Trust is engineered, not asserted.
Asiri is the operating layer for privacy and trust work. We hold ourselves to the same evidentiary bar we ship to customers: controls in code, audit logs on by default, and residency options built for African teams.
Customer-facing proof starts here.

What customers can request
- Security overview and architecture notes.
- Sub-processor register and data-location summary.
- Penetration-test summary when available under NDA.
- Current assurance roadmap and certification boundaries.

Strong cryptography, on by default.
Public endpoints are designed around modern TLS and HSTS controls. Service-to-service authentication is reviewed in deeper architecture sessions.
Tenant databases, object storage, and backups are scoped for KMS-backed encryption at rest, with implementation evidence shared in the security pack.
Enterprise deployments can be scoped for customer-managed key patterns and stricter tenant-specific encryption boundaries.

African primary residency with documented exceptions.
The Asiri control plane and tenant databases run in AWS Cape Town (af-south-1) by default. Customer-requested exceptions and processor locations are documented in the security pack.
When Regulatory Intelligence calls a foundation model, sensitive identifiers are tokenised where applicable. Provider region and retention settings are documented in the security pack.
Enterprise deployments can be scoped for Lagos Local Zone, MainOne, or Rack Centre residency based on customer requirements.

Current posture, with evidence boundaries.
ASIRI maintains an NDPA audit-readiness file and uses ASIRI internally to evidence its privacy operations. External DPCO/auditor validation remains pending.
ISMS control families are mapped for readiness review. ASIRI does not claim ISO/IEC 27001 certification until an accredited certification body issues a certificate.
Trust Services Criteria mapping is in preparation. ASIRI does not claim SOC 2 Type I or Type II until an independent CPA firm issues the applicable report.
Transfer posture is documented with safeguards, sub-processor review, and transfer-impact notes; customer counsel or auditor review remains pending where applicable.
ASIRI does not store, process, or transmit raw cardholder data in the application environment unless a future PCI scope assessment says otherwise.
Regulatory Intelligence outputs are source-linked, reviewable, and subject to human approval; they do not replace legal advice, DPCO review, auditor review, regulator decisions, or customer counsel.
The pack is evidence-backed readiness material for buyer, counsel, auditor, DPCO, and QSA review. It is not a certificate or external compliance outcome.

Least privilege, always.
Postgres RLS patterns isolate tenants at the database layer, so tenancy is enforced below the application boundary.
Granular role-based access control, mandatory MFA for privileged roles, and SCIM 2.0 user provisioning on the Enterprise tier.

Posture you can audit.
- SOC 2 Type II readiness — third-party audit roadmap in progress.
- NDPA readiness and DPCO operating workflows for Nigerian teams.
- ASIRI uses ASIRI internally to operate and evidence its NDPA program.
- Current posture: NDPA audit-readiness file maintained; external DPCO/auditor validation pending.
- Independent penetration-test summaries shared when available under NDA.
- Third-party penetration testing is part of the assurance roadmap; summaries are shared when available.
- Full audit log on every tenant — designed for export, immutability, and retention.
- Coordinated vulnerability disclosure published at /policy/vulnerability-disclosure.
- Sub-processor inventory published and version-controlled.