Security

Built like a bank. Trusted by advisors.

Your client data is some of the most sensitive information you handle. KYC Pro is engineered from the ground up to protect it.

Independently rated

Grade A on SecurityHeaders.com

Scanned by Snyk's public security headers analyser. KYC Pro implements all six recommended HTTP security headers, including a strict Content Security Policy and HSTS preload.

How we protect you

Every security measure, explained.
No jargon. No vague claims.

Here's the complete list of protections built into KYC Pro - and a plain-English explanation of how each one works.

Data Isolation

Row-Level Security on every database table: Every table that holds client data has a rule attached to it that says "this row can only be read or edited by the advisor who owns it." This rule runs on the database itself, not in the app - meaning that even if a bug existed in the app code, the database would still refuse to hand over another advisor's data.
Per-advisor data scoping: Every client, note, document, follow-up, FICA record, needs analysis, ROA, and audit log is tagged with the advisor who owns it. There is no shared pool of data - each advisor effectively has their own private database.
Private provider contact lists: Even your provider/contact lists are isolated. You can edit, delete, or add to your own list without affecting any other advisor's contacts.

Encryption & Storage

Encryption in transit (HTTPS everywhere): Every page request, form submission, and API call between your browser and KYC Pro is encrypted using TLS 1.3 - the same encryption banks use. An attacker watching the network sees only scrambled data.
Encryption at rest: All data stored in the database and file storage is encrypted on disk. If someone physically accessed the data centre, they'd see encrypted bytes, not your client list.
HSTS preload: Browsers are instructed never to connect to KYC Pro over insecure HTTP. Even if someone tried to trick you onto a fake unencrypted version of the site, your browser refuses.
Master keys stored as environment secrets: The "master keys" that grant full database access are stored in Vercel's secret environment vault. They never appear in our code, never reach your browser, and never end up in our public GitHub repository.

Account Security

Two-Factor Authentication (2FA): Optional 2FA on every advisor account using an authenticator app (Google Authenticator, Authy, etc.). When enabled, even if someone steals your password they still can't log in without your phone.
Secure password reset: Password resets are sent only to your verified email and expire quickly. Reset links are one-use only and cannot be replayed.
2FA on the platform itself: The KYC Pro codebase, GitHub repository, deployment pipeline (Vercel), and database (Supabase) are all protected by mandatory 2FA. This means the platform itself cannot be tampered with by an attacker who phishes a single password.
No password storage in plain text: Passwords are hashed using bcrypt before being stored. We never see your password - and even our database administrators can't read it.

Client-Facing Links

64-character cryptographically secure tokens: Every form, ROA, FICA request, and calculator link contains a unique 64-character token generated by the operating system's cryptographic random number generator. The number of possible combinations is so astronomically large (more than the number of atoms in the observable universe) that guessing a valid one is mathematically impossible.
One-time tokens: Once a form is submitted or a document is signed, the token is marked complete and cannot be reused. There is no risk of an old link being shared and reopening sensitive data.
Single-client scoping: Each token is tied to one specific client and one specific document. Even if a token were somehow guessed, it could only be used to open that one document - not to access any other client.

Audit Trail & Compliance

Tamper-proof audit log: Every sensitive action (sending forms, viewing data, signing documents, exporting data) is logged with timestamp, advisor, IP address, and details. The log is append-only - entries cannot be edited or deleted, even by us.
Electronic signatures with full audit trail: Every signed document records the client's IP address, device type, browser fingerprint, and exact timestamp. This audit trail is embedded in the signed PDF and cannot be altered after the fact - meeting the requirements of the Electronic Communications and Transactions Act.
Document version locking: Once a client signs a document, the document is locked. No one - not the client, not you, not us - can change the contents of a signed document. If amendments are needed, a new version is issued and signed.

Application Security

Grade A on SecurityHeaders.com: Independently scanned and rated. KYC Pro implements all six recommended HTTP security headers - Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
Content Security Policy (CSP): A strict policy that tells your browser exactly which scripts and resources are allowed to run on KYC Pro pages. This blocks the most common type of website attack - cross-site scripting - at the browser level.
Clickjacking protection: KYC Pro cannot be embedded inside another website's iframe. This stops attackers from disguising malicious sites with a hidden KYC Pro login layered underneath.
MIME type sniffing disabled: Browsers are forced to treat files exactly as their declared type. This prevents attackers from disguising executable code as innocent-looking images.
Camera, microphone, and geolocation blocked: KYC Pro never requests access to your camera, microphone, or location. The Permissions-Policy header explicitly blocks these even if they were ever requested by accident.
React framework with auto-escaping: KYC Pro is built on React, which automatically escapes any user input before rendering it to the page. This prevents stored cross-site scripting attacks where someone might paste malicious code into a form field hoping to attack the next viewer.

File Upload Security

File size limits: All uploads (FICA documents, client imports, signature images) are capped at safe sizes. This prevents attackers from crashing the platform with massive files.
File type validation: Every uploaded file is checked against an allow-list of expected types. PDFs, JPEGs, PNGs, Excel and CSV files are accepted - anything else is rejected.
Magic-byte verification: Beyond just checking the file extension, KYC Pro inspects the actual binary contents of uploaded files to confirm they're what they claim to be. Renaming a virus to "client_list.xlsx" won't fool the system.
Row caps on imports: Excel and CSV imports are capped at 10,000 rows per file. This protects the platform from memory-exhaustion attacks while still being far more than any practice would import in one go.
Isolated file storage: Uploaded files are stored in object storage with signed URLs. Files are never directly accessible by URL - every download requires a freshly-generated, time-limited link tied to the requesting advisor.
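The size cap, extension allow-list and magic-byte check above, as an added example written for this page rather than KYC Pro's own code. It covers the five accepted types the page names and handles the one that has no magic bytes at all (CSV) by checking content instead; the 10 MB default cap is an assumption.

```javascript
// Added example, not KYC Pro's own code: allow-list plus magic-byte checks
// for the upload types the page names. Node standard library only.

// Leading bytes of each binary format on the allow-list (from the public
// format specifications). XLSX is a ZIP container, so it begins with the
// ZIP local-file-header signature "PK\x03\x04".
const SIGNATURES = {
  pdf:  Buffer.from('%PDF-'),
  jpeg: Buffer.from([0xff, 0xd8, 0xff]),
  png:  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  xlsx: Buffer.from([0x50, 0x4b, 0x03, 0x04]),
};
const EXT_TO_TYPE = { '.pdf': 'pdf', '.jpg': 'jpeg', '.jpeg': 'jpeg',
                      '.png': 'png', '.xlsx': 'xlsx', '.csv': 'csv' };

// CSV has no magic bytes, so it is judged by content instead: no NUL bytes,
// valid UTF-8, and every non-empty line carries the delimiter.
function looksLikeCsv(buf) {
  if (buf.includes(0)) return false;
  let text;
  try { text = new TextDecoder('utf-8', { fatal: true }).decode(buf); }
  catch { return false; }
  const lines = text.split(/\r?\n/).filter((l) => l.length > 0);
  return lines.length > 0 && lines.every((l) => l.includes(','));
}

// Returns { ok: true, type } or { ok: false, reason }. The 10 MB default
// cap is constructed; the page does not state KYC Pro's actual limit.
function validateUpload(filename, buf, maxBytes = 10 * 1024 * 1024) {
  if (buf.length === 0) return { ok: false, reason: 'empty file' };
  if (buf.length > maxBytes) return { ok: false, reason: 'file too large' };
  const dot = filename.lastIndexOf('.');
  const type = EXT_TO_TYPE[dot < 0 ? '' : filename.slice(dot).toLowerCase()];
  if (!type) return { ok: false, reason: 'extension not on allow-list' };
  if (type === 'csv') {
    return looksLikeCsv(buf) ? { ok: true, type } : { ok: false, reason: 'not a text CSV' };
  }
  // The extension names a type; the first bytes must agree with it.
  const sig = SIGNATURES[type];
  if (!buf.subarray(0, sig.length).equals(sig)) {
    return { ok: false, reason: `content does not match ${type}` };
  }
  return { ok: true, type };
}
```

A "PK" signature only proves a ZIP container, so a stricter check for Excel files would open the archive and confirm it holds [Content_Types].xml and xl/workbook.xml before handing it to a spreadsheet parser.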

Infrastructure & Hosting

Hosted on Vercel and Supabase: Vercel hosts the application; Supabase hosts the database. Both are enterprise-grade platforms used by thousands of businesses worldwide, with their own teams of security engineers maintaining hardware, network, and operating system security around the clock.
Automatic security patching: Operating systems, runtime environments, and underlying infrastructure are patched automatically by Vercel and Supabase as soon as security updates are released - often within hours of disclosure.
Continuous dependency scanning: Every third-party code library used in KYC Pro is automatically scanned by GitHub for known vulnerabilities. Issues are flagged immediately so they can be fixed.
Automated backups: The database is backed up automatically and continuously by Supabase, with point-in-time recovery available. Your data cannot be lost to a single hardware failure.
DDoS protection: Vercel's global edge network absorbs and filters traffic before it reaches the application - making distributed denial-of-service attacks (where attackers try to flood a site with traffic to take it offline) extremely difficult to mount.

Privacy & Data Rights

POPIA compliance: KYC Pro is designed to help you meet your obligations under the Protection of Personal Information Act. Client consent is captured at form submission, data is processed only for the purpose you specify, and your clients have the right to request access or deletion at any time.
Full data export: Export your complete client list, all needs analyses, and all documents to Excel/CSV with one click - anytime, no fees, no friction.
Full data deletion: Cancel your account and request full deletion. Your data is purged from active systems and confirmed in writing.
No data selling, ever: KYC Pro is funded entirely by your monthly subscription. We do not sell, rent, share, or use your client data for marketing or any other purpose. Period.
No advertising: KYC Pro is ad-free and will remain so. Your clients' information is never used to build advertising profiles.
No third-party tracking: KYC Pro does not embed Google Analytics, Facebook Pixel, or any other behavioural tracking on advisor-facing pages. Your activity inside the CRM is yours alone.

Application security

Hardened against the modern web.

Every page served by KYC Pro carries the security headers that browsers use to defend against cross-site scripting, clickjacking, MIME confusion, and forced-HTTP downgrade attacks.

Content-Security-Policy
Strict-Transport-Security
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy

Compliance

Built for South African law.
Compliance is the floor, not the ceiling.

KYC Pro was designed specifically around the regulatory environment South African advisors operate in - not retrofitted from a generic CRM.

POPIA

Protection of Personal Information Act

You can export or delete your data at any time. Client consent is captured before any information is processed. Data is only ever used to deliver the service to you.

FAIS

Financial Advisory and Intermediary Services Act

Records of Advice, needs analyses and audit trails are designed to meet FAIS record-keeping and disclosure requirements out of the box.

ECT Act

Electronic Communications and Transactions Act

Electronic signatures captured on the platform meet the legal requirements for advanced electronic signatures, with full audit logs preserved for the lifetime of the document.

Your data, your rights

You own your data. Always.

Export anytime: Download your full client list as Excel or CSV with one click. No fees, no friction.
Delete anytime: Cancel your subscription and request full deletion. Your data is removed from active systems.
No data selling: We do not sell, rent, or share your data with third parties for marketing - ever.
No advertising: KYC Pro is funded by your subscription. We don't need ads, and we don't profile your clients.

Responsible disclosure. If you believe you've found a security issue in KYC Pro, please get in touch via the contact page with the details. We treat all reports seriously and will respond within one business day.

Run your practice with confidence.

Bank-grade security. Built for South African advisors. R599.99/month, cancel anytime.