Security & Compliance ===================== Defence in Depth ---------------- Security controls are layered across the edge, transport, application, and data tiers. Edge Controls ~~~~~~~~~~~~~ - **Authentication.** JWT bearer tokens (HS256) for dashboard sessions, prefixed API keys for programmatic access, super-admin tokens for internal operations, and dedicated authentication for hosted payment pages. - **Rate limiting.** Per-tenant token-bucket rate limiting at the gateway, with a separate limiter for payment-link surfaces. - **Idempotency.** Redis-backed idempotency middleware on POST requests; keys propagate downstream as gRPC metadata so double submission cannot double spend. - **Network controls.** Allowed-host enforcement, explicit CORS policy, and IP whitelist middleware for partner API surfaces. - **Tenant IP controls.** Tenants can whitelist/blacklist IP addresses for their API access via the Identity service. Transport Security ~~~~~~~~~~~~~~~~~~ - TLS on all external traffic; TLS with pinned CA bundles (layered over native roots) for cross-environment gRPC. - Kafka TLS with certificate-based client authentication in sandbox and live. - Tenant and user context propagated as authenticated gRPC metadata and validated at each service (``x-tenant-id``, ``x-user-id``, ``x-session-id``). Application Controls ~~~~~~~~~~~~~~~~~~~~ - **Per-RPC authorization interceptors** in every gRPC service; a live-access gate in the Identity service controls production access per tenant. - **Dual authorization** for high-value operations: OTC orders and transfers require a second approver (approve/reject workflows with separate approval records). - **Webhook signing.** Outbound merchant webhooks are HMAC-SHA256 signed with per-tenant secrets; inbound provider requests use provider-specific signature schemes (HMAC for Dlocal, Duplo HMAC-SHA512, Yellow Card, Fincra, Yolat, Thunes with a secret webhook path). - **Custody signing.** Every mutating custody operation is user-action signed against Dfns with an ECDSA P-256 key (challenge–response), so wallet operations cannot be replayed or forged. - **Card data.** Card PANs and sensitive authentication data are never stored; card processing is delegated to tokenized provider services (Coinflow card-on-file tokens), with card-on-file velocity limits enforced. Data Protection ~~~~~~~~~~~~~~~ - Field-level AES encryption of sensitive columns with a dedicated sensitive-data key separate from the default encryption key (Identity, Onramp). - KYC document data encrypted at rest with a dedicated document encryption key (Risk). - All secrets held in GCP Secret Manager, namespaced per environment; Docker images are distroless/minimal with no embedded credentials. Auditability & Monitoring ------------------------- - Every service emits audit traces to the Audit service (``audit.events.log``); response logs and session-level request logging capture full request context. - Entity-level audit-log tables in the Billing service (fees, invoices, subscriptions) and API-key audit logs in the Identity service. - Kafka-driven transaction monitoring in the Risk service evaluates every transfer (``transactions.monitoring.initiate`` → ``passed`` / ``failed``). - Structured logging platform-wide (zap / zerolog / tracing) with health endpoints on every service; operational alerts to Slack. Compliance Posture ------------------ - **KYC / KYB.** Customer and business verification is operated through Sumsub (identity verification, document collection, liveness), with verification state gating feature activation across accounts and cards. - **Feature gating.** The Risk service enforces feature eligibility: product capabilities (accounts, cards) activate only after the required verification level is met. - **Sanctions / monitoring.** Transaction monitoring rules run on every money-movement event before settlement proceeds. - **PCI scope minimisation.** Gravv does not store PANs; card flows run through PCI-DSS-compliant partner processors with tokenization. - **Partner-delegated regulation.** Banking, card issuing, and payout execution are performed by regulated partners in each jurisdiction; Gravv maintains reconciliation and audit trails against partner records.