Security

How we protect your data

Our Approach

Security isn't a feature we bolt on at the end — it's part of how Soaly is built. We design every part of the platform around least privilege: each organization, team member, and attendee can only ever see and do what they're meant to. We review our own code for security issues regularly, and we keep our dependencies up to date.

Data Protection

All traffic between you and Soaly is encrypted in transit over HTTPS. Your data is stored in a managed Postgres database with row-level security enforced at the database layer, so one organization can never read or modify another organization's events, bookings, or attendees — even if the application code has a bug. Sensitive credentials and API keys are stored as environment secrets and are never committed to our codebase.

Payments

Soaly never stores raw card or mobile-money details. When an attendee pays, those details are handled directly by our payment providers (Paystack and Hubtel), who are responsible for capturing and securing payment credentials. This means card data never touches our servers, and we inherit the providers' industry-standard payment security (PCI DSS) rather than handling that risk ourselves. Refunds are issued through the same providers and recorded against the original transaction.

Access Control

Access to your organization is governed by roles — owner, admin, and check-in staff — each with a clearly scoped set of permissions. Check-in staff, for example, can admit attendees at the door but cannot view financial reports or change settings. Every action that changes data is authorized on the server against your organization membership, not just hidden in the interface.

Infrastructure

Soaly runs on managed, reputable cloud infrastructure with automated backups and the ability to recover to a recent point in time. Application changes pass through automated checks before they reach production, and we monitor our dependencies for newly disclosed vulnerabilities so we can patch quickly.

Reporting a Vulnerability

We welcome reports from security researchers. If you believe you've found a vulnerability, please email us privately at graciouskuunibe@gmail.com rather than posting publicly. We aim to acknowledge reports within three business days and will keep you updated as we investigate. We will not pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and give us a reasonable window to fix the issue before disclosing it.