Naya Security Policy — Your Money on WhatsApp

1. Overview

Usenaya Ltd is committed to maintaining the highest standards of security to protect users' funds, personal data, and financial information. This Security Policy describes the technical and organisational measures we employ across the Naya platform.

Naya operates on CBN-licensed banking infrastructure and WhatsApp Business API, both of which carry their own security certifications. Our security posture is designed to meet and exceed CBN Information Technology Standards and the requirements of the Nigeria Data Protection Act (NDPA) 2023.

2. Infrastructure Security

2.1 Regulated Banking Rails

All naira transactions are processed through CBN-licensed payment infrastructure using NIP/NIBSS rails — the same regulated payment backbone used by Nigerian banks. User funds at no time sit with Naya directly; they remain within licensed and regulated banking partner infrastructure.

2.2 Encryption

All data in transit between users, WhatsApp, and Naya's backend is encrypted using TLS 1.2 or higher
All data at rest is encrypted using AES-256 encryption
WhatsApp's end-to-end encryption protects messages between users and the Naya assistant
Sensitive financial data is stored in encrypted form and access-controlled

2.3 Cloud and Application Security

Naya's backend infrastructure is hosted on ISO 27001-certified cloud infrastructure
Network segmentation separates user data, transaction processing, and AI model systems
Web Application Firewalls (WAF) and DDoS protection are deployed across all endpoints
Access to production systems is restricted by role, with multi-factor authentication required for all administrative access

3. WhatsApp Security

Naya operates entirely through the WhatsApp Business API, which provides end-to-end encryption for all messages. However, users should be aware that:

Anyone with access to your WhatsApp account can initiate Naya transactions
Naya will always display a confirmation step before any money moves
Naya will never ask for your WhatsApp password, OTP, or banking PIN outside the official confirmation flow
Be cautious of messages claiming to be from Naya from any number other than our official WhatsApp number

4. Transaction Security

4.1 Explicit Confirmation

Every financial transaction on Naya requires explicit user confirmation before it is processed. The confirmation step displays the recipient details, exact amount, all applicable fees, and expected delivery time. No transaction is initiated based on a message alone.

4.2 Real-Time Fraud Monitoring

Naya's fraud detection system monitors all transactions in real time for:

Unusual transaction volumes or frequencies relative to the user's historical behaviour
Transfers to accounts flagged in our fraud intelligence network
Structuring behaviour or patterns consistent with financial crime
Account takeover indicators including unusual access times or locations

High-risk transactions are automatically flagged for review and may be delayed pending clearance.

4.3 Transaction Limits

Transaction limits are applied in accordance with CBN guidelines and the user's KYC tier. These limits protect users from large-scale losses in the event of unauthorised access and ensure compliance with regulatory requirements.

5. Identity and Access Management

Naya does not create separate passwords or PINs — your WhatsApp account serves as your primary authentication factor
Sensitive actions such as high-value transfers trigger additional in-chat verification steps
Account access is tied to your registered WhatsApp number; any number change requires re-verification
Naya's internal staff access to user data is role-based, audited, and subject to strict data minimisation principles

6. KYC Document Security

Identity documents submitted during KYC are:

Encrypted in transit and at rest
Accessible only to Naya's compliance team under strict access controls
Retained only for the period required by Nigerian AML/CFT regulations
Never shared with third parties except as required for identity verification or regulatory compliance

7. Incident Response

In the event of a security incident affecting user data or funds, Naya will contain the incident and assess its scope within 24 hours of detection, notify affected users via WhatsApp within 72 hours where required by the NDPA, report to the Nigeria Data Protection Commission and other relevant regulators as required by law, and conduct a post-incident review with remediation measures.

To report a suspected security incident, contact support@usenaya.com.

8. Third-Party Security

Naya works with third-party partners including banking infrastructure providers, identity verification services, and cloud hosting providers. All third-party partners are:

Subject to due diligence before engagement
Required to maintain security standards consistent with or exceeding Naya's own standards
Bound by data processing agreements under the NDPA 2023
Reviewed periodically to ensure ongoing compliance

9. User Responsibilities

Security is a shared responsibility. To protect your Naya account:

Keep your WhatsApp account secure with a strong PIN and two-step verification enabled
Never share your WhatsApp OTP with anyone, including anyone claiming to be from Naya
Do not use Naya on a shared or compromised device
Review all transaction confirmation details carefully before approving
Report any suspicious activity or unexpected transactions to support@usenaya.com immediately
Be alert to phishing — Naya will never ask for your banking credentials, card numbers, or OTPs

10. Regulatory Compliance

Naya's security programme is designed to comply with:

CBN Information Technology Standards for Financial Institutions
Nigeria Data Protection Act (NDPA) 2023
ISO/IEC 27001 information security standards
PCI-DSS requirements applicable to payment processing
WhatsApp Business API security requirements

11. Contact — Security

Security incidents and vulnerability disclosures: support@usenaya.com

How Naya protects your funds, data, and transactions.