Security posture

Built to the standards a regulator would ask for

YT Finance handles BVN, banking, and lending data. We treat that with the seriousness it deserves — encrypted in transit and at rest, with controls that map to NDPR and CBN guidance.

Encryption everywhere

TLS 1.2+ for all traffic. AES-256 at rest for borrower data. Field-level encryption for BVN, account numbers and identity artefacts.

Production controls

Two-factor authentication mandatory for all staff. IP allowlists for production access. Secrets rotated quarterly and stored in managed vaults.

Backups & recovery

Point-in-time database backups retained for 30 days. Quarterly recovery drills with a documented RPO under 5 minutes.

Compliance

What we align to.

NDPR (Nigeria Data Protection Regulation)

Borrower data processing flows are mapped, consent is captured at collection, and a data protection officer is named in our privacy policy.

CBN Risk-Based Cybersecurity Framework

Our controls map to the CBN's published framework for OFIs (other financial institutions) and PSPs (payment service providers) — access management, incident response and vendor risk.

PCI DSS scope reduction

YT Finance does not store card data. All card payments are tokenised by PCI DSS Level 1 partners (Flutterwave, Paystack).

ISO 27001 alignment

Our internal information security management system is built against ISO 27001 controls. Formal certification is on the 2026 roadmap.

Infrastructure

The stack underneath.

  • Google Cloud Firestore — regional data residency where required
  • Netlify edge with HSTS preload, COOP and tight CSP headers
  • Firebase Authentication with MFA and session timeouts
  • Signed webhooks for every disbursement and repayment
  • Immutable audit log for every workspace action
  • Quarterly third-party penetration testing
  • Continuous dependency vulnerability scanning
  • Secrets scanning enforced in CI on every commit

Responsible disclosure

Found a vulnerability? Tell us.

If you've identified a security issue in YT Finance, please email security@ytfinancehq.com with a description, reproduction steps, and any supporting material.

We commit to: acknowledging your report within 2 business days, providing a status update within 7 days, and crediting researchers (with permission) in our security hall of fame once a fix is shipped. Please don't access more data than necessary to demonstrate the issue, and don't share details publicly until we've had a reasonable chance to remediate.

See security.txt

Questions about our controls?

We're happy to share our SOC-style security questionnaire, sub-processor list and pen-test summaries with enterprise customers under NDA.