Security & Trust

How we protect your money and your data.

This page is maintained by Koda to answer common security and privacy questions about the product. It is not a certification.

Practices

What's actually true about how Koda is built.

Banking via licensed partners

Koda is a financial technology company, not a bank. Your money sits at CBN-licensed partner banks (Wema, Providus) accessed via Anchor.

Encryption at rest & in transit

Data is encrypted in transit (TLS 1.3) and at rest. Secrets are managed by an HSM-backed key store, never in code or logs.

Tenant isolation (RLS)

Every business's data is isolated with row-level security at the database, scoped to that business by a server-verified session — deny by default.

Two-factor authentication

Sign-in supports a second factor, and sessions and devices are visible and revocable from account settings.

Audit trails

Every admin action and money movement is logged on an append-only trail — reversed, never edited, if something needs correcting.

KYC / identity

BVN and NIN are processed by licensed KYC partners (NIBSS, VerifyMe). We store only what we must, always masked in the UI.

NDPA compliance

We comply with the Nigeria Data Protection Act. You can request access, correction, or deletion of your data at any time.

What Koda doesn't hold

Card PANs and full BVN/NIN — these are tokenized by our partners, not stored on Koda's servers.

Found a security issue?

If you believe you've found a vulnerability in Koda, please report it privately so we can investigate before any public disclosure. We won't pursue legal action against good-faith, non-destructive research reported this way.

security@koda.ng
Get started

Run your business on infrastructure built to hold money.