Plain-language summary of the controls, audits, and disclosures behind BomaOS. Updated as we add evidence.
Email + password (12-char minimum, bcrypt cost 12) plus mandatory TOTP for management roles. Account lockout after 5 failed attempts.
JWT signed HS256, 1-hour hard ceiling, 15-minute idle timeout, server-side revocation on logout. HttpOnly + Secure + SameSite=Strict cookies.
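The session policy on this line combines three things a bare JWT cannot do on its own, so as an added example (not BomaOS's code) here is one way to enforce all three server-side: the HS256 signature, a 1-hour `exp` as the hard ceiling, a 15-minute idle window tracked per `jti`, and a revocation set consulted on every request. The key, claim layout and `SessionStore` are constructed for the example.

```python
import base64, hashlib, hmac, json

# Session policy stated on the page: HS256 JWT, 1-hour hard ceiling, 15-minute
# idle timeout, server-side revocation on logout. Key, claim layout and store
# are constructed for this example; they are not BomaOS's own code.
KEY = b"constructed-hs256-key-replace-in-production"
HARD_CEILING = 3600   # seconds; absolute lifetime, never extended
IDLE_TIMEOUT = 900    # seconds; refreshed on each validated request

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def _sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(sub: str, now: int) -> str:
    # exp carries the hard ceiling; jti gives the server a handle for revocation.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "iat": now, "exp": now + HARD_CEILING, "jti": f"{sub}:{now}"}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(header + '.' + body))}"

class SessionStore:
    """Server-side state a bare JWT cannot carry: last activity and revoked jtis."""
    def __init__(self):
        self.last_seen = {}
        self.revoked = set()

    def validate(self, token: str, now: int):
        """Return the subject if every check passes, otherwise None (fail closed)."""
        try:
            header, body, sig = token.split(".")
            # Verify with our own HMAC key first, so alg=none or a tampered payload dies here.
            if not hmac.compare_digest(_sign(header + "." + body), _unb64(sig)):
                return None
            claims = json.loads(_unb64(body))
            jti, exp, iat = claims["jti"], int(claims["exp"]), int(claims["iat"])
        except (ValueError, KeyError, TypeError):
            return None                        # malformed input is rejected
        if jti in self.revoked or now >= exp:
            return None                        # logged out, or past the hard ceiling
        if now - self.last_seen.get(jti, iat) > IDLE_TIMEOUT:
            return None                        # idle for more than 15 minutes
        self.last_seen[jti] = now              # slide the idle window; exp still caps it
        return claims["sub"]

    def logout(self, token: str) -> None:
        jti = json.loads(_unb64(token.split(".")[1]))["jti"]
        self.revoked.add(jti)                  # dead immediately, well before exp
        self.last_seen.pop(jti, None)
```

In a real deployment the store would live in a shared cache so every app instance sees the same revocations and last-seen times; the checks themselves are unchanged.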
13 roles with permission-based visibility. Branch scoping isolates teller data per branch. Maker-checker enforced on dividends and high-value loans.
Login (12 per 15 min), Member 360 (30 per min), loan disbursement (5 per min), admin writes (20 per min). Fails closed under saturation.
TLS 1.2+ on all connections. HSTS enforced. M-Pesa initiator passwords RSA-OAEP encrypted with Safaricom's certificate.
Disk-level encryption on hosting provider volumes. Field-level encryption on member PII columns (KYC, ID, address) is on the roadmap for Q3 2026, not yet in place.
Every member-data access logged under DPA 2019 — actor, IP, resource, purpose. Retained 3 years minimum. Logins, MFA events, money movements, rate changes all logged.
Nightly Postgres backups via pg_dump, retained 30 days. Restore drill cadence: quarterly. Member data export remains in standard SQL — no proprietary lock-in.
One-click full export from the operator dashboard — every member, transaction, loan, and GL entry as a portable ZIP of CSVs. Standard UTF-8, opens in Excel or any database tool. ADMIN role only; rate-limited; logged in the audit trail.
A SACCO board's first technology question is reasonable: "what happens if BomaOS shuts down?" Our answer is in writing in your contract and is one click away in the dashboard.
Every SACCO record — members, savings, loans, transactions, GL — lives in standard Postgres tables. You can re-import the same schema anywhere.
An ADMIN can produce a complete ZIP of the SACCO ledger from the dashboard at any time. Sensitive columns (password hashes, MFA secrets) are never included.
For SACCOs that want a belt-and-braces guarantee: a quarterly snapshot of code + schema is held by an independent escrow agent and released to you if BomaOS ever ceases operations. Available on the Taifa tier — talk to sales.
We publish what we have, what we're working on, and what we don't yet hold. No vague claims.
In place — access logging on all member data, purpose-of-access required, retention policy, biometric consent capture.
ODPC data controller registration: in progress
In place — SASRA Forms 2A through 2H + 4B auto-generated. Capital adequacy and liquidity statements ready for inspection.
In place — automated AML scanner, MLRO dashboard, goAML/FRC submission flow. Sanctions and PEP screening on KYC roadmap.
Sandbox integrated — production accreditation in progress.
Not yet certified. Internal controls map to ISO 27001:2022 Annex A as informational reference. Formal audit planned post-funding.
Not applicable today. BomaOS does not process card data. If we add card issuance, this becomes scope.
A summary report and remediation log will be published here once the engagement concludes. We will publish: auditor name (with permission), finding count by severity, median time-to-fix. We will NOT publish specific exploitation paths or unpatched details.
Last updated: April 2026
If you believe you've found a security issue affecting BomaOS or any SACCO running on it, we want to hear from you.
Email info@bomaos.app
PGP key: to be published at /.well-known/security.txt (not yet available)
Acknowledgement: within 2 business days
Don't access data you don't own. Don't run automated scans against production without notice. Give us reasonable time to fix before public disclosure (90 days standard).
No legal action against good-faith researchers. Public credit (with your permission) once the issue is fixed. Bounty program planned post-funding.
Live status page coming soon at status.bomaos.app — green/red dots for every public endpoint, last 90 days of incidents, and historical uptime.
We share architecture, controls, and audit artefacts under NDA with serious prospects. Walk through with your CISO, IT lead, or board chair.