Security
Your business, our responsibility.
How we protect the data sellers, buyers, and lenders put through Adwuma — plus how to tell us when something looks wrong.
What we do
Encryption everywhere
TLS 1.2+ on every endpoint. AES-256-GCM for at-rest secrets. Database backups encrypted before they leave the host.
Least-privilege auth
Argon2id-hashed passwords, short-lived JWTs, role-based admin guards. No shared logins. Team seats have per-permission grants.
Sensible defaults
Strict CSP, HSTS preload-eligible, X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy strict-origin.
Audited dependencies
Dependabot wired to CI. Critical / high vulnerabilities patched within 7 days. Production builds run on locked lockfiles.
Verified moderation
Every listing passes through AI moderation + per-vertical rule sets. Counterfeit jargon, MLM patterns, and stolen-goods signals auto-flag.
Data portability
Self-service data export at /data-export. One-click account deletion at /data-delete (with 14-day undo window).
Responsible disclosure
If you believe you’ve found a security vulnerability in Adwuma, please tell us before disclosing it publicly. We take every report seriously.
How to report: Email security@adwumagh.com with a clear description, reproduction steps, and (if possible) a proof-of-concept.
What we promise:
- Acknowledgement within 48 hours.
- An initial triage within 5 business days.
- No legal action against good-faith researchers.
- Public credit (your choice) once the issue is fixed.
Out of scope: denial-of-service, social engineering, physical attacks, spam, and findings that require already-compromised accounts. Common false positives (missing security headers on static pages, version disclosure) are also out of scope.
Want to know what data we hold and why? See our privacy policy or read our terms of service.