Security & compliance your regulator can sign off on.
Aminata.ai is engineered for banks, Saccos, mobile money operators and regulated enterprises. This page is our public commitment on how we protect your data, your customers and your licence to operate.
Defence in depth, by design.
Every layer — edge, application, data and human — is hardened and independently auditable.
TLS 1.2+ in transit, AES-256 at rest, KMS-managed keys, and an encrypted voiceprint vault for VoxID.
SSO, MFA, SCIM provisioning, role-based access control, OAuth 2.0, signed API tokens, least-privilege everywhere.
Tamper-evident logs with hash-chain integrity. Every analyst decision is signed, time-stamped and exportable to your regulator.
Configurable data residency, data minimisation by default, customer-controlled retention, and right-to-erasure workflows.
Continuous dependency scanning, secure-SDLC, code reviews, secret scanning, and third-party penetration testing.
Sensitive actions require analyst approval. Supervisor dashboards, four-eyes controls and escalation policies enforce governance.
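The hash-chain integrity described above, as an added illustration written for this page rather than Aminata.ai's own code: each audit entry embeds the hash of the previous entry and carries an HMAC-SHA256 signature over its own canonical bytes, so editing, deleting or reordering a past analyst decision is detected on verification. The field names, the HMAC scheme, the in-code key and the sample entries are assumptions for the example; a real deployment would sign with a KMS- or HSM-held key.

```python
"""Illustrative hash-chained, signed audit log with tamper detection.

Added example, not Aminata.ai's implementation. Entry fields, the
HMAC-SHA256 signing scheme and the embedded key are assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumed: in production this key lives in a KMS/HSM, never in source.
SIGNING_KEY = b"example-signing-key-do-not-use"
GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(record: dict) -> bytes:
    """Deterministic JSON so every verifier hashes identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[dict], analyst: str, action: str,
                 ts: Optional[str] = None) -> dict:
    """Append an entry chained to the previous one and signed; return it."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "analyst": analyst,
        "action": action,
        "prev_hash": prev_hash,
    }
    # Signature covers the unsigned body; entry_hash covers body + signature.
    body["sig"] = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    body["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    log.append(body)
    return body


def verify_log(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, index of first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        # Sequence and back-pointer catch deletions and reordering.
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False, i
        unsigned = {k: v for k, v in entry.items() if k not in ("sig", "entry_hash")}
        expected_sig = hmac.new(SIGNING_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, entry.get("sig", "")):
            return False, i  # field edited or signed with a different key
        signed = {k: v for k, v in entry.items() if k != "entry_hash"}
        if hashlib.sha256(_canonical(signed)).hexdigest() != entry.get("entry_hash"):
            return False, i
        prev_hash = entry["entry_hash"]
    return True, None


def _sample_log() -> List[dict]:
    """Constructed sample entries (not real data)."""
    log: List[dict] = []
    append_entry(log, "a.otieno", "approve_disbursement:TXN-1", ts="2024-01-01T00:00:00+00:00")
    append_entry(log, "a.otieno", "flag_account:ACC-9", ts="2024-01-01T00:01:00+00:00")
    append_entry(log, "supervisor", "escalate:ACC-9", ts="2024-01-01T00:02:00+00:00")
    return log


def demo_tamper() -> Tuple[bool, Optional[int]]:
    """An attacker with DB access rewrites a past decision in place."""
    log = _sample_log()
    log[1]["action"] = "clear_account:ACC-9"
    return verify_log(log)


def demo_delete() -> Tuple[bool, Optional[int]]:
    """An attacker deletes the flagging decision outright."""
    log = _sample_log()
    del log[1]
    return verify_log(log)


if __name__ == "__main__":
    print("intact:", verify_log(_sample_log()))
    print("edited:", demo_tamper())
    print("deleted:", demo_delete())
```

Note that the chain alone only proves internal consistency; an attacker who also holds the signing key can rewrite the whole tail. That is why the key must sit outside the application database and why periodic chain heads should be exported to the customer or regulator, so a rewritten history can be compared against an anchor they already hold.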
Hardened at the perimeter.
Aminata.ai sits behind Cloudflare's global anycast network. Bad traffic is dropped before it ever reaches our origin.
330+ PoPs absorb volumetric attacks. Managed WAF rulesets block OWASP Top 10 attack patterns, newly disclosed CVEs as Cloudflare publishes rules for them, and credential-stuffing patterns.
Suspicious automation receives a managed challenge, while verified bots (Googlebot, uptime monitors) and real humans pass through untouched.
DDoS, WAF-spike and origin-health alerts page our on-call team within seconds, so "Under Attack" mode stays off during normal operations.
Aligned to the frameworks your regulator already trusts.
Independent certifications are issued and renewed on a rolling basis. Request the current SOC 2 / ISO report and DPIA template from your account team.
The same platform — tuned to your supervisory regime.
Aligned to CBK Risk Management Guidelines, KYC/AML, sanctions screening and the BCBS 239 data-quality principles.
Built for SASRA reporting cadence, member-data protection and tiered approval matrices for fraud and disbursement events.
Telcos, mobile money providers and insurers get full evidence packs, signed audit trails and regulator-ready exports.
A defined playbook, every time.
Whenever something abnormal happens — DDoS surge, suspicious sign-in pattern, dependency CVE — this is how we react.
- T+0 Detect: Automated monitors, WAF events and customer reports open an incident.
- T+15m Triage: Severity assigned (Sev-1 to Sev-4). On-call engineer and security lead engaged.
- T+60m Contain: Mitigation rolled out at the edge (Cloudflare), in the application, or at the data layer.
- T+24h Notify: Customers notified per contract. Regulator notification when materiality thresholds are met.
- T+5d Post-mortem: Blameless RCA shared with affected customers; preventive actions tracked to closure.
The vendors that help us serve you.
This list is kept current. Material changes are communicated in advance.
| Vendor | Purpose | Region |
|---|---|---|
| Cloudflare | DDoS protection, WAF, CDN, DNS | Global anycast |
| Supabase / Postgres | Application database & auth | EU / configurable |
| OpenAI / Anthropic via gateway | LLM inference (no training) | EU/US |
| Resend / Mailgun | Transactional email delivery | EU/US |
See something? Tell us — we'll fix it.
We welcome reports from security researchers. Please email security@aminata.ai with reproducible steps. We commit to acknowledge within one business day, work in good faith on a fix, and credit you on this page once resolved.