Security — Electrik.NG

Security is not an afterthought at Electrik.NG — it is built into every layer of the platform, from how we store your password to how we verify payment webhooks. This page describes the measures we take and what you can do to keep your account secure.

How we protect you

🔐

Encrypted in transit

All traffic between your browser and our servers uses TLS 1.2 or higher. Connections over plain HTTP are automatically redirected to HTTPS.

🔑

Hashed passwords

Passwords are hashed using PBKDF2 with a random per-user salt. We never store or have access to your plain-text password.

💳

No card data stored

Card numbers, CVVs, and bank credentials are processed entirely by Paystack (PCI DSS compliant). They never touch our servers.

🛡️

CSRF protection

Every form submission is protected by an anti-forgery token. Requests without a valid token are rejected before any action is taken.

✅

Webhook verification

Paystack and WhatsApp webhook payloads are verified using HMAC-SHA256 signatures before any funds are moved or tokens are delivered.

📵

Phone numbers hashed

WhatsApp phone numbers are stored only as SHA-256 hashes. We cannot reverse the hash to recover your original number.

🔒

Encrypted credentials

All third-party API keys are encrypted at rest using ASP.NET Core Data Protection and are only decrypted inside isolated service components.

🕵️

Rate limiting

📋

Full audit logging

All administrative actions are recorded in a tamper-evident audit log with actor ID, timestamp, and IP address.

What you can do to stay secure

Use a strong, unique password. A password manager makes this easy. Avoid reusing the same password across multiple services.

Verify the URL: always ensure you are on electrik.ng before entering your login credentials or payment details. We will never ask for your password by email or SMS.
Watch for phishing: we only send emails from the @electrik.ng domain. Any email claiming to be from Electrik.NG from another domain is fraudulent — do not click any links in it.
Keep your WhatsApp secure: if your phone is lost or stolen, unlink your WhatsApp account immediately from our website or by emailing support. Your WhatsApp bot access is tied to your phone number — anyone with physical access to your device could potentially send bot commands.
Log out on shared devices: always log out after using Electrik.NG on a device you share with others.
Check your transaction history regularly: if you notice any transaction you did not authorise, contact us immediately at support@electrik.ng.

Responsible disclosure

Found a security vulnerability?

We welcome responsible disclosure from security researchers and the wider community. If you discover a vulnerability in our platform, please report it privately so we can fix it before it is exploited.

Email your findings to security@electrik.ng with a clear description of the vulnerability, steps to reproduce, and the potential impact.
We will acknowledge your report within 2 business days and provide an estimated timeline for investigation and remediation.
Please give us a reasonable amount of time to address the issue before any public disclosure. We ask for at least 30 days.
Do not access, modify, or exfiltrate user data beyond what is necessary to demonstrate the vulnerability.

We will credit researchers who responsibly disclose valid vulnerabilities, where they wish to be credited.

Contact

To report a security issue: security@electrik.ng

For general account security concerns: support@electrik.ng

Security at Electrik.NG