Security and privacy are core to how Haaafla is built. This page describes the controls that are actually in place today — we do not list certifications we have not earned or controls we have not implemented.
Haaafla is built, run and managed by ChrisDevCode Technologies. If you have a security question or want to report a vulnerability, see “Responsible disclosure” below.
All traffic between your browser and Haaafla is served over HTTPS (TLS). Plain-HTTP requests are redirected to HTTPS in production.
We enforce HTTP Strict Transport Security (HSTS) with a one-year max-age, includeSubDomains and preload, so a browser that has seen the header (or that ships with the domain in its preload list) refuses to connect over plain HTTP, including to subdomains.
Session and CSRF cookies are marked Secure (sent only over HTTPS), and CSRF protection is applied to authenticated, state-changing requests.
Payments are processed by Paystack, a PCI-DSS Level 1 certified payment provider. Card details are entered on the processor’s secure, hosted checkout — they are never seen, handled, or stored on Haaafla’s servers.
We store only a payment reference, amount, and status for each transaction; no card numbers (PANs) or full payment instruments are persisted by Haaafla.
Supported methods (via Paystack) include M-Pesa, card, and bank transfer.
Account passwords are never stored in plaintext. They are hashed with PBKDF2, a salted, iterated one-way key-derivation function, so the original password cannot be recovered from our records, and the per-account salt means two users with the same password do not share a hash.
Password-strength checks (minimum length, common-password and similarity validation) are applied when accounts are created.
Authorization is enforced on the server. Event organizers can access only their own events, attendees, and sales data; they cannot see or modify another organizer’s data.
Programmatic API access uses API keys. The raw key is shown once, at creation, and is never stored; we keep only its SHA-256 hash, and every key has an expiry.
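The two credential-storage patterns above (PBKDF2 for passwords, a plain SHA-256 hash plus expiry for API keys) side by side, as an added example that is not Haaafla's code. Passwords are low-entropy and guessable, so they get a slow, salted key-derivation function; API keys come straight from a CSPRNG with 256 bits of entropy, so a single fast hash protects the stored copy and the raw key can be handed out once and forgotten. The record layout, the `hk_` prefix, the eight-character lookup prefix and the iteration count are assumptions.

```python
"""Added example (not Haaafla's code): password hashing with PBKDF2 next to
hash-only storage of high-entropy API keys. Layout, prefix and iteration
count are assumptions."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

PBKDF2_ITERATIONS = 600_000  # assumed; OWASP's 2023 floor for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: pbkdf2_sha256$<iterations>$<salt>$<hash>."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


@dataclass
class ApiKeyRecord:
    prefix: str            # non-secret: first 8 chars of the raw key, used for lookup
    key_hash: str          # sha256 hex of the full raw key; the raw key is never stored
    expires_at: datetime
    revoked: bool = False


def issue_api_key(ttl_days: int = 90, now: Optional[datetime] = None):
    """Generate a key and its stored record. The raw key is shown to the user once."""
    now = now or datetime.now(timezone.utc)
    raw = "hk_" + secrets.token_urlsafe(32)  # 32 random bytes = 256 bits of entropy
    record = ApiKeyRecord(
        prefix=raw[:8],
        key_hash=hashlib.sha256(raw.encode("ascii")).hexdigest(),
        expires_at=now + timedelta(days=ttl_days),
    )
    return raw, record


def verify_api_key(presented: str, records: List[ApiKeyRecord],
                   now: Optional[datetime] = None) -> Optional[ApiKeyRecord]:
    """Return the matching live record, or None if unknown, expired or revoked."""
    now = now or datetime.now(timezone.utc)
    digest = hashlib.sha256(presented.encode("ascii", "ignore")).hexdigest()
    for rec in records:
        if rec.prefix != presented[:8]:
            continue  # the prefix is public, so it is safe to filter on cheaply
        if rec.revoked or rec.expires_at <= now:
            return None
        if hmac.compare_digest(rec.key_hash, digest):
            return rec
    return None
```

The asymmetry is deliberate: a leaked PBKDF2 hash still costs an attacker a slow guess per candidate password, while a leaked SHA-256 of a 256-bit random key cannot be inverted or brute-forced at all, so the extra cost of a slow KDF buys nothing there. Both comparisons go through `hmac.compare_digest` so a timing side channel cannot narrow the search.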
Security response headers are applied across the platform, including a Content-Security-Policy, X-Frame-Options (clickjacking protection), X-Content-Type-Options: nosniff, a strict Referrer-Policy, and a restrictive Permissions-Policy.
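A check for the transport and header policy described above (HSTS with a one-year max-age, includeSubDomains and preload; Secure cookies; the response headers just listed), as an added example that is not Haaafla's code. It audits one response's headers and returns findings, so it can run in CI or against a staging host. The two sample responses are constructed, the cookie names follow Django's defaults as an assumption, and the HttpOnly check on session cookies is an addition beyond what the page claims.

```python
"""Added example (not Haaafla's code): audit one HTTP response against the header
policy on this page. `headers` maps name -> list of values, since Set-Cookie repeats.
The sample responses are constructed, not captured from Haaafla."""
import re
from typing import Dict, List

ONE_YEAR = 31_536_000
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}


def _get(headers: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive header lookup returning every value (possibly none)."""
    return [v for k, vals in headers.items() if k.lower() == name.lower() for v in vals]


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means the response meets the policy."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age %d < one year" % max_age)
        if "includesubdomains" not in hsts[0].lower():
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in hsts[0].lower():
            findings.append("HSTS lacks preload")

    if not _get(headers, "Content-Security-Policy"):
        findings.append("Content-Security-Policy missing")
    xfo = _get(headers, "X-Frame-Options")
    if not xfo or xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    xcto = _get(headers, "X-Content-Type-Options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    rp = _get(headers, "Referrer-Policy")
    if not rp or rp[0].strip().lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy missing or not strict")
    if not _get(headers, "Permissions-Policy"):
        findings.append("Permissions-Policy missing")

    for cookie in _get(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().lower() for p in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s not Secure" % name)
        # HttpOnly is an addition: the page only claims Secure, but a session
        # cookie readable by script is a worse loss under XSS than a CSRF token.
        if "session" in name.lower() and "httponly" not in attrs:
            findings.append("cookie %s not HttpOnly" % name)
    return findings


# Constructed sample responses (Django-style cookie names are an assumption).
WEAK = {
    "Strict-Transport-Security": ["max-age=300"],
    "X-Frame-Options": ["ALLOW-FROM https://example.com"],
    "Set-Cookie": ["sessionid=abc123; Path=/"],
}
HARDENED = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains; preload"],
    "Content-Security-Policy": ["default-src 'self'; frame-ancestors 'none'"],
    "X-Frame-Options": ["DENY"],
    "X-Content-Type-Options": ["nosniff"],
    "Referrer-Policy": ["strict-origin-when-cross-origin"],
    "Permissions-Policy": ["camera=(), microphone=(), geolocation=()"],
    "Set-Cookie": [
        "sessionid=abc123; HttpOnly; Secure; SameSite=Lax; Path=/",
        "csrftoken=xyz789; Secure; SameSite=Lax; Path=/",
    ],
}
```

Run it against a real response by building `headers` from your HTTP client's raw header list (keep every `Set-Cookie` line, not just the last). Note that the max-age floor of one year and the presence of both `includeSubDomains` and `preload` are exactly the conditions the HSTS preload list requires, so a clean result here is also a preload-eligibility check.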
API endpoints are rate-limited, with stricter limits on sensitive actions such as checkout, reservations, and award nominations/votes.
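The tiered limiting described above, as an added example that is not Haaafla's code: a sliding-window limiter that keeps a separate, stricter budget for checkout, reservation and award-vote routes. The numeric limits, the route prefixes and the in-memory store are assumptions; a deployment with several app servers would keep the windows in a shared store such as Redis so every instance counts the same requests.

```python
"""Added example (not Haaafla's code): a sliding-window rate limiter with a
stricter tier for sensitive routes. Limits, route names and the in-memory
store are assumptions."""
from collections import defaultdict, deque
from typing import Dict, Tuple

# route tier -> (max requests, window in seconds); values are illustrative
LIMITS: Dict[str, Tuple[int, int]] = {
    "default": (100, 60),
    "checkout": (5, 60),
    "reservation": (10, 60),
    "award_vote": (3, 3600),
}


def classify_route(path: str) -> str:
    """Map a request path to a limit tier (the prefixes are assumptions)."""
    if path.startswith("/checkout"):
        return "checkout"
    if path.startswith("/reservations"):
        return "reservation"
    if path.startswith("/awards/") and (path.endswith("/vote") or path.endswith("/nominate")):
        return "award_vote"
    return "default"


class SlidingWindowLimiter:
    """Keeps a timestamp log per (tier, client); a request is allowed only if
    fewer than `max_requests` timestamps fall inside the trailing window."""

    def __init__(self, limits: Dict[str, Tuple[int, int]] = LIMITS):
        self.limits = limits
        self._log = defaultdict(deque)

    def allow(self, client: str, path: str, now: float) -> bool:
        tier = classify_route(path)
        max_requests, window = self.limits[tier]
        log = self._log[(tier, client)]
        while log and log[0] <= now - window:  # drop timestamps outside the window
            log.popleft()
        if len(log) >= max_requests:
            return False  # caller answers 429 Too Many Requests
        log.append(now)
        return True


def run_burst(limiter, client, path, start, count, spacing=0.5):
    """Send `count` requests `spacing` seconds apart; return (allowed, rejected)."""
    allowed = rejected = 0
    for i in range(count):
        if limiter.allow(client, path, start + i * spacing):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected
```

Because the budget is keyed by (tier, client), a client exhausting the checkout budget can still browse event pages, and one client's burst never consumes another's allowance. The sliding window avoids the boundary burst a fixed per-minute counter permits, where a client gets two full budgets back to back across the minute mark.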
Public actions that are prone to abuse (award nominations and votes) are protected by Cloudflare Turnstile bot challenges.
Application secrets and credentials are loaded from environment variables and are never committed to source code.
We handle personal data in line with the Kenya Data Protection Act, 2019.
For attendee and event data processed on behalf of event organizers, Haaafla generally acts as a Data Processor and the organizer is the Data Controller. For the account data of our own users, Haaafla is the Data Controller.
When you delete your account, we remove your personal data within 30 days, except where we are required to retain it by law. See our Privacy Policy for full details.
If we become aware of a personal-data breach that affects you, we are committed to notifying affected users and the relevant supervisory authority without undue delay, and within 72 hours of becoming aware of the breach where feasible.
If you believe you have found a security vulnerability, please report it privately to [email protected] or message us on WhatsApp.
Please give us a reasonable chance to investigate and fix the issue before disclosing it publicly. Do not access, modify, or delete data that is not yours, and avoid tests that degrade the service for others. We appreciate good-faith research and will work with you on a fix.
We are transparent about what is not yet in place. Two-factor authentication for accounts and formal third-party certification (such as ISO 27001 or SOC 2) are on our roadmap but are not implemented today, and we will not display certification badges until they are independently verified.