Security

Your money is safe.
Here's exactly how.

Security isn't a feature we added after the fact. Every layer of Aza — from the database to the phone screen — was designed with it in mind.

Bank of Ghana
E-money licence (pending)
NIA
Identity verification
GhIPSS
Interoperable payments
AES-256
NIST-certified encryption
TLS 1.3
Transport security
Signal Protocol
Chat encryption

Six layers of protection.

AES-256 encryption at rest

Every wallet balance, transaction record, and personal detail is encrypted with AES-256 before it touches disk. No plaintext data is ever stored.

TLS 1.3 in transit

All API traffic and WebSocket connections use TLS 1.3. Weak cipher suites and legacy TLS versions are explicitly rejected at the load balancer.

End-to-end encrypted chat

Aza messages use the Signal Protocol — the same encryption used by Signal and WhatsApp. Keys are generated on device. We cannot read your conversations.

Biometric & TOTP authentication

Log in with Face ID, fingerprint, or a time-based one-time password. Account actions like transfers require a 4-digit passcode confirmed at the point of action.

Bank of Ghana–compliant KYC

Identity verification uses Ghana Card or passport via the National Identification Authority (NIA). Tiered limits (Tier 1–3) follow BoG e-money regulations.

Anomaly detection & holds

High-risk transfers are intercepted automatically and held for compliance review. Rules are configurable and backed by transaction-level audit logs.

Encrypted chat backup

Move your chat history to a new device or back it up to the cloud — both stay end-to-end encrypted, unlocked only with a recovery code only you hold.

Found a vulnerability?

We take security reports seriously. If you discover a potential vulnerability in Aza, please contact us directly before public disclosure. We aim to respond within 24 hours.

security@aza.systems

What we never do.

  • Sell or share your personal data
  • Store your passcode or biometric data on our servers
  • Read your encrypted chat messages
  • Process transactions without your explicit confirmation