Section 01
Data Encryption
Encryption at Rest
All data stored on our servers is encrypted using AES-256 encryption — the same standard used by banks and governments worldwide. This includes:
- Passport scans and identity documents
- Financial information and payment details
- Personal data (names, addresses, contact information)
- Application forms and supporting documents
- Communication history and messages
Encryption in Transit
All data transmitted between your device and our servers uses TLS 1.3 encryption with perfect forward secrecy.
- Your data cannot be read by anyone intercepting it in transit
- Even if the server's long-term private key is later compromised, past sessions remain secure (perfect forward secrecy)
- All API communications are encrypted end-to-end
With 256-bit AES encryption, it would take a supercomputer billions of years to crack your data. Your passport and personal documents are more secure with us than in a physical safe.
Section 02
Compliance & Certifications
SwiftPass maintains the highest security standards through independent audits and certifications:
SOC 2 Type II
Independently audited to verify our security controls, data handling practices, and compliance with industry standards. Audited annually by third-party security firms.
ISO 27001 Certified
International standard for information security management systems. Covers all aspects of data security, risk management, and business continuity.
GDPR Compliant
Full compliance with the European Union's General Data Protection Regulation. Your data privacy rights are protected regardless of where you're located.
CCPA Compliant
Compliant with the California Consumer Privacy Act. California residents have full control over their personal information.
PCI DSS Level 1
Payment Card Industry Data Security Standard compliance through our payment processors. We never store your card information on our servers.
Section 03
Infrastructure Security
Cloud Infrastructure
SwiftPass runs on Amazon Web Services (AWS), the world's most secure and reliable cloud infrastructure:
- Multi-region redundancy: Data replicated across multiple AWS regions for maximum availability
- DDoS protection: AWS Shield protects against distributed denial-of-service attacks
- Physical security: AWS data centres have military-grade physical security
- Network isolation: Applications run in isolated Virtual Private Clouds (VPCs)
- Automated backups: Continuous backups with point-in-time recovery
Database Security
- Encrypted at rest with AES-256
- Encrypted in transit with TLS 1.3
- Network isolation — no direct internet access
- Automated daily backups retained for 30 days
- Read replicas for disaster recovery
Application Security
- Protection against OWASP Top 10 vulnerabilities
- SQL injection prevention through parameterized queries
- Cross-site scripting (XSS) protection
- Cross-site request forgery (CSRF) protection
- Rate limiting and abuse prevention
- Secure session management with encrypted tokens
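The following added example (not SwiftPass code; the table, rows and inputs are constructed for illustration) shows what "SQL injection prevention through parameterized queries" means in practice. It places a string-built query next to its parameterized form and counts the rows each returns for a normal email and for an input that contains SQL metacharacters; the parameterized form binds the input as a plain value, so the quote characters have no effect on the query.

```python
import sqlite3


def build_db():
    # Constructed in-memory sample database; the table and rows are illustrative only.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applications (id INTEGER PRIMARY KEY, email TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO applications (email, status) VALUES (?, ?)",
        [("alice@example.com", "submitted"), ("bob@example.com", "approved")],
    )
    return conn


def lookup_unsafe(conn, email):
    # Anti-pattern: the caller's input is spliced into the SQL text, so a quote
    # in `email` becomes part of the statement instead of part of the value.
    query = f"SELECT email, status FROM applications WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    # Parameterized query: the driver binds `email` as data; it can never be
    # interpreted as SQL syntax regardless of what characters it contains.
    return conn.execute(
        "SELECT email, status FROM applications WHERE email = ?", (email,)
    ).fetchall()


def compare_lookups():
    """Return row counts for both lookups on a normal and a metacharacter-laden input."""
    conn = build_db()
    normal = "alice@example.com"
    hostile = "x' OR '1'='1"  # constructed input containing quote characters
    return {
        "unsafe_normal": len(lookup_unsafe(conn, normal)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),
        "safe_normal": len(lookup_safe(conn, normal)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    print(compare_lookups())
```

The string-built lookup returns every row for the hostile input because the quote closes the literal early; the parameterized lookup returns nothing, since no stored email equals that exact string. The same placeholder style (`?` for sqlite3, `%s` for psycopg, named parameters for SQLAlchemy) applies whatever the driver.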
Section 04
Access Controls
User Account Security
- Password requirements: Minimum 8 characters with complexity requirements
- Bcrypt hashing: Passwords hashed with industry-standard algorithms
- Account lockout: Automatic lockout after failed login attempts
- Session timeout: Automatic logout after inactivity
- Device tracking: Monitor and manage logged-in devices
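As an added illustration of the account controls listed above (this is example code, not SwiftPass's implementation), the sketch below hashes passwords with a salted, deliberately slow function, locks an account after a fixed number of failed logins, and expires sessions after a period of inactivity. The thresholds are assumptions, since the page gives no numbers, and scrypt from the standard library stands in for bcrypt so the example runs without third-party packages; the design is the same for either hash.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy values; the page states the controls but not the thresholds.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
SESSION_IDLE_SECONDS = 30 * 60


def hash_password(password: str, salt: Optional[bytes] = None):
    # scrypt stands in for bcrypt here: both are salted, memory/CPU-hard hashes.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, expected)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    token: str
    last_seen: float


class AuthService:
    """Minimal login service with lockout and idle timeout; `now` is injected for testability."""

    def __init__(self):
        self.accounts = {}
        self.sessions = {}

    def register(self, username: str, password: str):
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username: str, password: str, now: float):
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password)  # spend the same time for unknown users
            return None, "invalid"
        if now < acct.locked_until:
            return None, "locked"
        if not verify_password(password, acct.salt, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                return None, "locked"
            return None, "invalid"
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, now)
        return token, "ok"

    def check_session(self, token: str, now: float) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if now - sess.last_seen > SESSION_IDLE_SECONDS:
            del self.sessions[token]  # idle too long: log the user out
            return False
        sess.last_seen = now
        return True
```

The login path returns the same "invalid" result for an unknown user and a wrong password, and hashes in both cases, so timing and error text do not reveal which usernames exist. Lockout state and the failure counter live server-side, where a client cannot reset them.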
Administrative Access
- Role-based access control (RBAC): Employees only access data necessary for their role
- Two-factor authentication (2FA): Required for all employees
- Audit logging: All data access is logged and monitored
- Just-in-time access: Temporary elevated permissions that expire automatically
- Zero standing privileges: No permanent admin access to production systems
Principle of least privilege: Team members can only access the minimum data required for their job. Customer support staff cannot access passport scans or payment information. Financial data is completely isolated from operational staff.
Section 05
Monitoring & Incident Response
24/7 Security Monitoring
- Real-time intrusion detection systems (IDS)
- Automated threat intelligence feeds
- Anomaly detection using machine learning
- Log aggregation and correlation analysis
- Uptime monitoring with instant alerts
Incident Response Plan
Detection & Triage (Within minutes)
Automated systems detect anomalies and alert our security team immediately.
Containment (Within 1 hour)
Isolate affected systems to prevent spread while maintaining service availability.
Investigation (Ongoing)
Forensic analysis to understand the scope and impact of the incident.
Notification (Within 72 hours)
Notify affected users and relevant authorities as required by law.
Remediation & Prevention
Fix vulnerabilities and implement measures to prevent future incidents.
Penetration Testing
- Annual third-party penetration testing
- Quarterly internal security audits
- Continuous vulnerability scanning
- Bug bounty programme for responsible disclosure
Section 06
Third-Party Security
We work with carefully vetted partners who meet our strict security standards:
Payment Processing: Stripe
PCI DSS Level 1 certified. Your card information never touches our servers.
Payment Processing: DPO Group
Africa-focused payment gateway. PCI DSS compliant. Supports card payments across 54 African countries.
Payment Processing: M-Pesa
Mobile money payment integration for Kenya, Tanzania, and other East African markets. Encrypted transaction processing.
Infrastructure: AWS
SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1 certified.
Email: Postmark
SOC 2 Type II certified transactional email provider. All emails encrypted in transit.
Vendor Security Requirements
- Maintain SOC 2 Type II or equivalent certification
- Sign data processing agreements (DPAs)
- Undergo annual security reviews
- Provide proof of insurance and liability coverage
- Implement encryption at rest and in transit
Section 07
Document Security
Secure Document Upload
When you upload documents (passport scans, photos, supporting documents):
- Files are encrypted during upload using TLS 1.3
- Virus scanning performed on all uploads
- File type validation to prevent malicious uploads
- Encrypted storage with AES-256 immediately after upload
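An added example of the "file type validation" step (example code, not SwiftPass's own upload handler; the allowed types, size limit and sample files are assumptions). It checks the file extension against an allow-list and then confirms the bytes actually begin with the signature of that type, so a file that is merely renamed to .jpg is rejected before it is scanned or stored.

```python
import os

# Well-known leading byte sequences for the document types an upload form might accept.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "application/pdf": [b"%PDF-"],
}
# Assumed allow-list: extension -> the content type it must actually contain.
ALLOWED_EXTENSIONS = {
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
    ".pdf": "application/pdf",
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed size limit


def detect_type(data: bytes):
    """Identify the content type from leading bytes, ignoring the filename entirely."""
    for mime, signatures in SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, detail). Accept only when extension and content agree."""
    if not data:
        return False, "empty"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    ext = os.path.splitext(os.path.basename(filename).lower())[1]
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False, f"extension {ext or '(none)'} not allowed"
    actual = detect_type(data)
    if actual != expected:
        return False, f"content does not match {expected}"
    return True, expected


if __name__ == "__main__":
    # Constructed sample payloads: a minimal PNG header, a PDF header and an HTML body.
    samples = [
        ("passport.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("scan.pdf", b"%PDF-1.7\n%constructed\n"),
        ("passport.jpg", b"<html><body>renamed file</body></html>"),
        ("notes.html", b"<html></html>"),
    ]
    for name, payload in samples:
        print(name, validate_upload(name, payload))
```

Signature checks are a first gate, not a substitute for the virus scan listed above: they stop mismatched or disguised files cheaply, and the accepted content type (rather than the user-supplied filename) should be what the service records and uses when serving the file back.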
Document Retention
- Active applications: Documents retained until visa processing is complete
- Completed applications: Retained for 90 days after completion (for support queries)
- Automatic deletion: Documents permanently deleted after retention period
- User deletion: You can request document deletion at any time
Secure Deletion
- Files are permanently deleted from all servers and backups
- Encryption keys are destroyed, making recovery impossible
- Deletion is logged for audit purposes
- Compliant with GDPR "right to be forgotten"
Section 08
Employee Security
Background Checks
- Comprehensive background checks before employment
- Criminal record verification
- Employment history verification
- Reference checks
Security Training
- Security awareness training during onboarding
- Quarterly security refresher courses
- Phishing simulation exercises
- Data handling best practices
- Incident response training
Device Security
- Full disk encryption on all work devices
- Mobile device management (MDM)
- Automatic security updates
- Anti-malware software
- Remote wipe capability for lost or stolen devices
Offboarding Process
- All access immediately revoked on last day
- Company devices returned and securely wiped
- Non-disclosure agreements remain in effect
- Exit interviews conducted
Section 09
Disaster Recovery & Business Continuity
Backup Strategy
- Continuous backups: Database changes replicated in real-time
- Daily snapshots: Full system backups retained for 30 days
- Weekly archival: Long-term backups retained for 1 year
- Multi-region storage: Backups stored in geographically separate AWS regions
- Encrypted backups: All backups encrypted with AES-256
Recovery Objectives
RTO (Recovery Time Objective)
Service restored within 4 hours
RPO (Recovery Point Objective)
Maximum 15 minutes of data loss
Automatic Failover
Traffic routed to backup systems instantly
Business Continuity Plan
- Critical operations can continue during disruptions
- Clear escalation procedures for major incidents
- Regular disaster recovery drills (quarterly)
- Alternative work arrangements for team members
- Communication plans for customer notifications
Section 10
Security Updates & Patching
Patch Management
Critical patches
Applied within 24 hours of release
Security patches
Applied within 7 days
Regular updates
Monthly maintenance windows
Zero-day response
Emergency patching procedures
Dependency Management
- Scanned for known vulnerabilities
- Updated regularly to latest secure versions
- Monitored for security advisories
- Version-pinned to prevent supply chain attacks
Section 11
Report a Security Vulnerability
We take security reports seriously and appreciate responsible disclosure. If you've discovered a vulnerability in SwiftPass, please report it to us directly.
How to Report
- Email: security@swiftpassimmigration.com
- Subject line: "Security Vulnerability Report"
- Include: Detailed description, steps to reproduce, potential impact
Our Commitment
- We will respond within 24 hours
- We will keep you updated on our investigation
- We will credit you (if desired) once the issue is resolved
- We will not pursue legal action against good-faith security researchers
Responsible Disclosure Guidelines
- Do not access user data beyond what is necessary to demonstrate the vulnerability
- Do not perform attacks that could degrade service quality
- Do not publicly disclose the vulnerability until we have had time to fix it
- Give us reasonable time to address the issue (typically 90 days)
SwiftPass Global LLC — Security Team
Security Inquiries
security@swiftpassimmigration.com
Customer Support
support@swiftpassimmigration.com