Security
Last updated 8 June 2026
Kycaro handles sensitive identity documents, so we build security into how the service works. This page describes the measures in place today and what we are still improving. We'd rather be honest about both.
What we do today
- Encryption in transit — all traffic is served over HTTPS with automatically renewed TLS certificates.
- Private document storage — uploaded IDs and selfies are never stored in a public location. They are streamed only to you or an authorised reviewer through an authenticated route, never as public files.
- Hashed passwords — passwords are stored only as a salted bcrypt hash; we cannot see your password.
- Session security — sessions use signed, HTTP-only cookies.
- Payment isolation — payments are handled by Paystack, a PCI DSS-compliant processor. Your full card details never touch our servers.
- Upload safeguards — uploads are limited by file type and size, and stored file names are validated so that path-traversal attempts cannot write outside the intended upload location.
- Least-access review — only an authorised admin can view submissions for review.
What we are improving
Security is ongoing. Planned enhancements include encryption of stored documents at rest, detailed access logging, a formal data-retention and deletion schedule, and independent security testing. We will update this page as these land.
Reporting a vulnerability
If you believe you have found a security issue, please tell us before disclosing it publicly. Email hello@kycaro.com with details and steps to reproduce, and we will work with you to resolve it.