FinovaMax Security White Paper
The full architecture, control-by-control, with a control-to-standard mapping and glossary.
Defence in depth
No single control is load-bearing on its own. Encryption protects data at rest; tenant isolation contains blast radius; an immutable audit log makes every action provable; and privacy controls enforce data-subject rights and breach-notification deadlines as platform behaviour, not policy documents.
What the platform protects
- Encryption. Versioned AES-256-GCM at rest with automated key rotation across 130+ columns and 40+ tables (PCI DSS 3.6.3); TLS in transit.
- Identity & access. TOTP two-factor authentication, role-based least-privilege access, and session controls to PCI DSS 8.1.8 (idle timeout, JWT rotation, account lockout).
- API security. HMAC-SHA256 authentication, 17 granular scopes, SSRF prevention, constant-time key validation, rate limiting, and CSRF double-submit cookies.
- Multi-tenant isolation. Logical isolation enforced at the data and query layer; per-tenant configuration and hosting jurisdiction.
- Immutable audit trail. Hash-chain audit log with full action context and ten-year retention; examiner-ready exports.
- PII protection. Automatic masking of BVN, NIN, PAN, and JWT tokens in all log output; audit and operational logs kept separate.
- Data privacy (NDPA 2023 / GAID). Data-subject-rights workflows (§§34–38), a 72-hour NDPC breach-notification tracker (§40), and DPO & registration records (§32 / §44).
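As an added illustration of what the hash-chain audit log above buys an examiner (example code written for this page, not FinovaMax's implementation): each entry's hash commits to its own action context and to the previous entry's hash, so an in-place edit, or an edit with a recomputed hash, is detected at the first entry that no longer fits the chain. The field names, the SHA-256 choice and the sample entries are assumptions.

```python
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64  # anchor for the first entry; SHA-256 hex digests are an assumption


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation: every verifier must hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, actor: str, action: str, tenant: str, context: dict) -> dict:
    # The hash commits to the entry's full context and to the previous entry's hash.
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {"seq": len(log), "actor": actor, "action": action,
             "tenant": tenant, "context": context, "prev_hash": prev_hash}
    entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log: list):
    # Returns (True, None) if intact, else (False, index of the first entry that breaks the chain).
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != expected_prev:
            return False, i
        if not hmac.compare_digest(hashlib.sha256(_canonical(body)).hexdigest(), entry["hash"]):
            return False, i
        expected_prev = entry["hash"]
    return True, None


def demo() -> dict:
    # Constructed sample entries, then two tampering cases that verify_chain must catch.
    log = []
    append_entry(log, "ops@example.test", "disbursement.approve", "tenant-a", {"amount": 100})
    append_entry(log, "ops@example.test", "disbursement.approve", "tenant-a", {"amount": 250})
    append_entry(log, "admin@example.test", "role.grant", "tenant-a", {"role": "auditor"})
    results = {"intact": verify_chain(log)}
    edited = json.loads(json.dumps(log))  # deep copy of the log
    edited[1]["context"]["amount"] = 5    # case 1: in-place edit, entry 1's hash no longer matches
    results["edited_in_place"] = verify_chain(edited)
    body = {k: v for k, v in edited[1].items() if k != "hash"}
    edited[1]["hash"] = hashlib.sha256(_canonical(body)).hexdigest()  # case 2: edit and rehash entry 1
    results["edited_and_rehashed"] = verify_chain(edited)  # entry 2's prev_hash now disagrees
    return results
```

Ten-year retention only helps if the verifier can re-run this check over the exported chain, which is why the export must carry prev_hash and hash for every entry, not just the action fields.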
Certification posture
FinovaMax is engineered against PCI DSS v4.0 and ISO 27001:2022 control standards today — controls implemented, not yet certified. The formal QSA-led audit and certification path is co-timed with our founding customer's go-live: that production environment becomes the certified reference architecture for the public certification statement.
Evaluating FinovaMax?
We share deeper implementation detail under NDA during a security evaluation.
Apex Grid Technologies Ltd · RC 9108833 · Lagos & Abuja, Nigeria