Trust

Security at SBBS

Effective 20 April 2026 · Currently marked DRAFT pending legal review.

SBBS treats safety as the product. These are the technical and operational guardrails we run.

Funds

  • Funds always sit with a licensed PSP (Moolre), never in a personal account, never with SBBS staff.
  • Every payout requires a human approver click before money leaves the platform.
  • High-value payouts trigger a two-approver requirement.

Access control

  • Role-based access (buyer, seller, rider, approver, admin, superadmin).
  • Admin impersonation requires a written reason and is fully audit-logged.
  • The service-role database key is only ever used inside server actions, never in client code.

Data

  • Postgres at rest with row-level security; private buckets for KYC and dispute evidence.
  • SHA-256 hashes recorded for every uploaded evidence file.
  • Phone numbers redacted on every public surface.

Webhooks

  • Moolre webhooks verified with HMAC-SHA256 signature and idempotency keys.
  • Idempotency keys recorded so a replayed webhook never causes a double action.
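
An added example, not SBBS's or Moolre's code, showing how the two webhook checks above fit together: the HMAC-SHA256 signature is verified over the raw body first, then the idempotency key is checked before any action runs. The hex signature encoding, the `idempotency_key` field name, the event fields and the in-memory key store are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed value for this example; a real secret is provisioned out of band.
WEBHOOK_SECRET = b"example-shared-secret"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side of the assumed scheme: hex HMAC-SHA256 over the raw body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self._secret = secret
        # Assumption: in production this is a table with a UNIQUE constraint
        # on the key, so concurrent duplicates cannot both be inserted.
        self._seen_keys = set()
        self.actions = []  # stands in for "credit order", "release payout", ...

    def _signature_ok(self, raw_body: bytes, signature_hex: str) -> bool:
        expected = sign(self._secret, raw_body)
        # compare_digest runs in constant time, so the comparison does not
        # reveal how many leading characters of a guess were correct.
        return hmac.compare_digest(expected.encode(), signature_hex.encode())

    def handle(self, raw_body: bytes, signature_hex: str) -> str:
        # 1. Authenticate the exact bytes received, before any parsing.
        if not self._signature_ok(raw_body, signature_hex):
            return "rejected"
        event = json.loads(raw_body)
        key = event["idempotency_key"]  # hypothetical field name
        # 2. A replayed, validly signed delivery must not act twice.
        if key in self._seen_keys:
            return "duplicate"
        self._seen_keys.add(key)
        self.actions.append((event["type"], event["amount"]))
        return "processed"


if __name__ == "__main__":
    # Constructed sample delivery.
    body = b'{"idempotency_key": "evt-001", "type": "payment.succeeded", "amount": 5000}'
    receiver = WebhookReceiver(WEBHOOK_SECRET)
    signature = sign(WEBHOOK_SECRET, body)
    print(receiver.handle(body, signature))  # first delivery
    print(receiver.handle(body, signature))  # replay of the same delivery
    print(receiver.handle(body.replace(b"5000", b"9000"), signature))  # tampered
```

The signature check alone does not stop replays, because a captured delivery still carries a valid signature; the recorded key is what prevents the double action.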

Compliance

  • Bank of Ghana PSP due-diligence letter on file.
  • Data Protection Commission registration in progress.
  • Annual penetration test by an external firm.

Reporting issues

If you discover a vulnerability, please email security@sbbs.gh. We acknowledge within 24 hours.