Skip to main content
SafarAPI is built for regulated financial institutions. This page covers the security and compliance posture in the level of detail your internal audit and legal teams expect.

Data residency

  • Database: PostgreSQL CNPG cluster, replicated across hosts in Morocco and the EU.
  • Object storage: Cloudflare R2 (EU region for object storage, edge cache global).
  • Backups: double pipeline — incremental WAL streaming to B2 (RPO ≈ 5 min) + daily logical pg_dump to a separate S3‑compatible store (RPO 24 h).
  • Audit log: retained 7 years in WORM (Cloudflare R2 Object Lock).

Encryption

LayerMechanism
Transit (your bank ↔ SafarAPI)TLS 1.3 only, HSTS preload
API key secrets at restArgon2id (memory cost 64 MiB, iterations 3)
Database backupsAES‑256 server‑side encryption
Sealed Secrets (K3s)Bitnami Sealed Secrets, controller key rotation annually

Authentication

SurfaceMethod
api.safarapi.com (your machine‑to‑machine traffic)Bearer API key + HMAC SHA256 on writes
console.safarapi.com (your team’s dashboard)Magic link → Keycloak realm safarapi-partners, MFA enforced
Internal Safariat staff surfaces are isolated from the partner perimeter (separate authentication, MFA, and IP allow-listing).

Conformity

StandardStatus
RGPD / Loi marocaine 09‑08Signed — available on request
Bank Al‑Maghrib externalisation requirementsAvailable — documentation pack under NDA
ISO 27001In preparation — target Q4 2026
SOC 2 Type IIn preparation — target Q4 2026
PCI DSSNot applicable — SafarAPI never handles card data; your bank’s checkout owns PCI scope
On approval for production, your compliance team receives a bundle of attestations (PDF) covering hosting providers, backup attestations, pen‑test summary, and DPA. Annual refresh.

SLA — contractual commitments

MetricCommitment
API uptime monthly99.5 % (= max 3 h 17 min downtime / month)
Latency p95 (reads)< 500 ms
Latency p95 (writes)< 1 s
Latency p99< 2 s
RTO major incident4 hours
RPO15 minutes
Critical incident response time< 1 hour
High‑severity incident response time< 4 hours
Normal severity response time< 1 business day
SLA credits: 5 % of your monthly invoice for each 0.1 % below the uptime target.

Incident handling

Active incidents will be published on status.safarapi.com (being provisioned), with per-component email/webhook subscription. Until then, approved partners are notified directly per the SLA. For security incidents specifically (data breach, suspected compromise), SafarAPI follows a 72‑hour notification SLA aligned with RGPD article 33.

Pen testing

SafarAPI is pen‑tested annually by an independent cabinet. The pen‑test summary is available under NDA on request.

Vulnerability disclosure

Found something? Email security@safarapi.com — we acknowledge within 24 hours and follow responsible disclosure practices.

Common compliance questions

Yes. Our standard DPA covers Morocco (Loi 09‑08) and EU (RGPD) requirements. We can also accept your DPA template after legal review.
All data (bookings, audit log) lives in our CNPG cluster spread across Morocco and EU hosts. Backups in Cloudflare B2 (EU region). No data transits outside this perimeter.
Yes. The full audit log (every API request) is exportable from your console (CSV or JSONL). For compliance audits, your team can also request a specific period extract with cryptographic checksum.
Revoke the key from your console (instant). All subsequent requests with that key return 401. We recommend rotating keys every 90 days as a baseline; mandatory after any suspected exposure.
Yes — configurable per partner from the console. Requests from non‑allowlisted IPs return 403 with an audit log entry. We strongly recommend enabling this for production keys.