RibiBenefits is built with security as a foundational requirement, not an afterthought. We handle employee benefits data — including health access and financial allowances — across multiple African markets. This page describes our security practices and commitments.
Data encryption
All data transmitted between your browser or mobile app and our servers is encrypted using TLS 1.2 or higher. Data stored in our databases is encrypted at rest using AES-256 encryption.
Sensitive fields — including financial and health-related data — are encrypted at the application layer in addition to database-level encryption.
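As an added illustration of what application-layer encryption of a sensitive field looks like (example code written for this page, not RibiBenefits' own implementation): each value is sealed with AES-256-GCM under a data key, with a fresh random nonce per value and the record and column identity bound in as additional authenticated data, so a ciphertext moved to another row or field fails to decrypt. The helper names, the AAD scheme and the way the 32-byte key is obtained are assumptions; in practice the key would come from a key-management service rather than be generated in `main`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// encryptField (hypothetical helper) seals one sensitive field value with
// AES-256-GCM. The nonce is prepended to the ciphertext, and aad binds the
// value to its record/column so it cannot be silently swapped between rows.
func encryptField(key []byte, aad, plaintext string) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends the ciphertext and tag to the nonce slice.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField reverses encryptField. A wrong key, wrong AAD or any
// modification of the stored value makes gcm.Open return an error.
func decryptField(key []byte, aad, encoded string) (string, error) {
	if len(key) != 32 {
		return "", errors.New("key must be 32 bytes for AES-256")
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key; a real deployment would fetch this from a KMS.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// AAD: constructed record and column identity for the field.
	aad := "employee:1001:bank_account"
	ct, err := encryptField(key, aad, "0123456789")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", ct)
	pt, err := decryptField(key, aad, ct)
	fmt.Println("decrypted:", pt, "err:", err)
	// Same ciphertext presented under another record's AAD is rejected.
	_, err = decryptField(key, "employee:2002:bank_account", ct)
	fmt.Println("cross-record decrypt err:", err)
}
```

The AAD is what makes this field-level encryption rather than a bare cipher call: the database-level encryption on L3 protects the disk, while binding each ciphertext to its row and column protects against an application-layer bug or a privileged database user reassigning one employee's encrypted value to another.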
Authentication and access control
Multi-factor authentication (MFA) is available on all platform accounts and is mandatory for all Administrator accounts. Employees are strongly encouraged to enable MFA on their own accounts.
We apply role-based access control (RBAC) across the platform. Administrators only see data for their organisation. Individual employees can only access their own benefit information.
All access to production systems by RibiBenefits staff is logged, reviewed, and subject to the principle of least privilege.
Infrastructure security
The RibiBenefits platform is hosted on enterprise-grade cloud infrastructure with ISO 27001 certification. Our infrastructure providers maintain physical security controls, power redundancy, and environmental controls at their data centres.
We use separate environments for development, staging, and production. Production data is never used in development or testing environments.
Application security
Our development and security practices include:
- Regular penetration testing by independent third-party security firms
- Static and dynamic application security testing (SAST/DAST) in our CI/CD pipeline
- Dependency vulnerability scanning for all third-party libraries
- Code review requirements for all production changes
- OWASP Top 10 compliance checks as part of our development process
- Regular security training for all engineering and operations staff
Mental wellness confidentiality
We apply additional controls specifically to mental wellness benefit data. Session booking information is stored separately from other benefit data with stricter access controls. The content of therapy sessions is never collected, transmitted, or stored by RibiBenefits.
Employer-facing reports for mental wellness benefits show only aggregate usage counts — never individual session details, dates for specific employees, or any clinical information.
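The access rules in the authentication section (administrators see only their organisation's data, employees only their own) and the aggregate-only wellness reporting described above are both authorization decisions made server-side. The following is an added example, written for this page and not RibiBenefits' code, of how both rules can be expressed as a default-deny check and a report function that never exposes per-employee detail. The type and function names are assumptions, and the records are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

type Role int

const (
	RoleEmployee Role = iota
	RoleAdministrator
)

// Principal is the authenticated caller (constructed type for this example).
type Principal struct {
	UserID string
	OrgID  string
	Role   Role
}

// BenefitRecord is one employee's benefit entry.
type BenefitRecord struct {
	EmployeeID string
	OrgID      string
	Benefit    string
}

// WellnessSession is one booked mental wellness session. Employers only
// ever learn how many exist, never whose or when.
type WellnessSession struct {
	EmployeeID string
	OrgID      string
	Date       string
}

// canView encodes the page's two rules with a default deny: an unknown role
// or a record from another organisation is never visible.
func canView(p Principal, r BenefitRecord) bool {
	switch p.Role {
	case RoleAdministrator:
		return p.OrgID == r.OrgID
	case RoleEmployee:
		return p.OrgID == r.OrgID && p.UserID == r.EmployeeID
	}
	return false
}

// visibleRecords filters on the server so the client cannot widen the set
// by asking for records it should not receive.
func visibleRecords(p Principal, all []BenefitRecord) []BenefitRecord {
	var out []BenefitRecord
	for _, r := range all {
		if canView(p, r) {
			out = append(out, r)
		}
	}
	return out
}

// wellnessUsageCount is the only employer-facing view of wellness data: a
// single count for the administrator's own organisation. The per-session
// fields are consumed here and never returned.
func wellnessUsageCount(p Principal, sessions []WellnessSession) (int, error) {
	if p.Role != RoleAdministrator {
		return 0, errors.New("only administrators may view usage reports")
	}
	n := 0
	for _, s := range sessions {
		if s.OrgID == p.OrgID {
			n++
		}
	}
	return n, nil
}

func main() {
	// Constructed sample data for two organisations.
	records := []BenefitRecord{
		{EmployeeID: "e1", OrgID: "acme", Benefit: "gym"},
		{EmployeeID: "e2", OrgID: "acme", Benefit: "transit"},
		{EmployeeID: "e3", OrgID: "globex", Benefit: "gym"},
	}
	sessions := []WellnessSession{
		{EmployeeID: "e1", OrgID: "acme", Date: "2024-03-04"},
		{EmployeeID: "e3", OrgID: "globex", Date: "2024-03-05"},
	}
	admin := Principal{UserID: "a1", OrgID: "acme", Role: RoleAdministrator}
	emp := Principal{UserID: "e2", OrgID: "acme", Role: RoleEmployee}

	fmt.Println("admin sees:", visibleRecords(admin, records))
	fmt.Println("employee sees:", visibleRecords(emp, records))
	n, err := wellnessUsageCount(admin, sessions)
	fmt.Println("acme wellness usage:", n, "err:", err)
	_, err = wellnessUsageCount(emp, sessions)
	fmt.Println("employee report attempt err:", err)
}
```

The report function returns an integer rather than a filtered slice of sessions deliberately: if the only value that can leave the function is a count, a later change to the presentation layer cannot accidentally start rendering dates or employee identifiers.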
Incident response
We maintain a documented incident response plan that is tested annually. In the event of a security incident that affects personal data, we will notify affected Employers within 72 hours of becoming aware of the incident, in accordance with applicable data protection law.
We will provide affected Employers with sufficient information to meet their own notification obligations to employees and regulators.
Third-party partner security
Benefit delivery partners (gyms, restaurants, transit providers, healthcare providers) receive only the minimum data necessary to deliver the specific benefit requested. We conduct due diligence on partner data handling practices before onboarding and include data processing requirements in all partner agreements.
Compliance
RibiBenefits operates in compliance with applicable data protection laws across our African markets, including the Nigeria Data Protection Act 2023 (NDPA), the Kenya Data Protection Act 2019, and the South Africa Protection of Personal Information Act (POPIA).
We work with local legal counsel in each market to ensure compliance with market-specific requirements as they evolve.
Responsible disclosure
If you believe you have discovered a security vulnerability in the RibiBenefits platform, please report it to us at hello@ribirewards.com with the subject line 'Security Disclosure'. We commit to acknowledging your report within 48 hours and keeping you informed of our progress.
We ask that you do not publicly disclose vulnerabilities before we have had a reasonable opportunity to address them, and that you do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability.
Questions about this policy?
Contact us at hello@ribirewards.com