Inopay Trust Center
How your funds and data are protected, how our partner SGIs (licensed brokers) are vetted, and how you can audit any attestation the platform issues.
1. Non-custodial architecture
Inopay is never the custodian of your cash or securities. Here's the exact flow for every order placed from the platform.
Inopay orchestrates the order, calls the SGI's API and cryptographically seals the audit ledger — without ever holding the funds. If Inopay ever shuts down, your securities remain in your name at the Central Depositary. They can be transferred on demand to any other licensed SGI.
2. Operational security
The concrete measures applied to the platform, the code, the data and internal access.
Encryption in transit and at rest
TLS 1.3 only for communications. AES-256-GCM for storage, with quarterly key rotation via HashiCorp Vault.
Offline Ed25519 signatures
Every KYC attestation is cryptographically signed. The public key is available at /.well-known/inopay-kyc-pubkey.pem for verification without any network call.
Append-only audit ledger
Every sensitive action (KYC submission, consent, SGI access, revocation) is written into a hash-chained ledger that cannot be altered after the fact. 5-year retention.
MFA mandatory for admins
Internal platform access protected by TOTP (AAL2 level). No direct access to production data without second-factor authentication.
Sovereign hosting
Infrastructure hosted in Europe and West Africa. No Lovable dependency, no Supabase cloud. Source code and data under direct control.
Regular pentests
Automated scans (nmap, nikto, nuclei, trivy) + code review before every major release. Public responsible disclosure at security@getinopay.com.
3. Regulation & compliance
Inopay operates in strict compliance with the regulatory frameworks of the three markets we cover. Every partner SGI must hold an active licence.
Conseil Régional de l'Épargne Publique et des Marchés Financiers. Regulator of the BRVM market across the 8 member states of the West African Monetary Union.
Commission de Surveillance du Marché Financier de l'Afrique Centrale. Regulator of the BVMAC market across the 6 member states of the Central African Economic Community.
Securities and Exchange Commission of Ghana. Regulator of the GSE market and of LDM brokers authorised to execute for foreign investors.
Inopay licensing roadmap
We will file a licence application as a "mutualised KYC and order-routing service provider" with the CREPMF within 18 months of commercial launch. The detailed timeline and intermediate steps (advisory board, audits, ISO 27001) are shared quarterly with partner SGIs through the dedicated portal.
4. Verify an attestation
Any partner SGI can verify the authenticity of a KYC attestation issued by Inopay without even calling our API, thanks to our Ed25519 public key.
inopay-kyc-v1)
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAStd6+a3SZQ9IakZRdmsC+6nwgLUezoModTB0Vaud2WE=
-----END PUBLIC KEY-----
For programmatic verification, the POST /v1/kyc/verify-attestation endpoint returns the same result. The key is published at https://api.getinopay.com/.well-known/inopay-kyc-pubkey.pem.
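An added example, not Inopay's own code, of the offline check described above, in Node.js: it pins the published PEM, rejects non-Ed25519 keys and fails closed on any error. The attestation format is not specified on this page, so the detached base64 signature over the exact attestation bytes, the sample JSON payload and the throwaway key pair are assumptions constructed for the demo.

```javascript
const crypto = require('crypto');

// Public key exactly as published in section 4 of this page.
const INOPAY_KYC_PUBKEY_PEM = `-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAStd6+a3SZQ9IakZRdmsC+6nwgLUezoModTB0Vaud2WE=
-----END PUBLIC KEY-----`;

// Parse a PEM public key and refuse anything that is not Ed25519.
function loadEd25519Key(pem) {
  const key = crypto.createPublicKey(pem);
  if (key.asymmetricKeyType !== 'ed25519') throw new Error('not an Ed25519 key');
  return key;
}

// SHA-256 of the DER-encoded key, for comparison with a fingerprint obtained out of band.
function keyFingerprint(key) {
  const der = key.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Assumption: the signature is detached, base64, and covers the exact attestation bytes.
// Returns true only for a valid signature; any parse or crypto error fails closed.
function verifyAttestation(pem, attestationBytes, signatureB64) {
  try {
    const sig = Buffer.from(signatureB64, 'base64');
    if (sig.length !== 64) return false; // Ed25519 signatures are always 64 bytes
    return crypto.verify(null, attestationBytes, loadEd25519Key(pem), sig);
  } catch {
    return false;
  }
}

// Constructed demo: a throwaway key pair stands in for the issuer's signing key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const demoPem = publicKey.export({ type: 'spki', format: 'pem' });
  const attestation = Buffer.from('{"subject":"demo-user","kyc_level":"basic"}'); // constructed
  const sigB64 = crypto.sign(null, attestation, privateKey).toString('base64');
  const tampered = Buffer.from('{"subject":"demo-user","kyc_level":"full"}'); // constructed
  return {
    genuine: verifyAttestation(demoPem, attestation, sigB64),
    tampered: verifyAttestation(demoPem, tampered, sigB64),
    // A signature from any other key must not verify under the published key.
    wrongKey: verifyAttestation(INOPAY_KYC_PUBKEY_PEM, attestation, sigB64),
    publishedKeyFingerprint: keyFingerprint(loadEd25519Key(INOPAY_KYC_PUBKEY_PEM)),
  };
}
```

Verify the bytes as received, before any JSON parsing or re-serialisation, since a re-encoded payload no longer matches what was signed.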
5. Partner SGI trust registry
Public list of partner SGIs and brokers, with their integration status and regulatory licence. Updated in real time.
SGIs in production
Public list available at /trust-registry. Each entry shows the licence number, country, covered markets and date of the latest audit.
SGIs in pilot phase
Ongoing integrations (sandbox + UAT) are visible in a separate section of the registry. No real transactions before go-live is announced.
Exclusions
Any SGI whose licence is suspended or that breaches our security standards is immediately removed from the registry. The revocation history is public.
Responsible vulnerability disclosure
Discovered a flaw or suspicious behaviour? Contact our security team. We acknowledge receipt within 24 h and ship fixes with public credit if you'd like.