ask for your password by email, SMS, or phone. If a message looks off, do not click — log in directly via sohana.app.

Responsible group participation

Only join circles with people you actually trust. Use our reporting tools if a member or organiser behaves outside the rules.

Sohana is built on trust. Security is how we protect it.

Have a security concern, a vulnerability to report, or want to learn more about our practices?

Join the platform Read our story

Report a vulnerability: security@sohana.app