How we protect your organization's data. Security is foundational to everything we build.
Encryption at rest: All stored data, including databases, file storage, and backups, is encrypted using AES-256.
Encryption in transit: All communications between your browser and our servers use TLS 1.3. API communications are encrypted end-to-end.
Key management: Encryption keys are managed through a dedicated key management service with automatic rotation and strict access controls.
Data isolation: Each organization's data is logically isolated within our infrastructure. Cross-tenant data access is architecturally prevented.
Authentication: We support secure password policies, multi-factor authentication (MFA), and session management with configurable timeout periods.
Authorization: Role-based access control (RBAC) ensures users can only access data and features appropriate to their role within the organization.
Input validation: All user inputs are validated and sanitized to prevent injection attacks, cross-site scripting (XSS), and other common vulnerabilities.
Dependency management: We continuously monitor and update third-party dependencies to address known vulnerabilities.
Cloud hosting: Praxis is hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification and ISO 27001 compliance.
Network security: Our infrastructure is protected by firewalls, intrusion detection systems, and DDoS mitigation. Network access is restricted to the minimum necessary for operation.
Redundancy: Critical systems are deployed across multiple availability zones with automatic failover to ensure high availability.
Backups: Automated daily backups with point-in-time recovery. Backups are encrypted and stored in geographically separate locations from primary data.
Continuous monitoring: Real-time monitoring of infrastructure, application performance, and security events. Automated alerts for anomalous behavior.
Incident response plan: We maintain a documented incident response plan that includes identification, containment, eradication, recovery, and post-incident review procedures.
Breach notification: In the event of a data breach, we will notify affected organizations and relevant regulatory authorities within the timeframes required by applicable law, including 72 hours under NDPR.
Security team: A dedicated security function is responsible for monitoring, responding to, and continuously improving our security posture.
Employee access: Access to production systems is limited to authorized personnel on a need-to-know basis. All access is logged and regularly reviewed.
Background checks: Team members with access to sensitive systems undergo appropriate background verification.
Security training: All team members receive regular security awareness training covering topics such as phishing, social engineering, and secure development practices.
Vendor management: Third-party service providers are evaluated for their security practices before engagement and are bound by data processing agreements.
Praxis is designed to help organizations meet their regulatory obligations across African jurisdictions:
NDPR (Nigeria): Full compliance with the Nigeria Data Protection Regulation, including data processing principles, consent management, and data subject rights.
Kenya DPA: Compliance with the Kenya Data Protection Act 2019 and its subsidiary legislation.
Ghana DPA: Compliance with the Ghana Data Protection Act 2012.
POPIA (South Africa): Designed with the Protection of Personal Information Act requirements in mind for future market expansion.
We are pursuing SOC 2 Type II certification and will update this page as certifications are achieved.
We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to security@praxis.hr.
Scope: Any vulnerability in the Praxis platform, API, or infrastructure that could compromise user data or system integrity.
Guidelines: Provide sufficient detail to reproduce the issue. Do not access, modify, or delete data belonging to other users. Do not publicly disclose the vulnerability before we have addressed it.
Response: We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days.
For security-related inquiries or to report a vulnerability:
Email: security@praxis.hr
Address: Praxis (Tegence Ltd), Lagos, Nigeria