1. Encryption in transit and at rest
- All connections to qrpaylink.com, our dashboards and APIs use TLS 1.2+ (HTTPS).
- HTTP Strict Transport Security (HSTS) is enforced on the production domain.
- Sensitive fields (passwords, ID documents, selfies) are encrypted at rest in our database.
- Passwords are stored as one-way bcrypt hashes — they cannot be recovered, only reset.
2. Payment security
QRPayLink does not store full card numbers, CVVs or PINs. All card data is captured directly by Paystack, which is certified PCI-DSS Level 1 — the highest standard for payment-card processors. We only receive a tokenised reference and the result (success/failure).
3. Authentication & account protection
- JSON Web Tokens are delivered as HttpOnly, Secure, SameSite=None cookies, which mitigates XSS exfiltration and works across our production domain and API host.
- Server-side session invalidation on logout and password change.
- Brute-force protection on login (exponential back-off + IP rate limiting).
- Email-based password reset with single-use tokens that expire in 30 minutes.
- (Roadmap) Optional Two-Factor Authentication via authenticator apps and SMS OTP.
4. Fraud monitoring
- Real-time transaction risk-scoring on every payment (velocity, geo, device, BIN, IP reputation).
- Continuous sanctions / PEP / watch-list screening of merchants and beneficiaries.
- Automated alerts on suspicious patterns trigger manual review.
- Dedicated Money Laundering Reporting Officer (MLRO) with escalation paths to Paystack and local Financial Intelligence Units.
5. Infrastructure & server security
- Production workloads run on hardened cloud infrastructure with network segmentation, private subnets and least-privilege IAM.
- Database access is restricted to a small set of named engineers and audited.
- Automatic backups with point-in-time recovery; backups encrypted with provider-managed keys.
- Web Application Firewall (WAF) and DDoS protection at the edge.
- Continuous dependency scanning and patching of OS, language runtimes and libraries.
6. Application security
- OWASP Top 10 mitigations: parameterised queries, output encoding, CSRF protection on state-changing endpoints, strict CORS.
- Content Security Policy and Strict-Transport-Security headers on all responses.
- Code review on every change, including static analysis and linting on every pull request.
- Secrets stored in environment variables, never committed to source control.
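The header and cookie controls named in sections 1, 3 and 6 (HSTS, Content Security Policy, and the HttpOnly / Secure / SameSite=None cookie attributes) can be verified from a response's headers. The following is an added example, not QRPayLink's own code; the cookie name `session` and both sample responses are constructed assumptions.

```python
# Added example (not QRPayLink code); cookie name "session" and sample responses are constructed.
GOOD = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "session=constructed.jwt.value; Path=/; HttpOnly; Secure; SameSite=None"),
]
WEAK = [
    ("Strict-Transport-Security", "max-age=0"),
    ("Set-Cookie", "session=constructed.jwt.value; Path=/; SameSite=None"),
]

def parse_set_cookie(value):
    """Return (cookie name, {lower-cased attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0], attrs

def hsts_max_age(value):
    """Return max-age in seconds, or None if the directive is absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().strip('"').isdigit():
            return int(val.strip().strip('"'))
    return None

def audit(headers, session_cookie="session"):
    """Return a list of findings; an empty list means every check passed."""
    by_name, findings = {}, []
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    hsts = by_name.get("strict-transport-security")
    if not hsts or not hsts_max_age(hsts[0]):
        findings.append("HSTS missing or max-age=0 (max-age=0 clears the policy)")
    if "content-security-policy" not in by_name:
        findings.append("Content-Security-Policy missing")
    cookies = dict(parse_set_cookie(v) for v in by_name.get("set-cookie", []))
    attrs = cookies.get(session_cookie)
    if attrs is None:
        return findings + [f"no Set-Cookie for '{session_cookie}'"]
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: page scripts can read the token")
    if "secure" not in attrs:
        findings.append("Secure missing: cookie may be sent over plain HTTP")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: current browsers reject the cookie")
    return findings
```

Because SameSite=None cookies are sent on cross-site requests, a clean result here still relies on the CSRF protection and strict CORS listed in this section.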
7. Privacy by design
We collect the minimum data needed to deliver the service. Merchant and customer data is not sold, shared with advertisers or used for cross-product targeting. See our Privacy Policy for the full details of what we collect and how it is used.
8. KYC document handling
Documents you upload for KYC (ID, selfie, business registration) are:
- Encrypted at rest and accessible only to authorised compliance reviewers.
- Never displayed publicly, never used outside of regulatory and verification purposes.
- Retained for seven (7) years as required by AML law, after which they are securely destroyed.
9. Responsible disclosure
If you discover a security issue in QRPayLink we want to hear about it. Please:
- Email security@qrpaylink.com with details and reproduction steps.
- Give us a reasonable time to remediate before public disclosure (typically 90 days).
- Do not access customer data, run automated scanners that affect production, or perform social-engineering attacks against staff.
We commit to acknowledging reports within 48 hours, keeping you updated, and publicly crediting researchers who help us harden the platform (with their permission).
10. Incident response
In the rare event of a security incident affecting merchant or customer data, we will:
- Investigate and contain the issue under our written incident-response plan.
- Notify affected merchants and (where required by law) regulators within 72 hours.
- Publish a post-mortem describing what happened and what we changed to prevent recurrence.
11. Contact
Security questions? Email security@qrpaylink.com.
