Security & Trust
Qonstruct-Mart holds escrowed funds and sensitive personal data. This page explains — with specifics — what we do to keep both safe. Every statement below maps to a concrete control we can demonstrate to an auditor.
Certifications & standards
| Standard | Status | Notes | |---|---|---| | NDPA / NDPR | Compliant | DPO registered with NDPC; annual DPCO audit by KPMG Nigeria | | ISO 27001 | In progress (Stage 1 audit Q3 2026) | Gap-assessment complete; SoA drafted; stage-2 targeted Q1 2027 | | PCI DSS | Out of scope (SAQ-A) | We never touch full card PANs — Paystack + Flutterwave handle the vault | | CBN cyber-security framework | Aligned | We are not a bank; the framework informs our controls where applicable | | NITDA cyber-security standards | Aligned | Full mapping available on request |
When we say "in progress", we mean an engagement is actively underway with a named auditor and a milestone plan — not aspiration.
What we protect + how
Money in escrow
Held at Paystack / Flutterwave in segregated merchant sub-accounts. We do not custody funds ourselves. Release is milestone-gated + investor- voted where applicable, with the 80% financier cap enforced as a hard system rule (any allocation that would breach it is refused at commitment and re-checked at every draw-down).
Personal data
- Envelope encryption at rest — AES-256-GCM with per-tenant DEK,
master KEK stored in a separate secret store.
- TLS 1.3 in transit — every request; TLS 1.2 refused.
- Hashed identifiers — phone, BVN, NIN are hashed at the edge; the
raw value never reaches our application database.
- Region-locked hosting — production data in Lagos (AWS af-west-1).
See Data Protection Policy §Cross-border transfer for the exhaustive transfer list.
Documents
- Signed URLs only — every document access is short-lived, single-
use, and tied to the requesting user's session.
- Region scope on read — regional staff can only pull documents for
the states they cover.
- Access log — every PII/document read is recorded in the audit-v2
hash chain (see below).
Identity
- KYC + face vector via Smile Identity — same vendor Kuda, Carbon,
and PiggyVest use. BVN + NIN + selfie liveness check. Stored as an irreversible vector, not the source video.
- High-risk site check-in — oil, gas, demolition, and work-at-height
sites require a face match at the gate against the enrolled vector.
Authentication
- Passkeys (WebAuthn) — preferred sign-in. Phishing-resistant.
- TOTP MFA — required for staff, wallet withdrawals, and every
admin write action.
- Phone-number auth — with SIM-swap detection using the
carrier snapshot at OTP-send vs OTP-verify.
- Cooling-off holds — actions of high consequence (change email,
withdraw > ₦5M, replace passkey) sit in a 12–48-hour hold with all your devices notified.
- Device-bind — every session is bound to a device fingerprint;
session hijack attempts trigger revocation.
- Mobile attestation — iOS App Attest + Android Play Integrity
verify the app is genuine before we mint a session.
Audit trail — "blockchain-stamped"
The audit-v2 subsystem records every action that touches PII, money, or investor votes in a hash chain: each event's hash includes the previous event's hash. The chain head is notarised monthly to a public timestamping service so we can prove no historical record has been altered.
This is what we mean by "blockchain-stamped" — the notarisation is public + verifiable + doesn't cost each user a wallet. You can request verification of any specific event you took (or that touched your account) at audit@qonstruct-mart.com; the response includes the chain proof.
Anti-fraud
- Rule engine on every submission (site reports, variation flags,
onboarding). Flagged records are reviewed by Trust & Safety, never auto-suspended.
- Cooling-off holds — as above.
- Device fingerprint + session binding — detects credential-theft
reuse.
- SIM-swap signals — refuse OTP flow if carrier changed between
send + verify.
- Timing-constant sign-in — prevents user-existence probing.
- SSRF allowlist — outbound HTTP is restricted to a fixed set of
partner hosts; no arbitrary URLs.
Vulnerability disclosure
Found a vulnerability?
Email security@qonstruct-mart.com with a description + reproduction steps. We will:
- Acknowledge within 24 hours.
- Publish a fix or a mitigation plan within 7 days for critical
issues, 30 days for high, 90 days for medium/low.
- Credit you publicly (with your permission) in our security-changelog.
- Not pursue legal action against researchers acting in good faith.
Change log
- v1.0 (July 2026) — first public version.
Contact
- security@qonstruct-mart.com — vulnerability disclosures
- dpo@qonstruct-mart.com — data-protection questions
- support@qonstruct-mart.com — everything else