Security & Compliance

Defence in Depth

Security controls are layered across the edge, transport, application, and data tiers.

Edge Controls

  • Authentication. JWT bearer tokens (HS256) for dashboard sessions, prefixed API keys for programmatic access, super-admin tokens for internal operations, and dedicated authentication for hosted payment pages.

  • Rate limiting. Per-tenant token-bucket rate limiting at the gateway, with a separate limiter for payment-link surfaces.

  • Idempotency. Redis-backed idempotency middleware on POST requests; keys propagate downstream as gRPC metadata so double submission cannot double spend.

  • Network controls. Allowed-host enforcement, explicit CORS policy, and IP whitelist middleware for partner API surfaces.

  • Tenant IP controls. Tenants can whitelist/blacklist IP addresses for their API access via the Identity service.

Transport Security

  • TLS on all external traffic; TLS with pinned CA bundles (layered over native roots) for cross-environment gRPC.

  • Kafka TLS with certificate-based client authentication in sandbox and live.

  • Tenant and user context propagated as authenticated gRPC metadata and validated at each service (x-tenant-id, x-user-id, x-session-id).

Application Controls

  • Per-RPC authorization interceptors in every gRPC service; a live-access gate in the Identity service controls production access per tenant.

  • Dual authorization for high-value operations: OTC orders and transfers require a second approver (approve/reject workflows with separate approval records).

  • Webhook signing. Outbound merchant webhooks are HMAC-SHA256 signed with per-tenant secrets; inbound provider requests use provider-specific signature schemes (HMAC for Dlocal, Duplo HMAC-SHA512, Yellow Card, Fincra, Yolat, Thunes with a secret webhook path).

  • Custody signing. Every mutating custody operation is user-action signed against Dfns with an ECDSA P-256 key (challenge–response), so wallet operations cannot be replayed or forged.

  • Card data. Card PANs and sensitive authentication data are never stored; card processing is delegated to tokenized provider services (Coinflow card-on-file tokens), with card-on-file velocity limits enforced.

Data Protection

  • Field-level AES encryption of sensitive columns with a dedicated sensitive-data key separate from the default encryption key (Identity, Onramp).

  • KYC document data encrypted at rest with a dedicated document encryption key (Risk).

  • All secrets held in GCP Secret Manager, namespaced per environment; Docker images are distroless/minimal with no embedded credentials.

Auditability & Monitoring

  • Every service emits audit traces to the Audit service (audit.events.log); response logs and session-level request logging capture full request context.

  • Entity-level audit-log tables in the Billing service (fees, invoices, subscriptions) and API-key audit logs in the Identity service.

  • Kafka-driven transaction monitoring in the Risk service evaluates every transfer (transactions.monitoring.initiatepassed / failed).

  • Structured logging platform-wide (zap / zerolog / tracing) with health endpoints on every service; operational alerts to Slack.

Compliance Posture

  • KYC / KYB. Customer and business verification is operated through Sumsub (identity verification, document collection, liveness), with verification state gating feature activation across accounts and cards.

  • Feature gating. The Risk service enforces feature eligibility: product capabilities (accounts, cards) activate only after the required verification level is met.

  • Sanctions / monitoring. Transaction monitoring rules run on every money-movement event before settlement proceeds.

  • PCI scope minimisation. Gravv does not store PANs; card flows run through PCI-DSS-compliant partner processors with tokenization.

  • Partner-delegated regulation. Banking, card issuing, and payout execution are performed by regulated partners in each jurisdiction; Gravv maintains reconciliation and audit trails against partner records.