SafarAPI is built for regulated financial institutions. This page covers the security and compliance posture in the level of detail your internal audit and legal teams expect.Documentation Index
Fetch the complete documentation index at: https://developers.safarapi.com/llms.txt
Use this file to discover all available pages before exploring further.
Data residency
- Database : PostgreSQL CNPG cluster, replicated across hosts in Morocco and the EU.
- Object storage : Cloudflare R2 (EU region for object storage, edge cache global).
- Backups : double pipeline — incremental WAL streaming to B2 (RPO ≈ 5 min) + daily logical pg_dump to a separate S3‑compatible store (RPO 24 h).
- Audit log : retained 7 years in WORM (Cloudflare R2 Object Lock).
Encryption
| Layer | Mechanism |
|---|---|
| Transit (your bank ↔ SafarAPI) | TLS 1.3 only, HSTS preload |
| API key secrets at rest | Argon2id (memory cost 64 MiB, iterations 3) |
| Database backups | AES‑256 server‑side encryption |
| Sealed Secrets (K3s) | Bitnami Sealed Secrets, controller key rotation annually |
Authentication
| Surface | Method |
|---|---|
api.safarapi.com (your machine‑to‑machine traffic) | Bearer API key + HMAC SHA256 on writes |
console.safarapi.com (your team’s dashboard) | Magic link → Keycloak realm safarapi-partners, MFA enforced |
admin.safarapi.com (SafarAPI internal staff) | Keycloak SSO + MFA + IP allowlist |
Conformity
| Standard | Status |
|---|---|
| RGPD / Loi marocaine 09‑08 | ✅ DPA signed available on request |
| Bank Al‑Maghrib externalisation requirements | ✅ Compliance documentation pack available under NDA |
| ISO 27001 | 🟡 In preparation, target Q4 2026 |
| SOC 2 Type I | 🟡 In preparation, target Q4 2026 |
| PCI DSS | ⚪ N/A — SafarAPI never handles card data; your bank’s checkout owns PCI scope |
SLA — contractual commitments
| Metric | Commitment |
|---|---|
| API uptime monthly | 99.5 % (= max 3 h 17 min downtime / month) |
| Latency p95 (reads) | < 500 ms |
| Latency p95 (writes) | < 1 s |
| Latency p99 | < 2 s |
| RTO major incident | 4 hours |
| RPO | 15 minutes |
| Critical incident response time | < 1 hour |
| High‑severity incident response time | < 4 hours |
| Normal severity response time | < 1 business day |
Incident handling
Active incidents are published in real time on status.safarapi.com. You can subscribe to email or webhook notifications per component. For security incidents specifically (data breach, suspected compromise), SafarAPI follows a 72‑hour notification SLA aligned with RGPD article 33.Pen testing
SafarAPI is pen‑tested annually by an independent cabinet. The pen‑test summary is available under NDA on request.Vulnerability disclosure
Found something? Email security@safarapi.com — we acknowledge within 24 hours and follow responsible disclosure practices.Common compliance questions
Can SafarAPI sign our Data Processing Agreement?
Can SafarAPI sign our Data Processing Agreement?
Yes. Our standard DPA covers Morocco (Loi 09‑08) and EU (RGPD) requirements. We can also accept your DPA template after legal review.
Where is customer data stored?
Where is customer data stored?
All data (bookings, audit log) lives in our CNPG cluster spread across Morocco and EU hosts. Backups in Cloudflare B2 (EU region). No data transits outside this perimeter.
Can we audit the audit log?
Can we audit the audit log?
Yes. The full audit log (every API request) is exportable from your console (CSV or JSONL). For compliance audits, your team can also request a specific period extract with cryptographic checksum.
What happens if our API key is compromised?
What happens if our API key is compromised?
Revoke the key from your console (instant). All subsequent requests with that key return 401. We recommend rotating keys every 90 days as a baseline; mandatory after any suspected exposure.
Do you offer IP allowlisting?
Do you offer IP allowlisting?
Yes — configurable per partner from the console. Requests from non‑allowlisted IPs return 403 with an audit log entry. We strongly recommend enabling this for production keys.