> ## Documentation Index
> Fetch the complete documentation index at: https://developers.safarapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Compliance

> What your compliance team needs to know

SafarAPI is built for regulated financial institutions. This page covers the security and compliance posture in the level of detail your internal audit and legal teams expect.

## Data residency

* **Database**: PostgreSQL CNPG cluster, replicated across hosts in Morocco and the EU.
* **Object storage**: Cloudflare R2 (EU region for object storage, edge cache global).
* **Backups**: double pipeline — incremental WAL streaming to B2 (RPO ≈ 5 min) + daily logical pg\_dump to a separate S3‑compatible store (RPO 24 h).
* **Audit log**: retained 7 years in WORM (Cloudflare R2 Object Lock).

## Encryption

| Layer                          | Mechanism                                                |
| ------------------------------ | -------------------------------------------------------- |
| Transit (your bank ↔ SafarAPI) | TLS 1.3 only, HSTS preload                               |
| API key secrets at rest        | Argon2id (memory cost 64 MiB, iterations 3)              |
| Database backups               | AES‑256 server‑side encryption                           |
| Sealed Secrets (K3s)           | Bitnami Sealed Secrets, controller key rotation annually |

## Authentication

| Surface                                              | Method                                                        |
| ---------------------------------------------------- | ------------------------------------------------------------- |
| `api.safarapi.com` (your machine‑to‑machine traffic) | Bearer API key + HMAC SHA256 on writes                        |
| `console.safarapi.com` (your team's dashboard)       | Magic link → Keycloak realm `safarapi-partners`, MFA enforced |

Internal Safariat staff surfaces are isolated from the partner perimeter
(separate authentication, MFA, and IP allow-listing).

## Conformity

| Standard                                     | Status                                                                                 |
| -------------------------------------------- | -------------------------------------------------------------------------------------- |
| RGPD / Loi marocaine 09‑08                   | Signed — available on request                                                          |
| Bank Al‑Maghrib externalisation requirements | Available — documentation pack under NDA                                               |
| ISO 27001                                    | In preparation — target Q4 2026                                                        |
| SOC 2 Type I                                 | In preparation — target Q4 2026                                                        |
| PCI DSS                                      | Not applicable — SafarAPI never handles card data; your bank's checkout owns PCI scope |

<Tip>
  On approval for production, your compliance team receives a **bundle of attestations** (PDF) covering hosting providers, backup attestations, pen‑test summary, and DPA. Annual refresh.
</Tip>

## SLA — contractual commitments

| Metric                               | Commitment                                 |
| ------------------------------------ | ------------------------------------------ |
| API uptime monthly                   | 99.5 % (= max 3 h 17 min downtime / month) |
| Latency p95 (reads)                  | \< 500 ms                                  |
| Latency p95 (writes)                 | \< 1 s                                     |
| Latency p99                          | \< 2 s                                     |
| RTO major incident                   | 4 hours                                    |
| RPO                                  | 15 minutes                                 |
| Critical incident response time      | \< 1 hour                                  |
| High‑severity incident response time | \< 4 hours                                 |
| Normal severity response time        | \< 1 business day                          |

SLA credits: **5 % of your monthly invoice for each 0.1 % below the uptime target.**

## Incident handling

Active incidents will be published on `status.safarapi.com` (being provisioned), with per-component email/webhook subscription. Until then, approved partners are notified directly per the SLA.

For security incidents specifically (data breach, suspected compromise), SafarAPI follows a 72‑hour notification SLA aligned with RGPD article 33.

## Pen testing

SafarAPI is pen‑tested annually by an independent cabinet. The pen‑test summary is available under NDA on request.

## Vulnerability disclosure

Found something? Email [security@safarapi.com](mailto:security@safarapi.com) — we acknowledge within 24 hours and follow responsible disclosure practices.

## Common compliance questions

<AccordionGroup>
  <Accordion title="Can SafarAPI sign our Data Processing Agreement?">
    Yes. Our standard DPA covers Morocco (Loi 09‑08) and EU (RGPD) requirements. We can also accept your DPA template after legal review.
  </Accordion>

  <Accordion title="Where is customer data stored?">
    All data (bookings, audit log) lives in our CNPG cluster spread across Morocco and EU hosts. Backups in Cloudflare B2 (EU region). No data transits outside this perimeter.
  </Accordion>

  <Accordion title="Can we audit the audit log?">
    Yes. The full audit log (every API request) is exportable from your console (CSV or JSONL). For compliance audits, your team can also request a specific period extract with cryptographic checksum.
  </Accordion>

  <Accordion title="What happens if our API key is compromised?">
    Revoke the key from your console (instant). All subsequent requests with that key return 401. We recommend rotating keys every 90 days as a baseline; mandatory after any suspected exposure.
  </Accordion>

  <Accordion title="Do you offer IP allowlisting?">
    Yes — configurable per partner from the console. Requests from non‑allowlisted IPs return 403 with an audit log entry. We strongly recommend enabling this for production keys.
  </Accordion>
</AccordionGroup>
