Conveya is built for companies managing hundreds of millions of naira in property sales. We take security seriously at every layer of the stack.
Our Commitment
Security is not a feature we ship when it is convenient — it is the foundation everything else is built on. The companies that use Conveya trust us with sensitive financial data, customer PII, and commission records that have real legal and regulatory weight.
Below is an overview of how we protect the data entrusted to us. If you have specific security questions before signing up, write to us at security@conveya.ng.
How We Protect You
All data is encrypted in transit over TLS 1.2+. Data at rest is encrypted at the database layer. Backups are encrypted before storage and retained for 30 days with point-in-time recovery.
Every record carries an organisation ID. Application-level filtering enforces tenant boundaries on every query. Postgres Row-Level Security adds a defence-in-depth layer — a misconfigured query cannot leak cross-tenant data.
Passwords are hashed with Argon2id. Sessions use short-lived JWT access tokens paired with HTTP-only refresh cookies. Role-based access control governs every action within an organisation.
Conveya never holds customer funds. Money flows directly between buyers and companies through their own Paystack or Flutterwave merchant accounts. We are a software vendor, not a payment processor — we carry no merchant risk on your transactions.
The platform runs on DigitalOcean App Platform with managed Postgres and Redis. Production and development environments are fully isolated. All deployments go through automated CI/CD pipelines with zero-downtime rollouts.
Every significant action is recorded in a tamper-resistant audit log — who did what, when, and from which context. Financial records are soft-deleted only, never destroyed. Audit data is retained for the life of the account.
Engineering Practices
Dependency vulnerability scanning on every build
Secrets managed through environment-level config, never in source code
Database connections over private networking — not public internet
Rate limiting and brute-force protection on all authentication endpoints
Webhook payloads verified by signature before processing
Idempotency keys on all outbound gateway calls to prevent duplicate charges
Responsible Disclosure
We take security reports seriously. If you have found a potential vulnerability in Conveya, please report it privately to us so we can address it before disclosure. We commit to acknowledging your report within 2 business days and keeping you updated as we investigate.
Please do not publicly disclose security issues until we have had a chance to address them.