Security
We take the security of your business data seriously.
Here's what we do to protect the data of merchants and their customers on the Gravote platform.
🔒
Encryption in transit
All data transmitted between your browser and Gravote is encrypted using TLS 1.2 or higher. WhatsApp messages processed via the Cloud API are encrypted by Meta's infrastructure.
🗄️
Encryption at rest
Merchant data stored in our database is encrypted at rest using AES-256. Payment data is handled exclusively by Stripe and Paystack. We never store card numbers.
🛡️
Access controls
Production systems are access-controlled by role. No engineer has standing access to production data. Access is time-limited and audited. API keys rotate on a schedule.
🔐
Authentication
Gravote supports two-factor authentication (2FA) for all accounts. Sessions are invalidated on password change. We use secure, short-lived JWTs for API access.
📋
Regular audits
We conduct regular internal security reviews and intend to commission third-party penetration testing as the platform scales. Known vulnerabilities are patched within 48 hours.
🏗️
Infrastructure security
Gravote runs on Supabase (hosted PostgreSQL) with row-level security enforced at the database level. Our web infrastructure is hosted on Vercel with DDoS protection.
Responsible disclosure
We welcome security researchers who responsibly disclose vulnerabilities in our platform. If you find a security issue, please email us before publicly disclosing it. We commit to:
- Acknowledge your report within 24 hours
- Keep you updated on our progress
- Not pursue legal action for good-faith research
- Credit you when the fix is deployed (if you'd like)
Report a vulnerability
Please encrypt sensitive reports using our PGP key or report directly to:
security@gravote.com
Response within 24 hours. Do not disclose publicly before we've had a chance to patch.