Security & Trust

Back to Legal hub
📋 Platform rules

Security & Trust

What we do to keep your money and your data safe. Every claim on this page is substantiated with the specific control that backs it.

Version 1.0 Effective 1 July 2026

Security & Trust

Qonstruct-Mart holds escrowed funds and sensitive personal data. This page explains — with specifics — what we do to keep both safe. Every statement below maps to a concrete control we can demonstrate to an auditor.

Certifications & standards

| Standard | Status | Notes | |---|---|---| | NDPA / NDPR | Compliant | DPO registered with NDPC; annual DPCO audit by KPMG Nigeria | | ISO 27001 | In progress (Stage 1 audit Q3 2026) | Gap-assessment complete; SoA drafted; stage-2 targeted Q1 2027 | | PCI DSS | Out of scope (SAQ-A) | We never touch full card PANs — Paystack + Flutterwave handle the vault | | CBN cyber-security framework | Aligned | We are not a bank; the framework informs our controls where applicable | | NITDA cyber-security standards | Aligned | Full mapping available on request |

When we say "in progress", we mean an engagement is actively underway with a named auditor and a milestone plan — not aspiration.

What we protect + how

Money in escrow

Held at Paystack / Flutterwave in segregated merchant sub-accounts. We do not custody funds ourselves. Release is milestone-gated + investor- voted where applicable, with the 80% financier cap enforced as a hard system rule (any allocation that would breach it is refused at commitment and re-checked at every draw-down).

Personal data

  • Envelope encryption at rest — AES-256-GCM with per-tenant DEK,

master KEK stored in a separate secret store.

  • TLS 1.3 in transit — every request; TLS 1.2 refused.
  • Hashed identifiers — phone, BVN, NIN are hashed at the edge; the

raw value never reaches our application database.

  • Region-locked hosting — production data in Lagos (AWS af-west-1).

See Data Protection Policy §Cross-border transfer for the exhaustive transfer list.

Documents

  • Signed URLs only — every document access is short-lived, single-

use, and tied to the requesting user's session.

  • Region scope on read — regional staff can only pull documents for

the states they cover.

  • Access log — every PII/document read is recorded in the audit-v2

hash chain (see below).

Identity

  • KYC + face vector via Smile Identity — same vendor Kuda, Carbon,

and PiggyVest use. BVN + NIN + selfie liveness check. Stored as an irreversible vector, not the source video.

  • High-risk site check-in — oil, gas, demolition, and work-at-height

sites require a face match at the gate against the enrolled vector.

Authentication

  • Passkeys (WebAuthn) — preferred sign-in. Phishing-resistant.
  • TOTP MFA — required for staff, wallet withdrawals, and every

admin write action.

  • Phone-number auth — with SIM-swap detection using the

carrier snapshot at OTP-send vs OTP-verify.

  • Cooling-off holds — actions of high consequence (change email,

withdraw > ₦5M, replace passkey) sit in a 12–48-hour hold with all your devices notified.

  • Device-bind — every session is bound to a device fingerprint;

session hijack attempts trigger revocation.

  • Mobile attestation — iOS App Attest + Android Play Integrity

verify the app is genuine before we mint a session.

Audit trail — "blockchain-stamped"

The audit-v2 subsystem records every action that touches PII, money, or investor votes in a hash chain: each event's hash includes the previous event's hash. The chain head is notarised monthly to a public timestamping service so we can prove no historical record has been altered.

This is what we mean by "blockchain-stamped" — the notarisation is public + verifiable + doesn't cost each user a wallet. You can request verification of any specific event you took (or that touched your account) at audit@qonstruct-mart.com; the response includes the chain proof.

Anti-fraud

  • Rule engine on every submission (site reports, variation flags,

onboarding). Flagged records are reviewed by Trust & Safety, never auto-suspended.

  • Cooling-off holds — as above.
  • Device fingerprint + session binding — detects credential-theft

reuse.

  • SIM-swap signals — refuse OTP flow if carrier changed between

send + verify.

  • Timing-constant sign-in — prevents user-existence probing.
  • SSRF allowlist — outbound HTTP is restricted to a fixed set of

partner hosts; no arbitrary URLs.

Vulnerability disclosure

Found a vulnerability?

Email security@qonstruct-mart.com with a description + reproduction steps. We will:

  • Acknowledge within 24 hours.
  • Publish a fix or a mitigation plan within 7 days for critical

issues, 30 days for high, 90 days for medium/low.

  • Credit you publicly (with your permission) in our security-changelog.
  • Not pursue legal action against researchers acting in good faith.

Change log

  • v1.0 (July 2026) — first public version.

Contact

  • security@qonstruct-mart.com — vulnerability disclosures
  • dpo@qonstruct-mart.com — data-protection questions
  • support@qonstruct-mart.com — everything else

Questions about this policy? Email legal@qonstruct-mart.com.