Security & data sovereignty
Customer data stays where the law and the customer expect it.
POPIA, the Zimbabwe Data Protection Act, and GDPR set the floor. Sovereignty, encryption, accountable operations, and dignity defaults are how we ship.
Data sovereignty by default
Customer data is held on regional infrastructure where the law expects it. POPIA (South Africa), the Zimbabwe Data Protection Act, and GDPR set the floor — not the ceiling. Region of residence is a setting, not a sales upsell.
Encryption end-to-end
TLS 1.3 in transit, AES-256 at rest, customer-managed key options on Enterprise. Audit logs are append-only and tamper-evident. Backups are encrypted and tested quarterly.
Operated by a small, accountable team
Access is scoped, named, and time-bound. Production changes go through code review and on-call rotation. We publish post-mortems for incidents above an SLO threshold so customers can read what actually happened.
Dignity defaults
No dark patterns, no attention-resale, no biometric collection without explicit consent. Verification ladders exist to give people more capability — not to gate basic dignity behind a queue at a government office.
Reporting a security issue
If you believe you have found a vulnerability in any Nyuchi product or surface, email security@nyuchi.com with reproduction steps. We acknowledge within one business day, coordinate disclosure with you, and credit you in our public security advisories if you'd like.