SECURITY
Security at Every Layer.
From envelope encryption to tamper-evident hash chains, every component of the Sankofa platform is designed with security as a first principle.
Encryption
Encryption at Rest and In Transit
Envelope Encryption
KMS-derived keys with AES-GCM-256 protect every record. Keys are rotated per shard and never stored alongside the data they protect.
ECDSA Receipt Signing
Every transaction produces a cryptographically signed receipt. Tamper with any record and the signature breaks — immediately detectable.
In-Transit Protection
TLS 1.3 for all API endpoints. Mutual TLS available for service-to-service communication within your deployment.
Access Control
Granular Access Control
JWT Authentication
Short-lived, signed JSON Web Tokens for all API access. Tokens are scoped to specific resources and operations.
RBAC via Casbin
Role-based access control enforced through Casbin policy engine. Define precise permissions for every team and integration.
Mutual TLS
Client certificate authentication for service-to-service calls. Zero implicit trust between internal components.
Audit Trail
Tamper-Evident Audit Trail
SHA-256 Hash Chain
Each ledger entry is hashed and chained to its predecessor. Any modification to historical data invalidates the entire chain forward.
Append-Only Storage
The ledger is immutable by design. No record can be deleted or modified — only new entries can be appended.
Reconciliation
Automated reconciliation jobs continuously verify hash chain integrity and flag any anomalies for immediate investigation.
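The hash chain and reconciliation walk described above, written out as an added Python example that is not Sankofa's own code; the entry field names, the canonical JSON encoding and the all-zero genesis anchor are assumptions made for illustration:

```python
import hashlib
import json

# Added example, not Sankofa's code: a minimal SHA-256 hash-chained,
# append-only ledger plus the reconciliation walk that verifies it.
# Field names and the genesis anchor value are assumptions.
GENESIS_HASH = "0" * 64  # assumed prev_hash of the very first entry


def entry_hash(prev_hash: str, payload: dict) -> str:
    """Digest of the predecessor's hash plus a canonical JSON payload."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canon}".encode()).hexdigest()


def append_entry(ledger: list, payload: dict) -> dict:
    """Append-only write: link the new entry to the current tail's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS_HASH
    entry = {"prev_hash": prev, "payload": payload,
             "hash": entry_hash(prev, payload)}
    ledger.append(entry)
    return entry


def verify_chain(ledger: list) -> tuple:
    """Reconciliation pass: recompute every link from the genesis anchor.

    Returns (True, None) if intact, else (False, index of the first bad
    entry). Editing any historical payload breaks that entry's hash, and
    re-hashing it instead breaks the prev_hash link of the entry after it.
    """
    prev = GENESIS_HASH
    for i, entry in enumerate(ledger):
        if (entry["prev_hash"] != prev
                or entry_hash(prev, entry["payload"]) != entry["hash"]):
            return False, i
        prev = entry["hash"]
    return True, None


def demo_tamper() -> tuple:
    """Constructed three-entry ledger; entry 1 is then altered in place."""
    ledger = []
    for amount in (100, 250, 75):  # constructed sample transactions
        append_entry(ledger, {"account": "acct-1", "amount": amount})
    before = verify_chain(ledger)
    ledger[1]["payload"]["amount"] = 2500  # modify historical data
    return before, verify_chain(ledger)
```

The walk detects an edit to any stored entry, but only a copy of the tail hash held outside the ledger (for instance, inside a signed receipt) rules out an attacker recomputing every hash after the edit.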
Security questions?
Our security team is available to walk through our controls, share documentation, and answer technical questions.