Trust centre
The detail behind what we say about security.
Where the data sits, who has access, who else is in the picture, what we plan to be audited against. Published openly so you don't have to ask.
Security
How we run security
Where the data lives
Johannesburg data centre only. No failover region in another country, no cross-border copies
Encryption
TLS 1.2 or higher in transit. Encrypted block volumes at rest
Where the models run
On our own servers in Johannesburg. We do not call third-party AI providers
How people sign in
Hardware key for super-admin. Short-lived (15 minute) tokens for tenant users
Audit trail
Tamper-evident records across admin actions, royalty payments and the pharma chain of custody
Certifications planned
ISO 27001 in 2027. POPIA Information Officer registered by June 2026
Sub-processors
Other companies in the picture
Every third party that has any access to our systems is listed here. When this list changes, we tell our customers in writing.
| Vendor | Purpose | Jurisdiction |
|---|---|---|
| Vultr | Compute, storage and object storage (Johannesburg region only) | ZA |
| MTN MoMo | Mobile money payouts to healer wallets | ZA |
| HashiCorp Vault | Custody of our signing keys (we host this ourselves in Johannesburg) | ZA (self-hosted) |
| Stripe | Billing for corporate customers. No personal data on healers goes here | IE → ZA |
| Odoo | CRM and blog content. No personal data on healers, no harvest records | ZA-hosted instance |