Data residency
- Database: PostgreSQL CNPG cluster, replicated across hosts in Morocco and the EU.
- Object storage: Cloudflare R2 (EU region for object storage, edge cache global).
- Backups: double pipeline — incremental WAL streaming to B2 (RPO ≈ 5 min) + daily logical pg_dump to a separate S3‑compatible store (RPO 24 h).
- Audit log: retained 7 years in WORM (Cloudflare R2 Object Lock).
Encryption
| Layer | Mechanism |
|---|---|
| Transit (your bank ↔ SafarAPI) | TLS 1.3 only, HSTS preload |
| API key secrets at rest | Argon2id (memory cost 64 MiB, iterations 3) |
| Database backups | AES‑256 server‑side encryption |
| Sealed Secrets (K3s) | Bitnami Sealed Secrets, controller key rotation annually |
Authentication
| Surface | Method |
|---|---|
api.safarapi.com (your machine‑to‑machine traffic) | Bearer API key + HMAC SHA256 on writes |
console.safarapi.com (your team’s dashboard) | Magic link → Keycloak realm safarapi-partners, MFA enforced |
Conformity
| Standard | Status |
|---|---|
| RGPD / Loi marocaine 09‑08 | Signed — available on request |
| Bank Al‑Maghrib externalisation requirements | Available — documentation pack under NDA |
| ISO 27001 | In preparation — target Q4 2026 |
| SOC 2 Type I | In preparation — target Q4 2026 |
| PCI DSS | Not applicable — SafarAPI never handles card data; your bank’s checkout owns PCI scope |
SLA — contractual commitments
| Metric | Commitment |
|---|---|
| API uptime monthly | 99.5 % (= max 3 h 17 min downtime / month) |
| Latency p95 (reads) | < 500 ms |
| Latency p95 (writes) | < 1 s |
| Latency p99 | < 2 s |
| RTO major incident | 4 hours |
| RPO | 15 minutes |
| Critical incident response time | < 1 hour |
| High‑severity incident response time | < 4 hours |
| Normal severity response time | < 1 business day |
Incident handling
Active incidents will be published onstatus.safarapi.com (being provisioned), with per-component email/webhook subscription. Until then, approved partners are notified directly per the SLA.
For security incidents specifically (data breach, suspected compromise), SafarAPI follows a 72‑hour notification SLA aligned with RGPD article 33.
Pen testing
SafarAPI is pen‑tested annually by an independent cabinet. The pen‑test summary is available under NDA on request.Vulnerability disclosure
Found something? Email security@safarapi.com — we acknowledge within 24 hours and follow responsible disclosure practices.Common compliance questions
Can SafarAPI sign our Data Processing Agreement?
Can SafarAPI sign our Data Processing Agreement?
Yes. Our standard DPA covers Morocco (Loi 09‑08) and EU (RGPD) requirements. We can also accept your DPA template after legal review.
Where is customer data stored?
Where is customer data stored?
All data (bookings, audit log) lives in our CNPG cluster spread across Morocco and EU hosts. Backups in Cloudflare B2 (EU region). No data transits outside this perimeter.
Can we audit the audit log?
Can we audit the audit log?
Yes. The full audit log (every API request) is exportable from your console (CSV or JSONL). For compliance audits, your team can also request a specific period extract with cryptographic checksum.
What happens if our API key is compromised?
What happens if our API key is compromised?
Revoke the key from your console (instant). All subsequent requests with that key return 401. We recommend rotating keys every 90 days as a baseline; mandatory after any suspected exposure.
Do you offer IP allowlisting?
Do you offer IP allowlisting?
Yes — configurable per partner from the console. Requests from non‑allowlisted IPs return 403 with an audit log entry. We strongly recommend enabling this for production keys.