This page is maintained by Koda to answer common security and privacy questions about the product. It is not a certification.
Koda is a financial technology company, not a bank. Your money sits at CBN-licensed partner banks (Wema, Providus) accessed via Anchor.
Data is encrypted in transit (TLS 1.3) and at rest. Secrets are managed by an HSM-backed key store, never in code or logs.
Every business's data is isolated with row-level security at the database, scoped to that business by a server-verified session — deny by default.
Sign-in supports a second factor, and sessions and devices are visible and revocable from account settings.
Every admin action and money movement is logged on an append-only trail — reversed, never edited, if something needs correcting.
BVN and NIN are processed by licensed KYC partners (NIBSS, VerifyMe). We store only what we must, always masked in the UI.
We comply with the Nigeria Data Protection Act. You can request access, correction, or deletion of your data at any time.
Card PANs and full BVN/NIN — these are tokenized by our partners, not stored on Koda's servers.
If you believe you've found a vulnerability in Koda, please report it privately so we can investigate before any public disclosure. We won't pursue legal action against good-faith, non-destructive research reported this way.
security@koda.ng